2012-02-08, 08:25 PM
Hi all,
the following is only meant for users who did not tick the "remember me" box.
Is there a setting somewhere that allows me to define a time after which, if a logged in user is not active, they get logged out automatically?
This would be extremely helpful to lessen the risk of someone taking over someone else's account when they forget to log out on a shared or public computer. I would prefer to set this to something like 24 hours, or even a lot less, down to an hour maybe. Most of my users would never run into that time limit; they will visit the forums frequently, but only for sessions that will be much shorter than an hour.
Yes, I actually want to kick my users out of their current session if they are not doing anything for a while, say, for 15 minutes. I consider the inconvenience worth the increase in security for the community.
I believe the ACP behaves like that, and logs you out after some time of inactivity. I really want the same behaviour for all users, admin or not. By the way, how long is the ACP timeout for that, and where is it set? Can it be shortened?
I don't mind whether it's an existing setting, a plugin, or a hack, as long as some knowledgeable soul can tell me how to achieve that reliably... please?
As far as MyBB out-of-the-box goes: Does a user (who did not tick the "remember me" box) get logged out at all after any amount of inactive time, or does a user stay logged in forever? What does end a user's session?
Cheers,
Matt
[sorry for the previous editing chaos in this post, hope it is clearer now what I mean]
In a perfect world, I would be able to set a session timeout value to my liking in the ACP, for example 15 minutes.
Then, when the last minute of that countdown starts, a window pops up to ask the user if they want to extend their session by another 15 minutes.
If they click yes, they are required to enter their password, after which the session countdown resets, and their session is extended by 15 more minutes. If they do not enter the correct password, the session timer runs out, and the use is forcefully logged out.
I'm not expecting that to be possible any time soon, just as a suggestion which in my humble opinion would be a valuable addition to MyBB, especially for forums which are used for more critical purposes than "just" recreation and hobbies.
I would be worried if I can not at least set a basic inactivity session timeout as described in my first post. Really hoping there is at least a hack for it that is half workable.
Cheers,
Matt
Does part of the answer lie in here maybe?
Found in class_session.php:
the following is only meant for users who did not tick the "remember me" box.
Is there a setting somewhere that allows me to define a time after which, if a logged in user is not active, they get logged out automatically?
This would be extremely helpful to lessen the risk of someone taking over someone else's account when they forget to log out on a shared or public computer. I would prefer to set this to something like 24 hours, or even a lot less, down to an hour maybe. Most of my users would never run into that time limit; they will visit the forums frequently, but only for sessions that will be much shorter than an hour.
Yes, I actually want to kick my users out of their current session if they are not doing anything for a while, say, for 15 minutes. I consider the inconvenience worth the increase in security for the community.
I believe the ACP behaves like that, and logs you out after some time of inactivity. I really want the same behaviour for all users, admin or not. By the way, how long is the ACP timeout for that, and where is it set? Can it be shortened?
I don't mind whether it's an existing setting, a plugin, or a hack, as long as some knowledgeable soul can tell me how to achieve that reliably... please?
As far as MyBB out-of-the-box goes: Does a user (who did not tick the "remember me" box) get logged out at all after any amount of inactive time, or does a user stay logged in forever? What does end a user's session?
Cheers,
Matt
[sorry for the previous editing chaos in this post, hope it is clearer now what I mean]
In a perfect world, I would be able to set a session timeout value to my liking in the ACP, for example 15 minutes.
Then, when the last minute of that countdown starts, a window pops up to ask the user if they want to extend their session by another 15 minutes.
If they click yes, they are required to enter their password, after which the session countdown resets, and their session is extended by 15 more minutes. If they do not enter the correct password, the session timer runs out, and the use is forcefully logged out.
I'm not expecting that to be possible any time soon, just as a suggestion which in my humble opinion would be a valuable addition to MyBB, especially for forums which are used for more critical purposes than "just" recreation and hobbies.
I would be worried if I can not at least set a basic inactivity session timeout as described in my first post. Really hoping there is at least a hack for it that is half workable.
Cheers,
Matt
Does part of the answer lie in here maybe?
Found in class_session.php:
// If the last visit was over 900 seconds (session time out) ago then update lastvisit.
$time = TIME_NOW;
if($time - $mybb->user['lastactive'] > 900)
{
$db->shutdown_query("UPDATE ".TABLE_PREFIX."users SET lastvisit='{$mybb->user['lastactive']}', lastactive='$time' {$lastip_add} WHERE uid='{$mybb->user['uid']}'");
$mybb->user['lastvisit'] = $mybb->user['lastactive'];
require_once MYBB_ROOT."inc/functions_user.php";
update_pm_count('', 2);
}
else
{
$timespent = TIME_NOW - $mybb->user['lastactive'];
$db->shutdown_query("UPDATE ".TABLE_PREFIX."users SET lastactive='$time', timeonline=timeonline+$timespent {$lastip_add} WHERE uid='{$mybb->user['uid']}'");
}