MyBB Community Forums

How to set session timeout? My last try to find an answer.
Hi all,

after several attempts to find someone who could help me answer this question, this is my last try. Forgive me for starting yet another thread about this, but I have no other idea how to hopefully get a little attention with this question.

Here goes:

If you know whether or not user sessions time out at all in MyBB, meaning, whether or not a logged in user who has not ticked the "remember me" box and who is inactive gets logged out by the system, please share your knowledge and let me know.

All I would like to know is after what time a user's session times out, and if and how I can set that time limit to my liking.

The reason why I want to know this is that the longer that timeout is, the more likely a user's account can get hijacked simply because they forget to log out on a shared or public computer.

I can really not understand why no one has given me any answer to this so far, I'm totally puzzled. Is this topic some kind of taboo on these forums? Have I unknowingly annoyed someone? What is going on?

Whatever it is, I can simply not believe that no one knows the answer to this question.

This is not an unimportant question. Please, help me out with this...

Cheers,

Matt
at present we may not have better response than this ..

Well, I'm not entirely sure if that's what Matt meant in his post there - but setting the time in the "Who's online" settings does not set the session timeout. I just tried it, it just doesn't. (The thread there seems to be locked, by the way, no reply button anywhere.)

So far, I've tested it for up to 40 minutes, and the user that I set up for this test in my forums did not get logged out even after 40 minutes. I'll try over night now, but I have a feeling the user will still be logged in tomorrow when I wake up. And I don't like it.

Am I naive? Is it hard to set a session timeout? But hard or not, I think it's an essential safety feature for a forum software... it would really, truly worry me if MyBB had no session timeout.

There seems to be a session timeout for the ACP though, so if it's implemented there, why would it be hard to implement it for normal users as well, if it isn't already? And if it is, why can no one tell me where to change the time limit? I would be happy to change the code, it doesn't have to be a convenient feature of the ACP (although I definitely think that's where it really belongs).

Really stunned that this is so hard to find out. When I thought about this the first time, I thought "Well, search, if you don't find it, ask, and you'll probably have the answer in a few hours." So far, I have nothing.

Confused.

Cheers,

Matt
The authentication does not use sessions, it uses a cookie (mybbuser).
there is no automatic logout for the board. the cookie is good for one year (if you select remember me) or for the browser session (expires=0). so if you don't close your browser you stay logged in.

the admin area has a 15 minute expire time, but not the regular board area. if you want to make the regular user session expire after a set amount of time, you need to make some core edits.

This "should" work

in member.php find (around line 244):
my_setcookie("mybbuser", $user_info['uid']."_".$user_info['loginkey'], null, true);

and change it to:
my_setcookie("mybbuser", $user_info['uid']."_".$user_info['loginkey'], TIME_NOW + (60 * 15), true);

in member.php find (around line 1071):
$remember = -1;

and change it to:
$remember = TIME_NOW + (60 * 15);

That will use a 15 minute session. Change that 15 to the number of minutes you want the sessions to last.
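
An added example, not part of the original post and not MyBB code: a cookie expiry time is enforced only by the browser, so a sketch of the same 15-minute limit checked on the server against a stored last-activity time is shown here. The function name check_login, the last_active field, the in-memory $users array and the sample key are hypothetical; only the uid_loginkey cookie layout comes from the thread.

```php
<?php
// Added illustration; every name below is hypothetical, not a MyBB API.
// The server, not the cookie's expiry date, decides if a login is still valid.

const IDLE_LIMIT = 15 * 60; // allowed inactivity in seconds

/**
 * Validate a "uid_loginkey" cookie value and enforce the idle limit.
 * Returns the uid on success, null if the user must log in again.
 * $users is taken by reference so last_active and loginkey can be updated.
 */
function check_login(string $cookie, array &$users, int $now): ?int
{
    $parts = explode('_', $cookie, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return null;                        // malformed cookie
    }
    [$uid, $key] = [(int) $parts[0], $parts[1]];
    if (!isset($users[$uid]) || !hash_equals($users[$uid]['loginkey'], $key)) {
        return null;                        // unknown user or wrong key
    }
    if ($now - $users[$uid]['last_active'] > IDLE_LIMIT) {
        // Idle too long: rotate the key so the old cookie stops working even
        // if the browser kept it. With one key per user (assumed here) this
        // also ends that user's logins on other devices.
        $users[$uid]['loginkey'] = bin2hex(random_bytes(16));
        return null;
    }
    $users[$uid]['last_active'] = $now;     // sliding window: activity renews it
    return $uid;
}

// Constructed sample data standing in for the users table.
$t0     = 1700000000;                       // login time (Unix seconds)
$users  = [7 => ['loginkey' => 'k3yk3yk3y', 'last_active' => $t0]];
$cookie = '7_k3yk3yk3y';

var_dump(check_login($cookie, $users, $t0 + 600));   // click 10 min after login
var_dump(check_login($cookie, $users, $t0 + 1440));  // click 14 min after that
var_dump(check_login($cookie, $users, $t0 + 2400));  // click after 16 min idle
var_dump(check_login($cookie, $users, $t0 + 2410));  // same cookie replayed
```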

Hi Stefan, I'm sorry if I messed up nomenclature. By "sessions" I was only referring to the "session" from the user's perspective, referring to each time the user logs in and uses the forums. I really don't have any preference about how to achieve that such a "session" forcefully times out, be it via sessions or any other way, as long as it's reliable and safe.

Pavemen, thanks so much for your instructions! I will try them out and let you know if they work. The auto logoff feature, which I really need, is the only thing that stands between my project and MyBB, so anything that helps me solve this really makes me happy because I really, really want to use MyBB!

By the way, how does the admin area achieve the 15 minute expiry time? Is that done in the same way? Still don't understand why it's not core, especially if these few lines of code achieve this. Of course I might be overlooking something, just don't understand. If it's a user acceptance thing, that could be left to the forum owner to decide I think, rather than not including that feature. But I'm only guessing around here.

Will try it out now. Thanks heaps!

Matt
The ACP uses its own session system which is bound to the iprange and times out after a certain period.
Hi again,

pavemen, I have tried to carefully implement your suggestion as per your previous post, but so far without success.

I have also poked around a little and tried some changes to your suggestions, admittedly and probably obviously with next to zero php experience:

a) "(60 + 15)" instead of "(60 * 15)"
b) "(15)" instead of "(60 * 15)"
c) "15" instead of "(60 * 15)"

To be sure, I performed each test of each variation with a newly created user that had never before ticked the "remember me" box. I also made sure I was not logged in with an admin user while doing the tests either, in case that would influence it somehow.

Unfortunately, no success, the user was still logged in after 16 minutes of inactivity every time.

Do you have any recommendations what to try next?

Cheers,

Matt
so when you applied the edits and made sure to upload the modified file, when you log in, if you let your browser sit idle for 16 minutes and then click another link on your site, it should show you as not logged in. It must be a page that is not in your browser's cache though, otherwise your browser may be pulling from the cache and not the new page.

since it is cookie based, it won't just log you out, it only works on the next page load.

also, the cookie time is in Unix time (seconds) so it needs to be TIME_NOW + (60 * MinutesToStayLoggedin)
Wow man, that's almost real time support you're giving me here, thank you so much!

I understand it will only show me as logged out on the next page load. That would be all I want.

It's exactly as you say: Modified file as per instructions, uploaded and overwrote old file on server, logged in as user without ticking "remember me", then waited 16 minutes without any activity or clicking, then clicked e.g. on the "user cp" link to get to the user's control panel (a page which I had not visited ever before with that user, since I created that user just to test this, so can't really be in any cache), it just leads me to the user cp page - and does not show me as not logged in, as I would want it to.

Thanks for the hint re the unix time in seconds, will do that then. Although the "+" should only have resulted in an earlier logging out of the user then, so that can't have anything to do with why it's not logging out as far as I can see.

Not sure what I might be doing wrong. Happy to try and test anything you can suggest... and I will be writing a tutorial for your solution once it's working I think!

Matt