Please upgrade here. These earlier versions are no longer being updated and have security issues.
HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.
Logout inactiv User
So i noticed that if i login and dont logout i am gonna be online forever...
And i was wondering is possbile to make in vanilla a logout user if inactiv for 5 minute ?
Thank you in advance !
0
Comments
that would be fun to have happen , what if the user wants to remain online forever?
The cookies is what keeps you logged in. Just dump the cookies and you will be logged out.
❌ ✊ ♥. ¸. ••. ¸♥¸. ••. ¸♥ ✊ ❌
Use javascript with a 5 minute timeout that clears the session cookie. Easy to bypass (just disable js).
Use a modified version of whos online (which updates a table every time a user takes an action) to invalidate sessions when users haven't acted in 5 minutes (on next page load).
Search first
Check out the Documentation! We are always looking for new content and pull requests.
Click on insightful, awesome, and funny reactions to thank community volunteers for their valuable posts.
@bogdancristian: what @hgtonight has suggested is cleaner and less dangerous than modifying a core file, but the function you are looking for is
SetIdentity
in/library/core/class.cookieintity.php
and you could change the expiration time for the session cookie there.btw: it would be easy to change
$Expiration = $Expire = time() + 2592000;
to$Expiration = $Expire = time() + C('Garden.Cookie.Expiration');
and add$Configuration['Garden']['Cookie']['Expiration'] = '300'; // specify in minutes
to theconfig.php
Where can I post change requests? :-))
GIthub
There was an error rendering this rich post.
nice solution,
but the question is a timeout in general. although I would think having a timeout would just enrage forum users, Having to login again. And would be defeating the pupose of a forum. Then if the goal was to limit users time on the forum, you would need to track when they last logged in, to prevent them from logging in, otherwise it just seems like a bad experiment.
I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.
I could see it being useful from a security standpoint. Require users to remain active on the site or require a login.
Seems a blunt weapon though.
Search first
Check out the Documentation! We are always looking for new content and pull requests.
Click on insightful, awesome, and funny reactions to thank community volunteers for their valuable posts.
explain how this is more secure. you mean if they leave their machine unattended.
I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.
Yes. My banking software has a tendency to invalidate sessions after 7 minutes of inactivity. Not any more secure from the internet standpoint, but more of an IRL safeguard against other people using your computer.
Search first
Check out the Documentation! We are always looking for new content and pull requests.
Click on insightful, awesome, and funny reactions to thank community volunteers for their valuable posts.
I just hate that, mine asks for 3 passwords and the output of an external number generator and if you don't hurry you must do it again . It is irritating to say the least.
If this happened in a forum, I would not go back .... You can secure your computer without having to log out. Besides most people have their login info saved in the browser and it would be easy for someone to just log in if they want.
❌ ✊ ♥. ¸. ••. ¸♥¸. ••. ¸♥ ✊ ❌
Thank you for the interess in this idee.
R_J thank you very much for the "tutorial" really helps me beeing a complet newbb in the vanilla i will try it and post a feed back on the matter.
Thank you all for the interess shown in my little problem !
@bogdancristian: Rubbish. I've told you complete rubbish. Sorry about that. When you change the cookie lifetime according to what I've told you, your users will get logged out every 5 minutes. Even if there in the middle of wrighting a comment, looking at some discussions or whatsoever.
I have also a longer answer, but I wanted to warn you as soon as possible to not use this modification!
Seriously you can expire cookies, but it is the user responsibility to manage them ultimately.
There is no such thing as "logged in" http is stateless. You might clear the session reference.
grep is your friend.
Vanillas default is "Keep me signed in for 30 days" and if you do not want to stay logged in, you will be logged out as soon as you close the browser. I think that is what you want.
So if you look at the forum from another computer, just sign in without using the "Keep me signed in" checkbox.
If you do not want to allow your users to stay logged after closing their browser, you'll need to hide the option per custom.css or change the views in your theme.
But be aware that any smartass can use this function anyway, as long as you do not change the corresponding controller. But I'd say that if someone is doing so, he has deserved being logged in for a longer period and he should know about the risks.
I think @vrijvlinder was right: what your planning to do would annoy your users. If I see a checkbox "[ ] Keep me signed in" I expect to stay logged in longer than 5 minutes. So you may want to overthink your plans in regard to that.
But if you really want to kick all your users after 5 minutes I'd think that @hgtonight s approach would be best.
Sorry again for misleading you to a solution that was none.
If you take a look at
http://vanillaforums.org/get/onesession-plugin-0.1.1b
That plugin doesn't do what you want it checks that people are not using multiple clients, or clients with multiple sessions.
It requires vanilla session, plus a moving target cookie. If both are not provided it logs the person out of that session. Bit complicated for what you need but it has a 60 second default refresh. In this case it regenerates another cookie, however you could create something that kills the session.
5 minutes seems a bit harsh, you are not an online bank.
The simplest (not the most full proof) method would be to create a cookie that expires in 5 minutes, then check for the session and that cookie, you can then extend each time a request is made where it still exists, and log out if not. It is not an unbeatable way, but I'm guessing the point of this is to protect you users, so if they want to get round it that is their problem.
grep is your friend.
Is this possible and how ! Thank you in advance !
Can i just change the "Keep me logged in" option ?
So every time the user close the broswer they loggout? This would be the perfect scenario!
Thank you! in advance
to uncheck box in php (you could do it js also.
I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.
@peregrine
Thank you for the help, this works like a charme i just change the values from 1 -> 0 and then commented the hole "keep me signin" function and did the signin button the size of the input fild of name and password. Thank you very much! big help !
since you put it that way. You are very welcome .
I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.