
Logout inactive User

So I noticed that if I log in and don't log out I am going to be online forever...
And I was wondering, is it possible in Vanilla to log out a user if inactive for 5 minutes?

Thank you in advance !

Comments

  • vrijvlinder Papillon-Sauvage MVP

    That would be fun to have happen, what if the user wants to remain online forever?

    The cookies are what keep you logged in. Just dump the cookies and you will be logged out.

  • hgtonight ∞ · New Moderator

    Use javascript with a 5 minute timeout that clears the session cookie. Easy to bypass (just disable js).

    Use a modified version of whos online (which updates a table every time a user takes an action) to invalidate sessions when users haven't acted in 5 minutes (on next page load).

    Search first

    Check out the Documentation! We are always looking for new content and pull requests.

    Click on insightful, awesome, and funny reactions to thank community volunteers for their valuable posts.

  • R_J Ex-Fanboy Munich Moderator

    @bogdancristian: what @hgtonight has suggested is cleaner and less dangerous than modifying a core file, but the function you are looking for is SetIdentity in /library/core/class.cookieidentity.php and you could change the expiration time for the session cookie there.

    btw: it would be easy to change $Expiration = $Expire = time() + 2592000; to $Expiration = $Expire = time() + C('Garden.Cookie.Expiration'); and add $Configuration['Garden']['Cookie']['Expiration'] = '300'; // specify in seconds to the config.php

    Where can I post change requests? :-))


  • UnderDog Moderator

    @R_J said:
    Where can I post change requests? :-))

    GitHub

  • peregrine MVP
    edited July 2013

    @R_J said:
    bogdancristian: what hgtonight has suggested is cleaner and less dangerous than modifying a core file, but the function you are looking for is SetIdentity in /library/core/class.cookieidentity.php and you could change the expiration time for the session cookie there.

    btw: it would be easy to change $Expiration = $Expire = time() + 2592000; to $Expiration = $Expire = time() + C('Garden.Cookie.Expiration'); and add $Configuration['Garden']['Cookie']['Expiration'] = '300'; // specify in seconds to the config.php

    Where can I post change requests? :-))

    nice solution,

    but the question is a timeout in general. Although I would think having a timeout would just enrage forum users, having to log in again. And it would be defeating the purpose of a forum. Then if the goal was to limit users' time on the forum, you would need to track when they last logged in, to prevent them from logging in, otherwise it just seems like a bad experiment.

    I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.

  • hgtonight ∞ · New Moderator

    I could see it being useful from a security standpoint. Require users to remain active on the site or require a login.

    Seems a blunt weapon though.


  • I could see it being useful from a security standpoint. Require users to remain active on the site or require a login.

    Explain how this is more secure. You mean if they leave their machine unattended?


  • hgtonight ∞ · New Moderator
    edited July 2013

    @peregrine said:
    Explain how this is more secure. You mean if they leave their machine unattended?

    Yes. My banking software has a tendency to invalidate sessions after 7 minutes of inactivity. Not any more secure from the internet standpoint, but more of an IRL safeguard against other people using your computer.

  • vrijvlinder Papillon-Sauvage MVP

    @hgtonight said:
    Yes. My banking software has a tendency to invalidate sessions after 7 minutes of inactivity.

    I just hate that, mine asks for 3 passwords and the output of an external number generator and if you don't hurry you must do it again. It is irritating to say the least.

    If this happened in a forum, I would not go back .... You can secure your computer without having to log out. Besides most people have their login info saved in the browser and it would be easy for someone to just log in if they want.

  • edited July 2013

    Thank you for the interest in this idea.

    • First point: the forum is a modified version of embedded, so it's in another project of mine.
    • As a normal user I visit the forum, I log in, everything is normal, but if I need to run somewhere or use the "WC" or something and forget to log out and I just close the browser completely? I remain logged in to the forum until I log out.
    • If somebody else uses the same computer and is a member of the same forum, when he tries to go into the forum he will be logged in to "my" account.
    • And maybe just for fun sends some "not so nice" messages or starts "ugly" discussions?

    R_J, thank you very much for the "tutorial"; it really helps me, being a complete newb in Vanilla. I will try it and post feedback on the matter.

    Thank you all for the interest shown in my little problem!

  • R_J Ex-Fanboy Munich Moderator

    @bogdancristian: Rubbish. I've told you complete rubbish. Sorry about that. When you change the cookie lifetime according to what I've told you, your users will get logged out every 5 minutes. Even if they're in the middle of writing a comment, looking at some discussions or whatsoever.

    I have also a longer answer, but I wanted to warn you as soon as possible to not use this modification!


  • Seriously, you can expire cookies, but it is the user's responsibility to manage them ultimately.

    There is no such thing as "logged in"; HTTP is stateless. You might clear the session reference.

    grep is your friend.

  • R_J Ex-Fanboy Munich Moderator

    Vanilla's default is "Keep me signed in for 30 days" and if you do not want to stay logged in, you will be logged out as soon as you close the browser. I think that is what you want.
    So if you look at the forum from another computer, just sign in without using the "Keep me signed in" checkbox.

    If you do not want to allow your users to stay logged after closing their browser, you'll need to hide the option per custom.css or change the views in your theme.
    But be aware that any smartass can use this function anyway, as long as you do not change the corresponding controller. But I'd say that if someone is doing so, he has deserved being logged in for a longer period and he should know about the risks.

    I think @vrijvlinder was right: what you're planning to do would annoy your users. If I see a checkbox "[ ] Keep me signed in" I expect to stay logged in longer than 5 minutes. So you may want to overthink your plans in regard to that.

    But if you really want to kick all your users after 5 minutes I'd think that @hgtonight's approach would be best.

    Sorry again for misleading you to a solution that was none.


  • x00 MVP
    edited July 2013

    If you take a look at
    http://vanillaforums.org/get/onesession-plugin-0.1.1b

    That plugin doesn't do what you want; it checks that people are not using multiple clients, or clients with multiple sessions.

    It requires vanilla session, plus a moving target cookie. If both are not provided it logs the person out of that session. Bit complicated for what you need but it has a 60 second default refresh. In this case it regenerates another cookie, however you could create something that kills the session.

    5 minutes seems a bit harsh, you are not an online bank.

    The simplest (not the most foolproof) method would be to create a cookie that expires in 5 minutes, then check for the session and that cookie, you can then extend each time a request is made where it still exists, and log out if not. It is not an unbeatable way, but I'm guessing the point of this is to protect your users, so if they want to get round it that is their problem.

    grep is your friend.
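
The server-side idle timeout hgtonight suggested, with the sliding expiry x00 describes, as an added example (not code from the thread and not Vanilla's own code). The names startSession, checkIdle and IDLE_LIMIT and the in-memory $lastSeen array are hypothetical stand-ins for a table that is updated on every authenticated request.

```php
<?php
// Added example. All names here are hypothetical, not Vanilla's API.
// The last-activity record lives on the server, so disabling JavaScript
// or keeping an old cookie does not extend the session.

const IDLE_LIMIT = 300; // seconds of allowed inactivity (5 minutes)

// Create a session record at sign-in and return its identifier.
function startSession(array &$lastSeen, int $now): string
{
    $sessionId = bin2hex(random_bytes(16)); // unguessable identifier
    $lastSeen[$sessionId] = $now;
    return $sessionId;
}

// Called at the start of every request that carries a session cookie.
// Returns true and slides the deadline forward if the session is still
// within the idle limit; otherwise drops the record and returns false.
function checkIdle(array &$lastSeen, string $sessionId, int $now): bool
{
    if (!isset($lastSeen[$sessionId])) {
        return false; // unknown, or already invalidated
    }
    if ($now - $lastSeen[$sessionId] > IDLE_LIMIT) {
        unset($lastSeen[$sessionId]); // invalidate on next page load
        return false;
    }
    $lastSeen[$sessionId] = $now; // activity extends the deadline
    return true;
}

// Constructed walk-through with fixed timestamps.
$store = [];
$t0 = 1374000000;
$sid = startSession($store, $t0);

var_dump(checkIdle($store, $sid, $t0 + 120)); // request 120 s after sign-in
var_dump(checkIdle($store, $sid, $t0 + 400)); // 280 s after the previous request
var_dump(checkIdle($store, $sid, $t0 + 701)); // 301 s after the previous request
var_dump(checkIdle($store, $sid, $t0 + 702)); // same cookie presented again
```

Once checkIdle returns false the application should also clear the session cookie and redirect to sign-in; the check itself does not depend on the client doing so.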

    • OK, but I just want to log out if the user leaves the forum open, or to log out when they close the browser. Can I do that with the one session plugin? Or if not, can you tell me where to change and what to change so I can do that?
    • My problem is if a user leaves the computer and he does not log out, he will stay logged in, and when the next user comes to this computer he will be logged in with the account of the last user. That is why I want to make the forum auto-logout if the user was inactive for 5 minutes.
    • The sign-in and sign-out are hidden (in the CSS) because I have "ForceGuestSignIn", so when the user clicks and he is not logged in it will ask him to log in, and then if he stays more than 5 minutes on the forum and doesn't use it, then to log him out.

    Is this possible, and how? Thank you in advance!

  • Can I just change the "Keep me logged in" option?

    • So the default is that the "Keep me logged in" checkbox is on!
    • Can I turn it off?
      So every time the user closes the browser they log out? This would be the perfect scenario!

    Thank you in advance!

  • to uncheck box in php (you could do it in js also).

    applications/dashboard/views/entry/signin.php
    
    to 
    
    /themes/THETHEMEYOUAREUSING/views/entry/signin.php
    
    then in
    /themes/THETHEMEYOUAREUSING/views/entry/signin.php
    
    do the same thing for your mobile theme
    
    look for a line like this.
    
    
    <div class="Buttons">
       <?php
          echo $this->Form->Button('Sign In', array('class' => 'Button Primary'));
          echo $this->Form->CheckBox('RememberMe', T('Keep me signed in'), array('value' => '1', 'id' => 'SignInRememberMe'));
       ?>
    
    
    change the value from 1 to 0
    
    
    depending on how things are setup
    
    do the same thing for
    
    views/entry/auth/password.php:
    

  • @peregrine

    Thank you for the help, this works like a charm. I just changed the values from 1 -> 0 and then commented out the whole "keep me signed in" function and made the sign-in button the size of the input fields for name and password. Thank you very much! Big help!

  • @bogdancristian said:
    peregrine

    Thank you for the help, this works like a charm. I just changed the values from 1 -> 0 and then commented out the whole "keep me signed in" function and made the sign-in button the size of the input fields for name and password. Thank you very much! Big help!

    since you put it that way. You are very welcome :).
