Login Status Timeout

yinsw · Post by **yinsw** » Mon Jul 15, 2024 11:21 am

I'm trying to simulate Login Status Timeout and can't seem to get it work. Below is my setting:

Disallow concurrent login = True
Maximum concurrent login count = 1
Logout concurrent login = False
Login status timeout (minutes) = 3

Advanced Setting

Session timeout period (minutes) = 2
Session keep alive internal (seconds) = 0
Session time out countdown period (seconds) = 60

I have tested a few scenario:

Login and leave the browser idle for 2 minutes:
- It will show session timeout after 1 minute. After 2 minutes it will auto logout and show "Your session has expired." (Correct).
Login using Firefox and try to login the same using using another browser (Chrome).
- Do not allow concurrent login (correct).
Login to website and then close the browser.
- Open the same browser using the same browser after 3 minutes (to be safe I opened after 4 minutes). Login status timeout setting of 3 minutes does not work. It still says "User 'xxx' already logged in.

The option "Login status timeout" not for this purpose or is there something else I did not set for this to work?

From documentation

The number of idle minutes after which the login status will be considered as logged out and login will be allowed again.

If a logged-in user does not explicitly log out (for example, close the browser directly), the user session is not closed and the user's login status will remain as "logged in". Attempts to login again will fail. This timeout setting ensures login will be allowed again after a period of idle time.

arbei · Post by **arbei** » Mon Jul 15, 2024 11:35 am

The setting is for checking concurrent user login status.

yinsw · Post by **yinsw** » Mon Jul 15, 2024 11:54 am

So meaning there is no way to auto-logout or make their session timeout if they accidentally close the browser and the concurrent user is set to 1, they have request administrator to login and "Force Logout" from the Users module?

arbei · Post by **arbei** » Mon Jul 15, 2024 4:13 pm

No, you cannot know when the user "accidentally close the browser", that's what the timeout setting for -- treat the user session as expired if no activities after some time. You may also consider setting the other setting Maximum concurrent user session count.

yinsw · Post by **yinsw** » Mon Jul 15, 2024 7:15 pm

I have to set the "Maximum concurrent user session count" to 1 as I don't allow user to login again from another browser.

Can I able to manually check the last accessed timestamp and compare against the session timeout, and force logout the user in the User_LoggingIn event so that he will able to login again in case the user accidentally close the browser? As per my setting above now, if he accidentally close the browser, he will forever can't login even with any timeout i set in the setting unless I force logout the user as administrator

arbei · Post by **arbei** » Mon Jul 15, 2024 8:05 pm

After the "Login status timeout (minutes)", if no more activities detected (e.g. close the browser and not open again) the user session should be considered as expired, and the user should be again to login again.
You might have experimented a lot, you better delete all the session data in the profile field and all cookies for your site from your browser and test again.
If you want to check the session yourself, you can call Profile()->getConcurrentSessions() and manipulate them manually (and saved them afterwards), you may use var_dump() to view them first or view the data in the profile field directly.
I'd suggest that you enable "Remember me" so that a cookie will be set after login. Even the user closes the browser accidentally, the cookie will allow the web app to recover the session, and there is no need to login again.