Automatic logout after period of inactivity eZ 5

Thursday 28 May 2015 3:27:20 pm - 4 replies

Hi there,

I've read : http://share.ez.no/forums/setup-design/automatically-logout-user-after-some-period-of-inactivity

But the topic seems to be quite old. SessionTimeout and ActivityTimeout don't seem to work.

As explained in the topic title, I want to log out a user automatically after a period of time.

I have set the "cookie_lifetime" in the ezpublish.yml file under each siteaccess. But is there another conf to separate "lifetime" and "inactivity"?

Indeed, I want the cookie to last 12 hours, but I want it to be destroyed after 4 hours of inactivity (no clicks on links for 4 hours).

I'm not using any database.

Do I have to "manage" the 4 hours of inactivity myself or is there a conf which does this that I'm not aware of?

like :

cookie_lifetime: 43200
cookie_inactivity: 14400

Thanks a lot. Cheers.

Modified on Thursday 28 May 2015 3:30:16 pm by Task Mikaël

Thursday 28 May 2015 10:22:41 pm

Hello Task,

Two questions need to be answered to provide the 'best' answer to your question.

Question #1: What version of eZ Publish are you using? (Because the answer is version specific)

Question #2: What siteaccess (user or admin) and what stack are you trying to affect? (Because the admin is still controlled by legacy settings in this regard)

Question #3: What do you mean by "I'm not using any database"? Very very few (if any) people use eZ Publish without a database as the point of using a CMS is content management which is database based. I'm confused :?

If you're trying to affect the user siteaccess, not in legacy mode, within the new stack (Symfony based) and you're using an eZ Publish Platform version greater than 5.3 / 2014.01 then the answer is a Symfony based one.

I did a quick search (without testing mind you) and it seems this answer has already been answered (very well I might add) on StackOverflow:

http://stackoverflow.com/questions/18872721/symfony2-security-automatic-logout-after-an-inactive-period/18873331#18873331

If your use case / conditions do not exactly match any of the above solutions' specific use case requirements then the answer is this is controlled by legacy settings and you want to set the 'SessionTimeout' setting for 12 hours (in seconds).

After some exhausting research (who knew sessions could be so simple and yet so complicated with so much technical debt in legacy), it seems that the 'ActivityTimeout' feature is used within the deprecated 'ezpSessionHandlerDB' session handler. I find that the 'ActivityTimeout' setting is used basically only for user module fetch functions (like the online user list feature that few use these days) and -not- for affecting an actual user session -in any way-.

With so much lack of sleep in the last two weeks I'm more than prepared to be wrong on this point but I kinda doubt it. I tested the use of the 'CookieTimeout' setting and session cookie expiration / setting and hoped it might be useful but basically it is used when a session is created and not related to keeping a session alive if they are reloading the page / using the site.

In short, and I'm sorry, I do not see a way to implement the functionality you desire without creating extension based kernel class overrides to implement the functionality you desire with regards to user session ending / extending based on an activity timeout setting / feature (not provided by default). I could do it, so I know it is possible but I'm not sure I like how it would need to be implemented.

I think it would require the creation of a kernel class override of the 'eZUser' class (not entire datatype) to customize the instance method to first per request always call, 'updateLastVisit' regardless of the value of '$GLOBALS['eZSessionIdleTime']' which in the current session handler is 0 by default.

Edit conditional (remove or add setting or case) Re: https://github.com/ezsystems/ezpublish-legacy/blob/master/kernel/classes/datatypes/ezuser/ezuser.php#L1211

That way you can securely track the user's last visit timestamp. But it comes at an expensive cost in terms of database performance but if this is only for a legacy admin siteaccess and a customer was paying, I'd implement it.

Next you will want to add code to compare the current timestamp minus the 'CustomAdminActivityTimeout' setting (I recommend a custom extension based setting file to keep this clean and flexible) with the user's last visit to determine if the user needs to be logged out and if so perform the calls needed to existing code to log a user out properly. For a lot of where best to put this logic vs ezp technical reasons (and lack of sleep finishing this post), I would place this code within a kernel class override of the 'eZUserLoginHandler' class method 'checkUser':

https://github.com/ezsystems/ezpublish-legacy/blob/master/kernel/classes/datatypes/ezuser/ezuserloginhandler.php#L176

I would do this since it seems to best fit with the existing low level kernel initialization / existing usage use case(s). Re: 

https://github.com/ezsystems/ezpublish-legacy/blob/master/kernel/private//classes/ezpkernelweb.php#L1168

https://github.com/ezsystems/ezpublish-legacy/blob/master/kernel/classes/datatypes/ezuser/ezuserloginhandler.php#L142

The rest is just trivial implementation specifics and logic; nothing very hard to write or test. BTW, remember to enable kernel class overrides in config.php and regenerate kernel class overrides with ./bin/php/ezpgenerateautoloads.php --kernel-override; Though you might need to remember that kernel overrides are installation not siteaccess specific (in case this matters for your use case(s)). 

Here is some legacy documentation: https://doc.ez.no/eZ-Publish/Technical-manual/4.x/Reference/Configuration-files/site.ini/Session/CookieTimeout

https://doc.ez.no/eZ-Publish/Technical-manual/4.x/Reference/Configuration-files/site.ini/Session/ActivityTimeout

https://doc.ez.no/eZ-Publish/Technical-manual/4.x/Reference/Configuration-files/site.ini/Session/SessionTimeout

https://doc.ez.no/eZ-Publish/Technical-manual/4.x/Reference/Configuration-files/site.ini/Session

Please feel free to ask more questions. Apologies if I'm way off, it's been a long day but I fought hard to stay awake to finish this post before I crash hard.

I really hope this helps! 

Cheers,
Heath

Modified on Friday 29 May 2015 12:02:55 am by // Heath
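
The check described in the post above (compare "now" against a stored last-visit timestamp), combined with the 12 hour lifetime from the question, as an added example that is not part of the original thread and is not eZ Publish or Symfony code. Both timestamps are kept in server-side session data, because the cookie's own expiry is only a hint to the browser; the function name and the `_created` / `_last_activity` keys are hypothetical.

```php
<?php
// Added example: plain PHP, no eZ Publish or Symfony API involved.
// Key names and the function name are hypothetical.

const ABSOLUTE_LIFETIME = 43200; // 12 h, the cookie_lifetime value from the question
const IDLE_TIMEOUT      = 14400; // 4 h of inactivity, the value the question asks for

/**
 * Decide what to do with a session on this request.
 * Returns 'new', 'active', 'idle_expired' or 'lifetime_expired'.
 * $session is taken by reference so that $_SESSION can be passed in.
 */
function checkSessionTimeout(array &$session, int $now): string
{
    if (!isset($session['_created'], $session['_last_activity'])) {
        // First request of a fresh session: start both clocks.
        $session['_created'] = $now;
        $session['_last_activity'] = $now;
        return 'new';
    }
    // The absolute limit is checked first and is never extended by activity.
    if ($now - $session['_created'] >= ABSOLUTE_LIFETIME) {
        $session = [];
        return 'lifetime_expired';
    }
    // The idle limit is measured from the previous request, not from login.
    if ($now - $session['_last_activity'] >= IDLE_TIMEOUT) {
        $session = [];
        return 'idle_expired';
    }
    // Still valid: this request counts as activity and resets the idle clock.
    $session['_last_activity'] = $now;
    return 'active';
}

// Constructed timeline (seconds) that exercises both limits.
$session = [];
foreach ([0, 3600, 17000, 30000, 43000, 43300, 43400, 57800] as $t) {
    printf("t=%5d  %s\n", $t, checkSessionTimeout($session, $t));
}
```

In a real request this would run right after `session_start()` with `$_SESSION` and `time()` as arguments, and an expired result would be followed by `session_destroy()` and a redirect to the login page.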

Friday 29 May 2015 3:07:29 pm

Hi !!

Thanks for taking so much time to answer!

I used the listener "Comakai" and it is working.

By "no database" I meant not using the table "ezsession" to store the sessions. I let PHP handle it.

As for now, I'm not able to manage properly each user. But the client is not asking for more. 12 hours for the session with "cookie_lifetime" is enough. Each user is not supposed to stay on a page 4 hours doing nothing ... (except if he forgot to close browser while going home after work).

I can see that you have a lot to do. Opposite from Game of thrones, SUMMER is coming. Be strong, and don't forget to take time for yourself.

I'll try not to ask too much for every little problem I have :p

Thanks. Cheers.

Saturday 30 May 2015 12:29:44 am

Hello Task,

I'm very happy to have been able to help you with this question / solution.

I'm also glad you got the suggestion working to be able to provide for your site's unique requirements cleanly.

I understand now what you mean about 'no database', which was not clear before. The 'ezsession' table was used by a much older and long ago deprecated session handler which provided for 'admin' based session management among other things.

Today we almost all use PHP to handle the sessions and thus we no longer can provide an admin UI for management of them (but I personally don't think it's necessary today either).

Apologies for my late reply, I was away from the internet today, volunteering at a local food bank (to help others in another capacity). Hehehe it seems like I never really stop helping those around me be it at the food bank or in the eZ Community! But then again I do very much enjoy being able to help others and make a direct, very real and positive impact in other people's lives .. for good.

My friends joke around and call me 'The Order of the Good'. It makes me smile.

Re: "Opposite from Game of thrones, SUMMER is coming". Well, for me, in my area, the Heat is already very much On which makes me feel like Summer is already here and burning me alive (I prefer the cold climates more myself).

Well all that said, I'm going to take the rest of the evening off (If I can help it / keep away) and go to bed early. I'm exhausted from working so hard all day (very hard and physical work at the food bank) and I have another very long day ahead of myself tomorrow (handling weekend personal chores). 

Re: "I'll try not to ask too much for every little problem I have :p". No worries! Your questions are just fine. So please feel free to keep being active in the forums as it does help other people long term. Plus most in the eZ Community love it when the forums are active instead of being silent!

I only ask that people learn to build themselves up to become better developers (#1), do the research as best you can (via search, code review, testing, experimenting, etc), everything a good developer would do before asking others to do their work for them (#2), and finally whenever possible try to ask your questions / get answers in the most appropriate place (#3). We help support people with eZ Publish first and foremost (and a lot of related topics) but if your question is not really eZ Publish specific (like how to recompile your Linux kernel, lol) then we here are not honestly the 'best' or even 'right' place to ask for support for those kinds of questions. As I say there are way better forums on the internet for everything else.

That said, like I was taught at a very young age ... I insist that, "The only bad question really is the question that's not asked ...". So please feel free, I encourage you, to continue to engage with the community here in the share.ez.no forums.

Take it eZ!

Cheers,
Heath

Monday 01 June 2015 11:07:20 am

Hello Task,

One last request ... Can you login to share.ez.no and then click the checkbox at the top of your original post near the title? It is the box with the checkbox inside. It turns green when you have clicked it correctly.

Doing this indicates your question has been solved.

Thanks again for your continued support!

Take it eZ!

Cheers,
Heath
