How can I extend the default session duration in Concrete 5.7?


How can I extend the default duration of sessions in the Concrete5 CMS (v5.7)? It feels like I have to login again way too frequently.

1 answer

Simon E.

One way I discovered to achieve this is by modifying the session-handling settings inside /application/config/concrete.php:

```php
<?php

return [

    //----------------------- SUPER LONG SESSIONS -------------------------
    // We want to extend the session cookie to last for 4 months
    // so that users are not bugged for their password all the time.
    // WARNING: This does reduce security and potentially increases the chance of
    //          session hijacking, but if you're willing to make the trade-off, here goes

    'session' => [
        'name'    => 'CONCRETE5',
        'handler' => 'file',

        // We'll use our own specific save_path so that others on our
        // server don't garbage-collect our sessions
        'save_path' => DIR_APPLICATION . '/files/tmp/sessions',

        // 40 days (in seconds). This is a timeout value.
        // If the session is not used for 40 days, it is likely to be garbage collected
        'max_lifetime' => 3456000,

        'cookie' => [
            'cookie_path' => false,

            // This defaults to 0, which is a session cookie
            // (ends when the browser is closed).
            // Extending to last 4 months (in seconds). The cookie will span multiple
            // browser restarts up until this max value, and then the user will be forced
            // to log in again (yes, even in the middle of a session, beware!)
            'cookie_lifetime' => 10510000,

            'cookie_domain'   => false,
            'cookie_secure'   => false,
            'cookie_httponly' => true,
        ],
    ],

    // Browser user-agents and IP addresses may change within that time,
    // so we will disable strict checking for those
    'security' => [
        'session' => [
            'invalidate_on_user_agent_mismatch' => false,
            'invalidate_on_ip_mismatch'         => false,
        ],
    ],

];
```

Sidenote:
The specific groups a member is a part of are stored in the session and only refreshed when logging in, or when certain permissions are changed in the Dashboard. When this occurs, Concrete5 automatically updates the timestamp in /application/config/generated_overrides/concrete.php, but you can also do this manually if you want to force users' permissions to be refreshed mid-session:

```php
<?php

return array(
    // ...
    'misc' => array(
        'access_entity_updated' => 1453869371,
    ),
);
```
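
The trade-offs in the configuration above can be checked mechanically. The following is an added example, not part of the original answer and not Concrete5 code: `audit_session_config()` is a hypothetical helper, and the sample array is constructed to mirror the values shown in the answer.

```php
<?php
// Added example: report the session trade-offs made by a Concrete5-style
// config array. audit_session_config() is a hypothetical helper name.

function audit_session_config(array $config): array
{
    $findings = [];
    $session  = $config['session'] ?? [];
    $cookie   = $session['cookie'] ?? [];
    $checks   = $config['security']['session'] ?? [];

    $idle       = (int) ($session['max_lifetime'] ?? 0);    // server-side idle timeout
    $cookieLife = (int) ($cookie['cookie_lifetime'] ?? 0);  // 0 = browser-session cookie

    if ($cookieLife > 0) {
        $findings[] = sprintf('persistent cookie: survives browser restarts for %.1f days', $cookieLife / 86400);
    }
    if ($idle > 0 && $cookieLife > $idle) {
        $findings[] = sprintf('idle sessions may be garbage collected after %.1f days, before the cookie expires', $idle / 86400);
    }
    if (empty($cookie['cookie_secure'])) {
        $findings[] = 'cookie_secure is off: the session cookie is also sent over plain HTTP';
    }
    if (empty($cookie['cookie_httponly'])) {
        $findings[] = 'cookie_httponly is off: scripts in the page can read the session cookie';
    }
    // Only report checks that are explicitly disabled in this array.
    foreach (['invalidate_on_user_agent_mismatch', 'invalidate_on_ip_mismatch'] as $key) {
        if (array_key_exists($key, $checks) && $checks[$key] === false) {
            $findings[] = "$key is disabled: a copied cookie is not rejected by this check";
        }
    }
    return $findings;
}

// Constructed sample mirroring the values in the answer above.
$sample = [
    'session' => [
        'max_lifetime' => 3456000,
        'cookie' => ['cookie_lifetime' => 10510000, 'cookie_secure' => false, 'cookie_httponly' => true],
    ],
    'security' => ['session' => [
        'invalidate_on_user_agent_mismatch' => false,
        'invalidate_on_ip_mismatch'         => false,
    ]],
];

foreach (audit_session_config($sample) as $line) {
    echo '- ' . $line . PHP_EOL;
}
```

On a site served only over HTTPS, setting `cookie_secure` to `true` removes the plain-HTTP finding while keeping the long lifetime.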