Session Timeout


(Justin Dennis) #1

Is there a secret configuration option to allow me to limit how long a user remains signed-in?

I would like users to be signed-out automatically after 30 minutes of inactivity.

Thanks for any pointers.


(Jeff Atwood) #2

Yes, I thought we had a site setting for this but it is hard to search for since the terms are so generic. @sam can you remember?


(Sam Saffron) #3

It is not configurable at the moment, we would need to add that as a feature.


(Jeff Atwood) #4

I do think we should have this as a site setting…


(Kane York) #5

I’m concerned that a site admin is going to set this too low and make it impossible for anyone to write a post or get any reading done.


(Justin Dennis) #6

A bit more information:

We use Discourse for an employee message board / forum. All sign-ins are managed through the documented single sign-on integration. Because employees typically use shared computers, we have a commonly recurring issue where people write posts attributed to the wrong (but currently signed-in) user.

My request for session time-out would be negated if I could have our SSO integration also sign people out. They are good about signing out of our primary intranet website. So far I’ve not been able to understand the sign-out discussion in the SSO thread.

Any help toward session time out or user sign out would be greatly appreciated. Thanks.

-Justin


(Dean Taylor) #7

Wouldn’t the session be extended by both “writing a post” and “reading”?

  • Drafts are saved automatically during writing / composing a post (extending the session)
  • Reading sends “reading time” tracking information back too (also extending the session).

Perhaps have to be careful if a window is left active for tens of minutes / several hours sending back “reading time” info?


(Kane York) #8

Have you considered setting the browsers to clear cookies on exit?

Also, SSO can log a user out. You need to POST or PUT or something to a /admin/ endpoint.


(Sam Saffron) #9

Yes this is my strong pref and it is totally doable. When you sign out from sso you can make an API call to sign out the user.
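The API call Sam and Kane are pointing at, written out as an added example (this is illustrative code, not Discourse's own or the SSO provider's): the SSO provider's logout handler looks up the Discourse user by its SSO external id and then hits the admin log-out endpoint for that user. The two Discourse routes used, `GET /users/by-external/:external_id.json` and `POST /admin/users/:id/log_out.json`, are real admin API endpoints; the `DiscourseLogout` class, the `FakeDiscourse` transport, the hostname, the API key and the employee ids are assumptions made up for the example so it runs offline.

```ruby
require 'net/http'
require 'json'
require 'uri'

# Added example: sign a user out of Discourse from the SSO provider's own
# logout handler. Assumes an admin API key. Endpoints used exist in Discourse;
# everything around them (class, transport, hostname) is hypothetical.
class DiscourseLogout
  def initialize(base_url:, api_key:, api_username:, http: nil)
    @base = URI(base_url)
    @headers = {
      'Api-Key' => api_key,
      'Api-Username' => api_username,
      'Accept' => 'application/json'
    }
    # Injectable transport: a callable taking a Net::HTTPRequest and returning
    # [status_code, body]. Defaults to a real HTTPS request.
    @http = http || method(:real_request)
  end

  # Resolve the Discourse user id for an SSO external id (admin-only route).
  def user_id_for(external_id)
    path = "/users/by-external/#{URI.encode_www_form_component(external_id)}.json"
    status, body = @http.call(Net::HTTP::Get.new(path, @headers))
    return nil unless status == 200
    JSON.parse(body).dig('user', 'id')
  end

  # Invalidate every Discourse session of that user. Returns a symbol so the
  # SSO side can log which case it hit.
  def log_out(external_id)
    id = user_id_for(external_id)
    return :unknown_user if id.nil?
    status, _body = @http.call(Net::HTTP::Post.new("/admin/users/#{id}/log_out.json", @headers))
    status == 200 ? :logged_out : :failed
  end

  private

  def real_request(req)
    Net::HTTP.start(@base.host, @base.port, use_ssl: @base.scheme == 'https') do |conn|
      res = conn.request(req)
      [res.code.to_i, res.body]
    end
  end
end

# Constructed fake transport so the example runs without a Discourse instance.
# It records what was sent and answers like Discourse would for one known user.
class FakeDiscourse
  attr_reader :calls

  def initialize
    @calls = []
  end

  def call(req)
    @calls << [req.method, req.path, req['Api-Key']]
    case [req.method, req.path]
    when ['GET', '/users/by-external/emp-1042.json']
      [200, JSON.generate('user' => { 'id' => 77, 'username' => 'jdennis' })]
    when ['POST', '/admin/users/77/log_out.json']
      [200, JSON.generate('success' => 'OK')]
    else
      [404, JSON.generate('errors' => ['not found'])]
    end
  end
end

FAKE = FakeDiscourse.new
CLIENT = DiscourseLogout.new(
  base_url: 'https://forum.example.internal', # assumed hostname
  api_key: 'REPLACE_WITH_ADMIN_API_KEY',       # assumed; never commit a real key
  api_username: 'system',
  http: FAKE
)

if __FILE__ == $0
  puts CLIENT.log_out('emp-1042') # => logged_out
  puts CLIENT.log_out('emp-9999') # => unknown_user
end
```

Drop the `http:` argument to talk to a real instance. Because the admin key can sign anyone out, keep it on the SSO server only, and treat `:unknown_user` as a non-error: an employee who never visited the forum has no Discourse account to sign out.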


(Sam Saffron) #10

Agree but it is a bit tricky.

We need to allow for “maximum session age” and “maximum session idle” … “maximum session idle” is way more interesting cause it will not cause all sorts of nasties like logging you out mid compose.

But, “maximum session idle” is a bit more expensive to implement. Additionally we need to make this work for “logout strict” and non “logout strict” so that gets tricky as well.

Overall this is a can of worms I would like to hold off on opening.
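To make the two policies Sam distinguishes concrete, here is an added example (illustrative code, not Discourse's implementation): a session table that enforces both a "maximum session age" counted from login and a "maximum session idle" that every authenticated request pushes forward. The `SessionPolicy` class, the token names and the timings are assumptions for the example; the `demo` method walks through why the idle variant does not log someone out mid-compose as long as the composer keeps saving drafts, while the age variant eventually does.

```ruby
# Added example, not Discourse code: enforce an absolute session lifetime and
# a sliding idle timeout side by side. Times are plain seconds since login so
# the example is deterministic.
class SessionPolicy
  def initialize(max_age:, max_idle:)
    @max_age = max_age   # seconds since login, never extended
    @max_idle = max_idle # seconds since the last authenticated request
    @sessions = {}
  end

  def login(token, now)
    @sessions[token] = { created_at: now, last_seen: now }
    :ok
  end

  # Called on every authenticated request (page view, draft autosave,
  # reading-time ping). Returns :ok, :expired_age, :expired_idle or :unknown.
  # A valid request refreshes last_seen; this write on every request is the
  # extra cost of the idle variant compared with a fixed expiry.
  def touch(token, now)
    s = @sessions[token]
    return :unknown if s.nil?
    if now - s[:created_at] > @max_age
      @sessions.delete(token)
      return :expired_age
    end
    if now - s[:last_seen] > @max_idle
      @sessions.delete(token)
      return :expired_idle
    end
    s[:last_seen] = now
    :ok
  end

  def active?(token)
    @sessions.key?(token)
  end
end

MIN = 60
HOUR = 60 * MIN

# Constructed scenario: 8 hour absolute lifetime, 30 minute idle timeout.
def demo
  policy = SessionPolicy.new(max_age: 8 * HOUR, max_idle: 30 * MIN)
  results = []

  # Session A: a reader who pauses, comes back, then walks away from a shared PC.
  policy.login('a', 0)
  results << policy.touch('a', 25 * MIN)            # 25 min gap: still fine
  results << policy.touch('a', 50 * MIN)            # another 25 min gap: idle clock was reset
  results << policy.touch('a', 50 * MIN + 31 * MIN) # 31 min of silence: idle expiry

  # Session B: someone composing all day; draft autosaves every 29 minutes keep
  # the idle clock alive, but the absolute lifetime still wins after 8 hours.
  policy.login('b', 0)
  (1..16).each { |i| policy.touch('b', i * 29 * MIN) } # 16 * 29 min = 7 h 44 min, all :ok
  results << policy.touch('b', 17 * 29 * MIN)           # 8 h 13 min since login: age expiry

  results << policy.touch('a', 100 * MIN)               # already deleted
  results
end

if __FILE__ == $0
  p demo # => [:ok, :ok, :expired_idle, :expired_age, :unknown]
end
```

The `:expired_age` case is exactly the "logging you out mid compose" nastiness Sam mentions, so a deployment that wants a hard upper bound as well should pick `max_age` long enough to cover a working day and rely on `max_idle` for the shared-computer problem.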


(Jeff Atwood) #11

I think this is a better avenue of approaching the problem…


(Justin Dennis) #12

I’m on board. Let’s close this thread if you like and I’ll start a new one seeking help with the SSO sign-out capability. Thanks for helping me focus on a good approach.


(Rafael dos Santos Silva) #13

I use a site-wide reverse proxy rule that keeps my users signed in.

Before every request (every 3 minutes) we verify whether the session is still valid. If it isn't valid any more (30-minute expiry), we remove our cookies and the Discourse cookies too.

Could this approach help?


(Justin Dennis) #14

This sounds perfect, but a site-wide reverse proxy rule is over my head. I Googled some resources to learn more. Thank you.


(Andy Rothfusz) #15

In the model where SSO does the Discourse log-out, how would I disable email notifications to the user and reenable them when they SSO-in again? I want to make sure that people who can’t SSO also can’t get notified of changes on the Discourse site.


#16

What’s the default duration for session timeout in Discourse?

I’d also like to request this feature to expose the session duration setting in Discourse Site Settings.


(Rafael dos Santos Silva) #17

So I’m having some problems with this too :sadpanda:.

Would the team be open to a SiteSetting that changes the _t cookie Expires from 20 years to Session?


(Jeff Atwood) #18

I support a site setting for this yes.


(Rafael dos Santos Silva) #19

Nice.

We’re having problems where people are sharing PCs at the company and posting on each other’s account :laughing:.


(Dean Taylor) #20

Perhaps there should be a “Stay signed in” checkbox?