Session Timeout

Is there a secret configuration option to allow me to limit how long a user remains signed-in?

I would like users to be signed-out automatically after 30 minutes of inactivity.

Thanks for any pointers.

1 Like

Yes, I thought we had a site setting for this but it is hard to search for since the terms are so generic. @sam can you remember?

It is not configurable at the moment, we would need to add that as a feature.

1 Like

I do think we should have this as a site setting…

I’m concerned that a site admin is going to set this too low and make it impossible for anyone to write a post or get any reading done.

1 Like

A bit more information:

We use Discourse for an employee message board / forum. All sign-ins are managed through the documented single sign-on integration. Because employees typically use shared computers, we have a commonly recurring issue where people write posts attributed to the wrong (but currently signed-in) user.

My request for session time-out would be negated if I could have our SSO integration also sign people out. They are good about signing out of our primary intranet website. So far I’ve not been able to understand the sign-out discussion in the SSO thread.

Any help toward session time out or user sign out would be greatly appreciated. Thanks.

-Justin

1 Like

Wouldn’t the session be extended by both “writing a post” and “reading”?

  • Drafts are saved automatically during writing / composing a post (extending the session)
  • Reading sends “reading time” tracking information back too (also extending the session).

Perhaps have to be careful if a window is left active for tens of minutes / several hours sending back “reading time” info?

1 Like

Have you considered setting the browsers to clear cookies on exit?

Also, SSO can log a user out. You need to POST or PUT or something to a /admin/ endpoint.

1 Like

Yes this is my strong pref and it is totally doable. When you sign out from sso you can make an API call to sign out the user.

Agree but it is a bit tricky.

We need to allow for “maximum session age” and “maximum session idle” … “maximum session idle” is way more interesting cause it will not cause all sorts of nasties like logging you out mid compose.

But, “maximum session idle” is a bit more expensive to implement. Additionally we need to make this work for “logout strict” and non “logout strict” so that gets tricky as well.

Overall this is a can of worms I would like to hold off on opening.

3 Likes
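
An added illustration of the “maximum session age” versus “maximum session idle” distinction raised above, and of the earlier point that draft autosaves and reading-time pings can keep an idle clock from ever running out. This is not Discourse code and not part of the thread; every class, method and constant name is hypothetical, and the request traces are constructed.

```ruby
# Added example, not Discourse code. All names are hypothetical.
MINUTE = 60
Policy = Struct.new(:max_age, :max_idle) # both in seconds; nil disables a limit

class Session
  def initialize(now)
    @created_at = now
    @last_active_at = now
  end

  # Only requests that count as activity reset the idle clock.
  def touch(now, counts_as_activity)
    @last_active_at = now if counts_as_activity
  end

  def status(policy, now)
    return :expired_age if policy.max_age && now - @created_at >= policy.max_age
    return :expired_idle if policy.max_idle && now - @last_active_at >= policy.max_idle
    :valid
  end
end

# Replays constructed [seconds_since_login, :user | :background] events and
# returns the first non-valid status seen, or the status at check_at.
def replay(events, policy, check_at:, count_background:)
  session = Session.new(0)
  events.each do |at, kind|
    state = session.status(policy, at)
    return state unless state == :valid
    session.touch(at, kind == :user || count_background)
  end
  session.status(policy, check_at)
end

POLICY = Policy.new(8 * 60 * MINUTE, 30 * MINUTE)

# Constructed trace: one real action at 5 min, then the tab is left open and
# sends a background ping (draft save / reading time) every 10 minutes.
ABANDONED_TAB = [[5 * MINUTE, :user]] +
                [15, 25, 35, 45, 55].map { |m| [m * MINUTE, :background] }

# Constructed trace: a user who stays active every 20 minutes for over 9 hours.
LONG_SHIFT = (1..28).map { |i| [i * 20 * MINUTE, :user] }

if __FILE__ == $PROGRAM_NAME
  p replay(ABANDONED_TAB, POLICY, check_at: 60 * MINUTE, count_background: true)
  p replay(ABANDONED_TAB, POLICY, check_at: 60 * MINUTE, count_background: false)
  p replay(LONG_SHIFT, POLICY, check_at: 560 * MINUTE, count_background: false)
end
```

On a shared computer the first case is the one that matters: if background pings count as activity, an unattended open tab stays signed in indefinitely, while the age limit alone ends a session even for a user who is still active.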

I think this is a better avenue of approaching the problem…

1 Like

I’m on board. Let’s close this thread if you like and I’ll start a new one seeking help with the SSO sign-out capability. Thanks for helping me focus on a good approach.

I use a site-wide reverse proxy rule that keeps my users signed in.

Before every request (every 3 minutes) we verify if the session is still valid. If it isn’t valid anymore (30 mins expire) we remove our cookies and Discourse cookies too.

Could this approach help?

1 Like

This sounds perfect, but a site-wide reverse proxy rule is over my head. I Googled some resources to learn more. Thank you.

In the model where SSO does the Discourse log-out, how would I disable email notifications to the user and reenable them when they SSO-in again? I want to make sure that people who can’t SSO also can’t get notified of changes on the Discourse site.

1 Like

What’s the default duration for session timeout in Discourse?

I’d also like to request this feature to expose the session duration setting in Discourse Site Settings.

So I’m having some problems with this too :sadpanda:.

Would the team be open to a SiteSetting that changes the _t cookie Expires from 20 years to Session?

3 Likes

I support a site setting for this yes.

4 Likes

Nice.

We’re having problems where people are sharing PCs at the company and posting on each other’s accounts :laughing:.

5 Likes

Perhaps there should be a “Stay signed in” checkbox?