NC Version 15.0.2.0
OS Ubuntu 16.04.6
PHP 7.0.33-0ubuntu0.16.04.3
Accounts are used at public computers, and sometimes users forget to log out. To prevent data theft, session timeout and login cookie lifetime are regulated in config.php:
Expected behavior:
After the browser is closed, reopened and navigated to the cloud, NC will prompt for login.
Actual behavior: after the browser is closed, reopened and navigated to the cloud, the user is still logged in and the cloud is fully usable without logging in again.
A local cookie is used to store information about a valid session in the browser. You should make sure that this cookie is deleted once the browser is closed. Additionally it might be a good idea to browse in private mode by default on a public computer.
Sure, I encourage my users to log out after every session, especially when they are using public computers. But we all know there are human errors… I just try to harden security a bit.
Yes, maybe. My session times out after 5 min, which is consistent with
'session_lifetime' => 60*5,
but remembers the session for 5 minutes after browser closing.
In a business environment, when you close the browser and reopen it, you should have to log back in and not have to remember to clear a cookie. I want it to always ask for the password after the stated time. How can this be done? This should be the default, or it is bad security practice.
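To check the point raised in the thread, that login state lives in a browser cookie which should disappear when the browser closes, the following added example (not code from any poster or from Nextcloud) classifies Set-Cookie headers as session-only, persistent or expired. The sample headers are constructed, and the cookie names in them are assumptions about what a Nextcloud server sets.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample Set-Cookie headers (values are placeholders, not captured traffic).
SAMPLE_HEADERS = [
    "oc_sessionPassphrase=PLACEHOLDER; path=/; secure; HttpOnly; SameSite=Lax",
    "nc_token=PLACEHOLDER; Max-Age=1296000; path=/; secure; HttpOnly",
    "nc_username=PLACEHOLDER; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/",
]

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, {lowercased attribute: value})."""
    first, *rest = [part.strip() for part in header.split(";")]
    name = first.partition("=")[0].strip()
    attrs = {}
    for part in rest:
        if part:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()
    return name, attrs

def classify(attrs, now):
    """Return 'persistent', 'session' or 'expired' following RFC 6265 precedence."""
    # Max-Age wins over Expires; a malformed Max-Age is ignored.
    try:
        return "persistent" if int(attrs["max-age"]) > 0 else "expired"
    except (KeyError, ValueError):
        pass
    try:
        expires = parsedate_to_datetime(attrs["expires"])
    except (KeyError, TypeError, ValueError):
        return "session"  # no usable lifetime attribute: dropped with the browser session
    if expires.tzinfo is None:
        expires = expires.replace(tzinfo=timezone.utc)
    return "persistent" if expires > now else "expired"

def audit(headers, now=None):
    """Map each cookie name to its classification."""
    now = now or datetime.now(timezone.utc)
    return dict((name, classify(attrs, now)) for name, attrs in map(parse_set_cookie, headers))

if __name__ == "__main__":
    for name, kind in audit(SAMPLE_HEADERS).items():
        print(f"{name}: {kind}")
```

A cookie reported as `session` can still survive a restart when the browser is configured to restore the previous session, so a shared computer needs that browser setting checked as well.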