Web session not expiring

Hello all,

Good day and hoping this finds you well.

Just want to know if it's normal for the web session to not expire?

This is the configuration I've got in my config.php:
'session_lifetime' => 60 * 60 * 1,
'session_keepalive' => false,
'remember_login_cookie_lifetime' => 60 * 60 * 24 * 7,

Now, I'm using RainLoop via web browser, but if I leave the tab open for more than 12 hours it will still be active.

Ideally I would like to have it log you off automatically after 8 hours of inactivity.

Can you please advise?

Thanks in advance!

Anyone else having this issue?

Is this normal?

The session remains active if the browser has the page loaded.

So, correct me if I'm wrong… if I leave the tab with my Nextcloud open it will never expire?

Even after inactivity?

Regards!

Yes, probably, since there is JavaScript running, checking for notifications etc.

So, what would be the need for session expiration if it actually does not expire?

If you close the browser then the session will expire so that the server doesn’t keep sessions forever.

You’re looking for auto lock or auto logout. Not sure that exists.

I had the same issue and I still wonder that this security behavior still exists in Nextcloud 20.0.1! It is a security leak for me when a session never ends! To disable long-running sessions you might set those 3 parameters in your /config/config.php like this:

'session_lifetime' => 3600,
'session_keepalive' => false,
'remember_login_cookie_lifetime' => 0,

The main problem seems to be the cookie lifetime (parameter remember_login_cookie_lifetime). I changed it to zero. This ensures that I need to log in again whenever I close the browser. You can change its value to the same as session_lifetime to ensure that the session does not die on browser crashes, but still dies on session timeout.

I hope it helps.
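
Added example, not part of any post in this thread and not Nextcloud code: a simplified Python model of the two effects discussed above, an idle timeout that background polling keeps resetting and a remember-me token that silently replaces an expired session. `Policy`, `polls_refresh`, the 30-second poll interval and the traffic are constructed assumptions; the token is modelled as issued once at login and never renewed.

```python
"""Toy model of idle-timeout sessions (illustrative, not Nextcloud code)."""
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

Request = Tuple[int, str]  # (seconds since login, "user" or "poll")


@dataclass
class Policy:
    session_lifetime: int   # idle timeout in seconds
    remember_lifetime: int  # remember-me token lifetime in seconds, 0 = no token
    polls_refresh: bool     # hypothetical knob: do background polls reset the idle timer?


def first_rejected(requests: Iterable[Request], p: Policy) -> Optional[int]:
    """Return the time of the first request that is sent back to the login
    page, or None if every request is accepted."""
    last_seen = 0  # login happens at t=0
    for t, kind in requests:
        if t - last_seen > p.session_lifetime:
            # The session has idled out. A still-valid remember-me token
            # creates a fresh session without showing a login prompt.
            if p.remember_lifetime and t <= p.remember_lifetime:
                last_seen = t
                continue
            return t
        if kind == "user" or p.polls_refresh:
            last_seen = t
    return None


def open_tab(hours: int, poll_every: int = 30) -> list:
    """Constructed traffic: one user click at t=60 s, then an idle tab whose
    JavaScript polls the server every `poll_every` seconds."""
    polls = [(t, "poll") for t in range(poll_every, hours * 3600 + 1, poll_every)]
    return sorted([(60, "user")] + polls)


if __name__ == "__main__":
    hour, tab = 3600, open_tab(12)
    for name, pol in [
        ("polls reset timer, no token", Policy(hour, 0, True)),
        ("only user activity counts, no token", Policy(hour, 0, False)),
        ("only user activity counts, 7-day token", Policy(hour, 7 * 24 * hour, False)),
        ("only user activity counts, token = session", Policy(hour, hour, False)),
    ]:
        print(f"{name}: first forced login at {first_rejected(tab, pol)}")
```

In this model a 12-hour idle tab is only forced back to the login page when the timer ignores background polls and the remember-me token has expired or is disabled.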