Web session not expiring

Hello all,

Good day and hoping this finds you well.

Just want to know if it's normal for the web session to not expire?

This is the configuration I've got in my config.php:
'session_lifetime' => 60 * 60 * 1,
'session_keepalive' => false,
'remember_login_cookie_lifetime' => 60 * 60 * 24 * 7,

Now, I'm using rainloop via web browser, but if I leave the tab open for more than 12 hours it will still be active.

Ideally I would like to have it log you off automatically after 8 hours of inactivity.

Can you please advise?

Thanks in advance!

Anyone else having this issue?

Is this normal?

The session remains active if the browser has the page loaded.

So, correct me if I'm wrong… if I leave the tab with my Nextcloud open it will never expire?

Even after inactivity?

Regards!

Yes probably since there is JavaScript running checking for notifications etc.

So, what would be the need for session expiration if it actually does not expire?

If you close the browser then the session will expire so that the server doesn’t keep sessions forever.

You’re looking for auto lock or auto logout. Not sure that exists.

I had the same issue and I still wonder that this security behavior still exists in Nextcloud 20.0.1! It is a security leak for me when a session never ends! To disable long-running sessions you might set those 3 parameters in your /config/config.php like this:

'session_lifetime' => 3600,
'session_keepalive' => false,
'remember_login_cookie_lifetime' => 0,

The main problem seems to be the cookie lifetime (parameter remember_login_cookie_lifetime). I changed it to zero. This ensures that I need to log in again whenever I close the browser. You can change its value to the same as session_lifetime to ensure that the session does not die on browser crashes, but still dies on session timeout.

I hope it helps.


I can confirm this is still an issue on 27.1.1. With Firefox 115esr, the session for Nextcloud never times out. The php.ini setting for session lifetime remains at the default for 8.1 of 24 minutes, e.g. session.gc_maxlifetime = 1440. Even so, I can sit down in the morning and the session in Nextcloud is still active. Maybe a recent change triggered a regression?

One other possible contributing factor is that I also have the iOS Nextcloud app in use for syncing files. That access by my account may be what is responsible for Nextcloud thinking my session is still active, even though the browser and iOS app would have different session IDs. If it is just checking whether there was activity by the account, then that may explain the behavior. I haven't looked at the source in Nextcloud, so I have no idea what logic is being used; these are simply a few ideas based on what I see happening and possible factors…
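
Added example, not part of any post above and not Nextcloud's code: a simplified model of the behaviour discussed in this thread, where a sliding session lifetime is refreshed by background requests from an open tab, next to an idle limit that counts only user-initiated requests. The `Session` class, `stillLoggedIn`, and the 30-second polling interval are assumptions made for illustration; the 1-hour lifetime and 8-hour inactivity limit are the values from the first post.

```javascript
// Simplified model (assumption): every accepted request slides the session
// expiry forward. All names here are hypothetical, not a real API.
const HOUR = 3600;

class Session {
  constructor(now, lifetime, idleLimit) {
    this.lifetime = lifetime;     // plays the role of session_lifetime (seconds)
    this.idleLimit = idleLimit;   // wanted inactivity limit (seconds)
    this.lastRequest = now;       // any request, including background polls
    this.lastUserAction = now;    // only requests the user triggered
    this.ended = false;
  }
  // Returns true if the request is accepted, false once the session has ended.
  request(now, userInitiated, enforceIdle) {
    if (this.ended) return false;
    const expired = now - this.lastRequest > this.lifetime;
    const idle = enforceIdle && now - this.lastUserAction > this.idleLimit;
    if (expired || idle) {
      this.ended = true;
      return false;
    }
    this.lastRequest = now;       // sliding expiry: polls refresh it too
    if (userInitiated) this.lastUserAction = now;
    return true;
  }
}

// Constructed scenario: login at t=0, the user walks away and comes back at
// `returnAt`. pollEvery = 0 means the tab was closed (no background requests).
function stillLoggedIn({ pollEvery, returnAt, enforceIdle }) {
  const s = new Session(0, 1 * HOUR, 8 * HOUR);
  for (let t = pollEvery; pollEvery > 0 && t < returnAt; t += pollEvery) {
    if (!s.request(t, false, enforceIdle)) break;
  }
  return s.request(returnAt, true, enforceIdle);
}

const away12h = { returnAt: 12 * HOUR };
console.log("tab open, lifetime only:",
  stillLoggedIn({ ...away12h, pollEvery: 30, enforceIdle: false }));
console.log("tab closed, lifetime only:",
  stillLoggedIn({ ...away12h, pollEvery: 0, enforceIdle: false }));
console.log("tab open, idle limit enforced:",
  stillLoggedIn({ ...away12h, pollEvery: 30, enforceIdle: true }));
```

In this model the lifetime check alone cannot end a session while the tab keeps polling; only a limit tied to user-initiated activity does.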