SE PHP Session duration
Hi, it appears that the login session expires in about 2 weeks, which is very annoying, having to log in all the time. Do any of you have a solution for this? I wouldn't want to keep inactive sessions forever either, but maybe there is a simple way to check if the session expires soon and, if the user visits the website, to just extend it for another 2 weeks?
    • 1
    Donna A caution. Having sessions like that can be a security risk. It is very easy these days to hijack a user's session. It happened to me at another script and due to the session not expiring that day, it caused the hacker to be able to log in and do his wonders as admin. It wasn't a fun experience at all. I will ask the team about the session issues as I would actually like a setting to allow it to expire much, much sooner for security purposes. So, perhaps a setting for admin to control it more so that those not concerned for possible security issues could set it longer and those that want to lock it down can set it shorter.
      • 1
      Stepan SE already has a feature "Admin Reauthorization" which should solve this problem, at least for login to the admin panel. I'm not sure how this is a security risk, as an attacker will not always get the session id seconds before the session expires. What if he gets the session id and there is still at least 1 hour left on that session? It's already enough time to cause some harm. So if someone can hijack a session through XSS or any other method, there is not going to be any difference if it expires in 1 hour or 1 year; they can just change the email on the account and reset the password through email. It's that easy, and they only need a few minutes.

      It also comes down to convenience: if someone gets logged off they may not want to bother logging back in every 2 weeks, and we lose users.

      A setting like this to control the session duration would be great, and maybe a way to set a different value for admins/moderators vs regular users.
        • 1
        Donna Yes I know of the admin setting. I was thinking more of the general setting. Perhaps we can improve this in a future version but I'll need to ask the team.

        Regarding users not wanting to log in, I explain the issue on my author site and they are aware of the need to log in again. I do use the script on my site. :)

        However, each webmaster has different needs which is why SE is a great script as we are in control of so many things and can set them how we want them. To me, this would be another good setting to have.
          • 1
          Donna I've added both suggestions for our team to consider.
          • 1
          gs ==>"...this would be another good setting to have"
          Yes, a setting.

          Although I see Stepan's point, I didn't realize the default was 2 weeks. For me I'd be going the other end of this - making it a few hours or a day at most.

          What's more crucial for me (which SE already informed me they wouldn't be incorporating into Core, but recommended hiring a 3rd-Party Dev to modify core) is to limit the #logins per User. Monetization is not as good if 1 User can share his/her account with as many others as they wish :(
            • 1
            Donna [185918,gs] lol and thank you
            • 0 1 vote
            • 1
            gs [231316,Donna] ==>" Remind me about this suggestion next week please."

            Reminding :)
            • 0 1 vote
            • 1
            gs @donna
            Will do. BTW by #logins per User I meant per ML.
            • 0 1 vote
            • 1
            Donna I would also go the other way. The other script I used has the setting and it's defaulted at 15 minutes which I find just right. It doesn't log them out if they are on the site but it does if they have left the site. Now that I'm on SE for my site (one of them, the other soon) these sort of things are easier to see.
            • 0 1 vote
            • 1
            Donna We won't? Remind me about this suggestion next week please. I agree that we should but don't know if that would make things heavy.
            • 0 1 vote
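
The renewal asked about in the opening post (extend only when the session is close to expiring and the user comes back), as an added example that is not part of the thread and is not SocialEngine code. It uses plain PHP sessions; the function names, the constants and the 90-day hard cap are assumptions chosen for illustration.

```php
<?php
// Added example: plain PHP sessions, not SocialEngine code. Names and limits are assumptions.
const LIFETIME       = 14 * 86400; // sliding lifetime: 2 weeks, as in the thread
const RENEW_WINDOW   = 3 * 86400;  // extend only when fewer than 3 days remain
const ABSOLUTE_LIMIT = 90 * 86400; // hard cap counted from login, never extended

// Call once after a successful password check (session already started).
function start_login_session(int $userId, int $now): void
{
    session_regenerate_id(true);           // fresh ID at login prevents session fixation
    $_SESSION['user_id']    = $userId;
    $_SESSION['login_at']   = $now;
    $_SESSION['expires_at'] = $now + LIFETIME;
    send_session_cookie($_SESSION['expires_at']);
}

// Call on every request after session_start(); returns false when the user is logged out.
function refresh_login_session(int $now): bool
{
    if (!isset($_SESSION['user_id'], $_SESSION['login_at'], $_SESSION['expires_at'])) {
        return false;
    }
    // Enforce expiry on the server: a stolen ID does not honour the cookie's expiry date.
    if ($now >= $_SESSION['expires_at']) {
        $_SESSION = [];
        session_destroy();
        return false;
    }
    $hardStop = $_SESSION['login_at'] + ABSOLUTE_LIMIT;
    if ($_SESSION['expires_at'] - $now < RENEW_WINDOW && $_SESSION['expires_at'] < $hardStop) {
        $_SESSION['expires_at'] = min($now + LIFETIME, $hardStop);
        session_regenerate_id(true);       // rotate the ID whenever the lifetime is extended
        send_session_cookie($_SESSION['expires_at']);
    }
    return true;
}

// Re-issue the session cookie with an explicit expiry and hardened flags (PHP 7.3+ syntax).
function send_session_cookie(int $expiresAt): void
{
    $p = session_get_cookie_params();
    setcookie(session_name(), session_id(), [
        'expires'  => $expiresAt,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}
```

`session.gc_maxlifetime` has to be at least `LIFETIME`, otherwise PHP's garbage collector can delete the session data before `expires_at` is reached. Different values for admins and regular users, as suggested in the thread, would mean choosing `LIFETIME` per role at login.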