This topic is related to this one: https://elgg.org/discussion/view/2646147/force-logout-after-user-idle-timeout
In an Elgg 2.2 installation the session never expires although I've done all the above steps, disabled all 3rd-party plugins etc., so I've created a function to force logout:

    function isLoginSessionExpired() {
        if (!elgg_is_logged_in()) {
            return false;
        }
        // Fetch the user first: the checks below read its attributes
        $user = elgg_get_logged_in_user_entity();
        //The user was logged out
        if ($user->last_login > $user->prev_last_action) {
            return false;
        }
        //Timeout in seconds
        $login_session_duration = 15 * 60;
        //$current_time = time();
        if (isset($user->prev_last_action)) {
            if ((time() - $user->prev_last_action) > $login_session_duration) {
                return true;
            }
        }
        return false;
    }

And I call it from start.php of my plugin theme:

    if (isLoginSessionExpired()) {
        system_message(elgg_echo("cloudtheme:session_expired"));
        forward(elgg_add_action_tokens_to_url("action/logout"));
    }

BUT I've two problems:
Any suggestion to solve the problems or improve the code?

ihayredinov (@ihayredinov):
I think last_action attribute is what you need, not prev_last_action.
Dig through the token renewal code, there might be a way to log the user out when token is no longer refreshed via ajax

Javier (@chamus):
I tried with last_action but it doesn't refresh when you load / reload the page.
I've taken a look at the _elgg_csrf_token_refresh function and I don't see a way to log out the user, maybe invalidating session_token? Is there a way to invalidate it?
Thanks Ismayil.

ihayredinov (@ihayredinov):
Logging out invalidates session token.
I suppose you could use JavaScript to set a timeout and execute a logout action after 15min.
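
The JavaScript timeout suggested in the last reply, as an added example that is not part of the thread and is not Elgg's own code. `createIdleWatcher` and the `data-logout-url` attribute are hypothetical names; the example assumes the server renders a tokenized logout URL (as `elgg_add_action_tokens_to_url("action/logout")` does in the post) and that the token is still valid when the timer fires.

```javascript
// Added example: idle-logout timer. All names here are hypothetical, not Elgg APIs.
const IDLE_LIMIT_MS = 15 * 60 * 1000; // same 15-minute window as the PHP check

function createIdleWatcher({ limitMs = IDLE_LIMIT_MS, now = Date.now, onExpire }) {
  let lastActivity = now();
  let expired = false;

  return {
    // Call on real user input (click, keypress, ...), not on background ajax.
    touch() {
      if (!expired) lastActivity = now();
    },
    // Compare wall-clock time instead of trusting one long setTimeout,
    // which browsers delay in background tabs and across device sleep.
    check() {
      if (!expired && now() - lastActivity >= limitMs) {
        expired = true;
        onExpire(); // fires exactly once
      }
      return expired;
    },
    idleMs() {
      return now() - lastActivity;
    },
  };
}

// Browser wiring; skipped when run outside a page (e.g. under Node).
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  // Assumption: the server wrote the tokenized logout URL into this attribute.
  const logoutUrl = document.body.getAttribute('data-logout-url');
  if (logoutUrl) {
    const watcher = createIdleWatcher({
      onExpire: () => window.location.assign(logoutUrl),
    });
    ['mousedown', 'keydown', 'scroll', 'touchstart'].forEach((evt) =>
      document.addEventListener(evt, () => watcher.touch(), { passive: true })
    );
    setInterval(() => watcher.check(), 30 * 1000); // poll every 30 s
    document.addEventListener('visibilitychange', () => watcher.check());
  }
}
```

A timer in the page can be disabled by whoever controls the browser, so it complements the server-side expiry check and does not replace it.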