XF 2.0 30 minute session timer?

kaieivindm

Well-known member
Hi,

Has this been changed from XF1? Was working fine for me on 1.5.16. Inactive or not using the browser in the 30 min timer, I had to log in again. But in XF2.0 I am always logged in. Is it 30 days now?

Can it be changed to behave like XF1?

Also, I've read that the admin console has 60 min session timer, but I can be gone for days and still just refresh my page and I am still logged in.

Is this normal behaviour?
 
Mine was NEVER only 30 minutes on XF1.5. Did you perhaps change a setting or use an add-on to make it only 30 minutes in XF1?

I was quite sure it was a 30 min session timer in XF ACP that I used, so after 30 min of inactivity the user had to log on again.

With XF2.0 I have been logged on with my admin user forever. And it's a keep-alive that runs every 45 or 50 min to show for it in the logs.

I mean, I can close my browser, open after a restart and be logged in if I open the site.

A bit scary if you log in via external or not your own computer. Doubt many use log out button.
 
XenForo has always kept you logged in if you tick the "Stay logged in" option when you log in. It's only the ACP that requires logging in again after a period of time.

For admin accounts (and possibly staff accounts too depending on your site) I'd recommend setting up 2-factor authentication.
 
Actually, I have disabled auto check for Stay logged in to avoid that part. Might clean cookies and see how it acts.

But I am still curious why ACP sends keep-alive every 45-50 min. Which means I am not being logged out after 60 min as I understand should happen.

2FA is an alternative, but won't force it just yet.
 
AdminCP is different, didn't realize that was your primary concern. Be interested to hear what the staff says the normal behavior should be.

Well both are my concern.

Doing some tests on Firefox with all data, history and such cleared and go inactive for a couple of hours, and a browser where I do nothing. See if I get logged out or not. "Stay logged in" is not auto checked anymore.

But ACP most.
Here is what the admin log from ACP looks like:
[Image attachment: 1519316442209.webp]

Is this browser related? Is it ACP keeping this one open? What's really going on and why am I not being logged out after 60 min of inactivity? Since this keep-alive pings every 40-50 min the 60 min rule never gets to run? Is that it?
 
It does look like the keep-alive is intended to beat the 60 minute rule and keep you logged in.

Did you try the two-factor authentication someone else mentioned? I don't use it yet, but apparently you have to log in every time with that? That's what I've read (complaints about) anyways.
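
The interaction the last few posts describe, as an added model that is not part of the thread and not XenForo's code: an idle timeout that treats every request as activity never fires while a keep-alive arrives more often than the limit, whereas one that only counts user-initiated requests does. The 60-minute limit and 45-minute keep-alive interval are taken from the thread; the `Session` class and all function names are assumptions made for the illustration.

```python
from dataclasses import dataclass

IDLE_TIMEOUT = 60 * 60      # 60-minute admin idle limit mentioned in the thread
KEEPALIVE_EVERY = 45 * 60   # keep-alive interval reported from the admin log

@dataclass
class Session:
    last_seen: float          # last request of any kind, keep-alive included
    last_user_action: float   # last request the user actually triggered

def touch(s: Session, now: float, is_keepalive: bool) -> None:
    """Record a request against the session."""
    s.last_seen = now
    if not is_keepalive:
        s.last_user_action = now

def is_valid(s: Session, now: float, count_keepalive: bool) -> bool:
    """Idle check; count_keepalive selects which timestamp the limit is measured from."""
    ref = s.last_seen if count_keepalive else s.last_user_action
    return now - ref <= IDLE_TIMEOUT

def simulate(hours_away: float, count_keepalive: bool):
    """Admin logs in at t=0 and leaves the tab open, so only keep-alives arrive.
    Returns the second at which a request is rejected, or None if still logged in."""
    s = Session(last_seen=0, last_user_action=0)
    t, end = 0, hours_away * 3600
    while t + KEEPALIVE_EVERY <= end:
        t += KEEPALIVE_EVERY
        if not is_valid(s, t, count_keepalive):
            return t                      # server would demand a fresh login here
        touch(s, t, is_keepalive=True)
    return None if is_valid(s, end, count_keepalive) else end

if __name__ == "__main__":
    # Keep-alive counted as activity: still logged in after two days away.
    print("keep-alive refreshes timer:", simulate(48, count_keepalive=True))
    # Keep-alive ignored by the idle check: rejected at the first ping past 60 minutes.
    print("keep-alive ignored:        ", simulate(48, count_keepalive=False))
```
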
 