Administrator login/session length

Discussion regarding Joomla! security issues.

Moderator: General Support Moderators

Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Security Checklist
Forum Post Assistant - If you are serious about wanting help, you will use this tool to help you post.
User avatar
stingrey
Joomla! Hero
Joomla! Hero
Posts: 2756
Joined: Mon Aug 15, 2005 4:36 pm
Location: Marikina, Metro Manila, Philippines
Contact:

Re: Administrator login/session length

Postby stingrey » Wed Mar 15, 2006 6:02 pm

Darren996 wrote:Anyway, I would like to be able to change the session time out for normal users to 0 so the validated user is not timed out as long as they keep the browser open.  I would have to hack the core though cause the time() is added to the timeout value to determine cookie expiration.  Does that make sense?  If the timeout value is zero then set the cookie timeout value to zero? 

As of 1.0.8 cookies do not contain a timeout value, they will stay 'live' until the browser is closed.

However, the system will clear the session value in jos_sessions after a period of inactivity set in you global config setting.
If you need sessions to stay ative longer, than you can set the inactive value higher.



For security purposes a valid frontend logged in session, a persons browser must have the correct cookie and there must be a corresponding entry in jos_session.  Without both you will be logged out.
Rey Gigataras
http://www.wizmediateam.com <-- great team of talented Web Designers and Programmers!
http://about.me/reygigataras <-- About Me :)
Partner, Business Development & Project Manager, Event Manager, Sports Coach :D

Darren996
Joomla! Intern
Joomla! Intern
Posts: 69
Joined: Tue Jan 17, 2006 1:21 pm
Contact:

Re: Administrator login/session length

Postby Darren996 » Wed Mar 15, 2006 6:19 pm

Oh okay.  So it's not like mod_templatechooser...  :-[

I've bumped that up to two hours but people still lose stuff.  I guess then the real issue would be that the post values need to preserved while the user is directed to the login screen and then redirected back to where ever it was they where going after a valid login. 

Bog
Joomla! Intern
Joomla! Intern
Posts: 56
Joined: Wed Mar 29, 2006 9:11 pm
Contact:

Re: Administrator login/session length

Postby Bog » Sat Apr 01, 2006 5:35 pm

I'm experiencing this problem.  It's not clear what setting has to be made in what file.

As I use a hosting provider I would prefer a solution that doesn't require they make a change on the server that would impact the performance of the server or other hosted sites.

How about a hack that toggles the session management of the backend to ne handled just like the front end?  This is a security risk I'm willing to accept, or atleast to toggle back when I'm finished some maintenance.

I have a $50 reward if someone can fix this problem, otherwise I have to choose a Joomla friendly host or a host friendly CMS (i.e. goodbye Joomla).

freelancelance
Joomla! Fledgling
Joomla! Fledgling
Posts: 3
Joined: Sat Apr 08, 2006 3:28 am
Contact:

Re: Administrator login/session length

Postby freelancelance » Sat Apr 08, 2006 4:09 am

I'm not a programmer, but couldn't a hack be designed that would simulate some sort of admin activity every 29 minutes or whatever, for as long as the admin in question chose to have it on? Thus creating a persistent admin login without compromising Joomla's security?

I'd also like to add that the "feature" of constantly being redirected to the admin login page, and then dumped at the main admin screen instead of where you left off (never mind losing the data, which is obviously a giant PITA...I'm just talking about losing your place in the admin area), is a horrible, horrible feature. Joomla has a lot of usability problems, but this one probably takes the cake. How many extra clicks have collectively been done by the user community, just finding our way back to where we were before being jerked over to the admin login page, and dumped at the main menu? A million? 10 million? And how much lost time - again, not counting the painful lost time of losing one's work...just counting all that unnecessary finding our way back to the spot we had been at. 1000 hours? 10,000 hours?

And it's been that way at least since last year at this time, so it's not like there hasn't been time to fix this horrible, horrible feature.

I want to love Joomla, a lot in fact, but it has some seriously hardcore time-wasting usability issues. The admin area, which I used to see as slick and sophisticated, strikes me more and more as unnecessarily difficult-- even obstructive.

I can't pay any money, but I would just about worship anyone who could create a hack like what I described above. Something that makes my Joomla think that I'm doing enough admin activity to keep me logged in forever...or at least as long as I want.

I guess I've been spoiled by using WordPress a lot over the past year. I didn't know how spoiled until I set up a new Joomla-based site these past couple weeks. I keep having to persuade myself not to bolt, and hoping that at some point in the not too distant future, the developer team will recognize how unnecessarily difficult the admin area can be to use. Aside from the persistent logout "feature" and the horrible redirection to the main admin page feature, the template editing setup is needlessly tedious (try tinkering with one template repeatedly, and see how much unnecessary mouse activity you do, re-navigating to that edit page each time...or just compare it to WP's template editing page), and the feature of forcing folks to "please click cancel or save changes" when they want to navigate away from an open edit page...all these things serve to create untold amounts of unnecessary clicking, mousing, and waiting for new pages to load. I just keep thinking of the thousands of hours of people's time that is wasted on all the extra steps caused by these things.

I'm sure there are explanations as to why these things are the way they are, but it doesn't change that they are serious usability issues.

User avatar
Websmurf
Joomla! Hero
Joomla! Hero
Posts: 2230
Joined: Fri Aug 19, 2005 2:23 pm
Location: The Netherlands
Contact:

Re: Administrator login/session length

Postby Websmurf » Mon Apr 10, 2006 9:23 am

freelancelance wrote:I'd also like to add that the "feature" of constantly being redirected to the admin login page, and then dumped at the main admin screen instead of where you left off (never mind losing the data, which is obviously a giant PITA...I'm just talking about losing your place in the admin area), is a horrible, horrible feature.

Have a look at this; http://dev.joomla.org/component/option, ... d,33/p,84/
Adam van Dongen - Developer

- Blocklist, ODT Indexer, EasyFAQ, Easy Guestbook, Easy Gallery, YaNC & Redirect -
http://www.joomla-addons.org - http://www.bandhosting.nl

freelancelance
Joomla! Fledgling
Joomla! Fledgling
Posts: 3
Joined: Sat Apr 08, 2006 3:28 am
Contact:

Re: Administrator login/session length

Postby freelancelance » Tue Apr 11, 2006 3:49 pm

Thanks for the heads up, Websmurf. That sounds awesome. I'd still like to never have to login again, but if I'm going to have to, session saving will make a big difference.

mrwebexpert
Joomla! Apprentice
Joomla! Apprentice
Posts: 5
Joined: Mon Mar 29, 2010 11:56 am

Re: Administrator login/session length

Postby mrwebexpert » Fri May 21, 2010 12:55 pm

Hi Everybody,
I have a question, If I increase the session timeout length from 15 minutes to 120 minutes then what effects would be on memory?

Is it will utilize more memory resources after increase timeout length of the session? And would I also need to increase the memory limit after increasing session timeout length?

User avatar
SkyBlade
Joomla! Apprentice
Joomla! Apprentice
Posts: 46
Joined: Tue Mar 24, 2009 9:06 pm
Location: St. Louis, MO, USA

Re: Administrator login/session length

Postby SkyBlade » Fri Sep 20, 2013 5:00 pm

I know this is a really old thread, but there is a very simple solution that I stumbled across long ago. Open one browser tab to an article. Open another tab to do your work. as long as that article stays on its edit page, you'll remain logged in. Too bad I didn't see this 6 years ago to tell you then. :)


Return to “Security - 1.0.x”

Who is online

Users browsing this forum: No registered users and 4 guests