Seeking Clarity on Login Timeout with Wappler and PHP

My app is PHP based and follows the standard Wappler login procedure using the Security Provider and Security Login server action steps (shown below).

I would appreciate answers to the following questions to be sure I understand how this all works with regard to login timeout…

  1. Is it true to say that if there is no activity by my app user after the time set by the session.cookie_lifetime variable in my php.ini file, then the login credentials will no longer be valid and further calls to server actions protected by the Security Restrict action step will fail?

  2. If the above is true, what type of action needs to no longer be taking place to define “no activity by my app user”?

Thanks!
Antony.


  1. Yes

  2. Can you clarify please?

Yes… So is the timer reset if another server action is called?

Do you mean that another protected page is loaded in the browser (another tab) and something happens there?

Let’s take this as an example. If session.cookie_lifetime is set to the default of 1440 seconds, will my server actions stop working:

  1. 1440 seconds after the user logs in.

  2. 1440 seconds after the last time a server action was called.

  3. 1440 seconds after some other event (if so, what event is that?)

When you don't use the remember me option, as in your example:

a cookie won't be created.
I.e. the login will be kept for the current session (or until the browser is closed)

In your case, when the session time is 1440s then the user will be logged out after 1440s of inactivity. So if, after that time has passed, they try to refresh the page, navigate to another protected page, etc., they will be redirected to the login page defined in the security enforcer on the page.
If they try to run a server action after 1440s of inactivity, it won't run and will return an unauthorized error.

I don’t understand your last post Teodor! 🙁

Can you explain it another way please?

Thank you! 🙂

Antony,
In your case your users will be logged out after 1440s of inactivity. Don’t know how to explain in another way.

Okay, that is clear, thank you!

So the key question now is:

What should I change so that they are logged out after 28,800 seconds of inactivity?

Do I just change session.cookie_lifetime and session.gc_maxlifetime to be 28,800?

Yes, you need to change session.gc_maxlifetime to 28800 in your php.ini

Should I change session.cookie_lifetime as well?

No.

Why not?

The default value of session.cookie_lifetime is 0 in php.ini
Also, you want to change the session timeout so you set it using session.gc_maxlifetime.
Please refer to PHP manual:
https://www.php.net/manual/en/session.configuration.php#ini.session.gc-maxlifetime
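
An explicit version of the inactivity timeout discussed above, added here as an example; it is not part of the original posts and not Wappler's own code. PHP's manual describes `session.gc_maxlifetime` as the age after which session data may be garbage-collected, and collection only runs with some probability on session start, so this code also records the time of the last request and rejects requests after 28800 seconds of inactivity. The function name `enforce_idle_timeout` and the `last_activity` session key are assumptions made for the example.

```php
<?php
// Added example (not Wappler code). enforce_idle_timeout() and the
// 'last_activity' key are hypothetical names chosen for illustration.

const IDLE_LIMIT = 28800; // 8 hours of inactivity, the value from the thread

// The two settings discussed in the thread, set at runtime instead of php.ini.
// Both must be set before session_start().
ini_set('session.gc_maxlifetime', (string) IDLE_LIMIT); // age after which session data may be collected
ini_set('session.cookie_lifetime', '0');                // 0 = cookie lasts until the browser is closed

/**
 * Returns true while the session is within the idle limit and refreshes
 * the timer; returns false and empties the session once the limit has passed.
 * Takes the session array and the clock as arguments so it can be tested
 * without a live session.
 */
function enforce_idle_timeout(array &$session, int $now, int $limit = IDLE_LIMIT): bool
{
    if (isset($session['last_activity'])
        && ($now - (int) $session['last_activity']) > $limit) {
        $session = [];                    // drop login data and everything else
        return false;
    }
    $session['last_activity'] = $now;     // every accepted request resets the timer
    return true;
}

session_start();

if (!enforce_idle_timeout($_SESSION, time())) {
    session_destroy();                    // remove the server-side session record
    http_response_code(401);              // same outcome as a failed restrict step
    exit('Unauthorized');
}

// Past this point the request is inside the idle window; the application's
// own login check still decides whether the user is authenticated.
```

Because the timestamp is refreshed on every accepted request, the window is measured from the last request the server handled, not from the moment of login.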

Thanks for your help Teodor, I’ll take a look at that! 🙂

Hello there @Teodor

Thanks for your help on this back in September… I’m finally getting around to implementing it!

Can you please clarify these questions for me…

  1. If I use the Remember option in the Login Action, will all my server actions still work even if there is no user activity for much more than 1440 seconds?

  2. If the answer to Question 1 is Yes, what value should I be putting in the Remember field?

Thanks!
Antony.

I think I already answered this question a few months back:

Just enter a value, for example 1 or use a checkbox on the page with a value of 1 where users can select whether to stay logged in or not, after their browser is closed.

Hi there Teodor…

Thanks for your response. Yes, you did answer the question, and you will recall that in the following posts I said that I did not understand the response that you have just re-posted.

So please, just to be clear, is the answer to my question 1 yes, or no?

Many thanks!
Antony.

Antony, check my reply please!

Hello again @Teodor

I’m really sorry, but I hope you can understand that your reply doesn’t make sense to me.

You often quite rightly ask on the forum here, “what do you want to achieve”… so let’s look at it in that way!

I want to implement a PHP login system which gives me the following functionality:

  1. If the user logs in and leaves the browser window open, all server actions will function correctly for the following 8 hours, even if the app is not used for several hours of time within the 8 hour time window.

  2. If the user logs out via a logout button I provide which does the Logout server action, they have to log in again.

  3. If the user closes the browser tab, then they have to log in again.

My question is:

What combination of

  • Remember field in the login server action
  • Setting of session.gc_maxlifetime variable in php.ini file
  • Any other setting

Should I use to achieve this?