Option to end login session after idle x amount of time

scottws · May 05, 2008, 10:51:30 AM

A user recently complained about a feature he found lacking with SMF... the ability to log in and browse and terminate the log-in session by browsing away (instead of clicking Logout).

Basically what he wants to do is be able to log in, browse the site, then leave and never click the Logout link, yet be forced to log in again when he comes back.

Basically, in his mind it should be like this:

Instead of choosing minutes to stay logged in or forever, there should just be a checkbox to remember the login state. If checked, it would behave like the current "Forever" setting. If unchecked, it would allow him to browse the site and then after a certain period of session inactivity, he would in effect be logged out automatically forcing another login the next time he comes to visit.

I understand what he's referring to and this is the more common implementation of login at other sites and forums. I do think this is a better alternative to what SMF currently has for users who do not wish to use the "Forever" setting.

青山素子 · May 05, 2008, 03:36:34 PM

The thing is, with tabbed browsing it becomes a bit more difficult to track. If you browse away in one tab, and have some kind of javascript (and the user has JS enabled), you've just prematurely logged them out.

The real simple solution is to set the time you wish to stay logged in when doing the login instead of "forever".

scottws · May 05, 2008, 04:56:08 PM

If the Javascript tells the site to log out when navigating away, then yes I could see how that's a problem.

However, a huge majority of sites are a simple Remember-Login-Or-Don't checkbox and they seem to work fine with tabbed browsing.

There has to be some way to implement this. Some sort of idle session for x minutes thing.

Eliana Tamerin · May 05, 2008, 05:01:24 PM

Quote from: scottws on May 05, 2008, 04:56:08 PM
There has to be some way to implement this. Some sort of idle session for x minutes thing.

Isn't that what's available now? Only now you can select what specific length to log out with.

I love to use that for days when I have to use a certain computer that's no my own, I can just log in for the day. Otherwise, I can log in for an hour on a public computer, and forever on my own computer.

You could always make the selection of it easier, alter the layout of it and such with a bit of HTML experience. But it won't really change how the function works.

scottws · May 05, 2008, 05:17:13 PM

No, it's not really the same as what's available because as far as I know, if you select hour and are using it past one hour, you'll be logged out and have to log back in.

Other sites let you stay logged in as long as you wish, and then log you out at after some unspecified amount of time has passed since you last did something on the site.

青山素子 · May 05, 2008, 06:28:07 PM

Quote from: scottws on May 05, 2008, 05:17:13 PM
No, it's not really the same as what's available because as far as I know, if you select hour and are using it past one hour, you'll be logged out and have to log back in.

Other sites let you stay logged in as long as you wish, and then log you out at after some unspecified amount of time has passed since you last did something on the site.

Actually, the one hour part should be that. It's the timeout value. If you say "60 minutes" then you should be logged out after 60 minutes of not doing anything. If that isn't the case either I'm mistaken (it happens), is some quirk with your install, or is a bug and should be fixed.

Aleksi "Lex" Kilpinen · May 06, 2008, 05:34:04 AM

Quote from: Motoko-chan on May 05, 2008, 06:28:07 PM
Actually, the one hour part should be that. It's the timeout value. If you say "60 minutes" then you should be logged out after 60 minutes of not doing anything. If that isn't the case either I'm mistaken (it happens), is some quirk with your install, or is a bug and should be fixed.

I've actually used this very little, but seem to recall that I've had the board throwing me out after the set time limit from login, not from last action. I can be wrong ofcourse, and should pobably try if this really still happens....

EDIT:
Actually just tested. Logged in for 2 minutes, and kept on moving from thread to thread, and after the 2 minute mark it threw me out.

metallica48423 · May 06, 2008, 02:28:22 PM

to do it the other way, though, wouldn't you need to re-set the cookie on every action?

Aleksi "Lex" Kilpinen · May 06, 2008, 02:34:22 PM

Propably.

RustyBarnacle · May 06, 2008, 02:36:01 PM

The current way of doing things was a real pain in the but with the bridged portal we used to use as people couldnt set the time themselves. They were punted after an hour I think with no option to change it.

Then we switched to TP and having the option back is great, but having the inactivity logout would have been better before the switch.

scottws · May 06, 2008, 03:04:15 PM

Quote from: metallica48423 on May 06, 2008, 02:28:22 PM
to do it the other way, though, wouldn't you need to re-set the cookie on every action?

No idea. How does every other site on the Internet do it?

Thantos · May 07, 2008, 01:19:02 PM

The closest method I can think of to do this is to tie the validity of the cookie with the session expiration. So when the session expires the login cookie is no longer valid and the user must log in again.

Really though I don't see any problem with the current setup. It might be nice to allow cookies that expire on browser closing though.

News:

Option to end login session after idle x amount of time