User session timeout

Hi all,

I would like to install a user session timeout but could not figure
out how to do it.

A post, in 2003 at
http://lists.fsck.com/pipermail/rt-users/2003-November/018798.html,
points to the SetupSessionCookie file
(share/html/Elements/SetupSessionCookie) but how do you refresh the
cookie at each request?

Thanks,
Thierry Thelliez

just comment “if ( !$cookies{$cookiename} ) {” and closing “}”, then
clean mason cache and it should work.On 10/25/07, Thierry Thelliez thierry.thelliez.tech@gmail.com wrote:

Hi all,

I would like to install a user session timeout but could not figure
out how to do it.

A post, in 2003 at
http://lists.fsck.com/pipermail/rt-users/2003-November/018798.html,
points to the SetupSessionCookie file
(share/html/Elements/SetupSessionCookie) but how do you refresh the
cookie at each request?

Thanks,
Thierry Thelliez


http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users

SAVE THOUSANDS OF DOLLARS ON RT SUPPORT:

If you sign up for a new RT support contract before December 31, we’ll take
up to 20 percent off the price. This sale won’t last long, so get in touch today.
Email us at sales@bestpractical.com or call us at +1 617 812 0745.

Community help: http://wiki.bestpractical.com
Commercial support: sales@bestpractical.com

Discover RT’s hidden secrets with RT Essentials from O’Reilly Media.
Buy a copy at http://rtbook.bestpractical.com

Best regards, Ruslan.

Thanks.

One more question: would you know how to set the length of the
timeout? I need 30 minutes.

ThierryOn 10/24/07, Ruslan Zakirov ruz@bestpractical.com wrote:

just comment “if ( !$cookies{$cookiename} ) {” and closing “}”, then
clean mason cache and it should work.

Although this is a super old posting, I add this because I was looking for an answer here too. Unfortunately this setting is still not easily configurable in the global config and in general quite confusing.

In RT 4.4.4 you have to edit (untested for this file: or copy it as a local override to /opt/rt/local/html/Elements/SetupSessionCookie):

/opt/rt/share/html/Elements/SetupSessionCookie

And add this below $SessionCookie => undef

$Expires => ‘+8h’

This will set your session timeout to 8h. But be aware, RT doesn’t reflect that in the browser cookies expiry time, these are good as long as the browser is open. You have to run a regular cron job, to actually clean up expired sessions:

/opt/rt/sbin/rt-clean-sessions --older 1H

This command will clean up all sessions that haven’t been used in more than 1h past the expiry date (8h as set above). It won’t affect sessions that are actively used.

This concept is a little weird, as rt-clean-sessions without the --older options doesn’t do anything, and as far as I can tell from tests, the lowest older time you can use, is 1 hour (1H).

Does the config option for AutoLogoff accomplish this?
https://docs.bestpractical.com/rt/4.4.4/RT_Config.html#AutoLogoff

1 Like

I checked the code and seems like this might do the job a little easier.

The rt-clean-sessions cronjob is still needed or is cleanup done on every user action?

Too bad googling for Session timeout doesn’t bringt it up. May be putting a link in the wiki on related pages will help?

I’ll test it and create a wiki page, so it’s easier to find searching for terms like “session timeout”.

PS: Thanks knation, that was a quick reply. :slight_smile: Sometimes posting in old threads obviously helps to clear things up. That’s a positive new experience for me.

Glad to help!

The rt-clean-sessions cronjob is still needed or is cleanup done on every user action?

I looked at the code very quick and it looks like the old session will still be stored in the database but the user will still be required to create a new session by loggin in again

if ( $last_update && ( $now - $last_update - RT->Config->Get('AutoLogoff') ) > 0 ) {
            InstantiateNewSession();
 }

So yes, I do believe you need to clean out your sessions table in the DB. But just to remove clutter not to ensure the user is properly logged out.

I’ll test it and create a wiki page, so it’s easier to find searching for terms like “session timeout”.

Definitely a good idea!

1 Like

AutoLogoff seems to do the job without the cronjob. Actually makes sense, when it’s called AutoLogoff.

Added a new wiki page at https://rt-wiki.bestpractical.com/wiki/SessionTimeout

1 Like