Session Timeout & Remember Me
Overview
There are several settings in LiquidFiles that control how long a user can stay logged in. They are configured in Admin → Configuration → Settings → User & Password.
A session, in the browser sense, is what keeps the user logged in to the site. When a user visits any LiquidFiles page, a session cookie is set (if one isn't set already) that uniquely identifies this browser for the rest of the session. If no timeouts are configured, the browser keeps the session cookie until the browser application shuts down or is terminated.
You can easily test this: log in to LiquidFiles, shut down your browser, and the next time you access LiquidFiles you will be asked to log in again.
If we want to be able to stay logged in between browser sessions, even if the browser restarts, there's also the Remember Me function:
If the user ticks the checkbox for "Remember Me" when logging in, a persistent cookie is set by LiquidFiles. This means that whenever this browser visits LiquidFiles within the configured expiration period, the browser will be automatically logged in.
The way to test this is to log in to LiquidFiles with Remember Me checked and restart the browser (without logging out); when you access LiquidFiles again, you will still be logged in.
Logout
When you log out, the session cookie and any persistent cookie are deleted, so this browser is logged out both from the current session and from any Remember Me cookie.
Session Timeout
You can configure the Session Timeout in Admin → Configuration → Settings → User & Password. The session timeout is an inactivity timeout — users will be logged out after this many minutes of inactivity. The default value is 360 minutes. Set to 0 for no timeout.
Uploading a file counts as "being active", so an upload that takes 4 hours will still work and will not log the user out until 360 minutes after the upload completes (assuming no other activity after the upload).
Downloading a file does not count as "being active", because the download is handled directly by the web server and needs no further interaction once it has started. So if a user initiates a download that takes 4h to complete and they browse to a different page after 2h (with a 360 minute session timeout), they will be logged out and have to log in again. The download continues uninterrupted regardless of whether the user stays logged in or not.
The Session Timeout also affects logins through Outlook Web. For technical reasons, Outlook Web requires persistent cookies as opposed to session cookies. If you set a timeout, the functionality is identical. If you set this to 0 for no timeout, the Outlook session will be set to a 7 day inactivity timeout.
Session Timeout Warning
When a session timeout is configured, users will see a warning popup 2 minutes before their session expires. The popup includes a countdown timer and an "I'm still here" button that extends the session without requiring the user to reload the page.
If the user does not interact with the warning, the session will expire and the popup will change to show that the session has expired. At this point, the page content is hidden behind an overlay to prevent any data from being visible on an unattended screen.
The session timeout warning only applies to regular session-based logins. Users who logged in with Remember Me (persistent cookies) will not see the warning, as their sessions have much longer expiration periods.
Re-authentication Window
The Re-authentication Window setting controls how long after a session expires users can re-authenticate directly from the expired session popup, without being redirected to the login page. This allows users to continue their work without losing any unsaved data, form inputs, or page state.
When a session expires and the re-authentication window is active, the popup will show a password field, a TOTP code field, or an SMS verification option depending on how the user is configured to authenticate:
- TOTP users: Users with TOTP (Time-based One-Time Password) configured will be prompted to enter their authentication code.
- SMS users: Users with SMS authentication configured will be able to request an SMS code and enter it to re-authenticate.
- Password users: All other users with a local password will be prompted to enter their password.
- SAML/SSO users: Users who authenticated via SAML or SSO cannot re-authenticate from the popup and will be redirected to the login page.
The default value is 120 minutes. Set to 0 to disable re-authentication entirely — users will always be redirected to the login page when their session expires.
If the re-authentication window expires (the user does not re-authenticate within the configured time), they will be shown a message that re-authentication is no longer available and will need to log in again from the login page.
Persistent Cookie Expiration (Remember Me)
The Persistent Cookie Expiration setting controls the Remember Me function. When a user selects Remember Me when logging in, a persistent cookie will be set to keep their browser logged in for this many days. If you set this to 0, users will not be able to use the Remember Me function. The default value is 7 days.
Please note that this is an inactivity timeout. If you set this to 7 days, a user who selects Remember Me will be logged out after 7 days of inactivity.
Session Limit
The Session Limit setting controls how many sessions a user can have active at any one time. By default, users are permitted 2 active sessions. This means a user can, for instance, be logged in from both their desktop and their phone at the same time. If a user tries to log in from a third device, the oldest session will be logged out.
Admin Session Timeout
The Admin Session Timeout requires admin users to re-authenticate before accessing admin pages. This is a separate timeout from the regular session timeout and provides an additional layer of security for administrative functions. Even if a user is still logged in with an active session or a Remember Me cookie, they will need to re-enter their password before they can access any admin pages. This protects against scenarios such as an unattended browser session being used to make administrative changes, or a compromised user session being escalated to admin access.
When the Admin Session Timeout triggers, the admin user will be presented with a re-authentication prompt:
The configuration for the Admin Session Timeout is available in Admin → Configuration → Settings as can be seen in the screenshot above, and has the following possible values:
- Blank: Disabled, no admin re-authentication required.
- 0: Re-authentication required once per session (never expires).
- Number: Re-authentication required after that many minutes of inactivity. The default is 30 minutes.
Why Doesn't Session Timeout Override Remember Me?
If a user has enabled Remember Me when they log in, the session timeout is disabled.
Some people assume the opposite: that if you set a Session Timeout, it should log the user out after the session has expired regardless of Remember Me.
The reason Remember Me overrides the Session Timeout is that, if it were the other way around, the Remember Me cookie would not function at all. If you want to always enforce the Session Timeout, set the Persistent Cookie Expiration to 0 to disable Remember Me. If you want to give your users the option to stay logged in beyond the current browser session, the Remember Me cookie must override the Session Timeout.
From a strict technical standpoint, this is what would happen if the session timeout were enforced and the user had logged in with Remember Me enabled: when the session timed out, they would be redirected to the home page, which would see the Remember Me cookie and log the user right back in again.
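To make the interaction of these settings concrete, here is a small Python model of the rules described in the Session Timeout, Persistent Cookie Expiration, Session Limit and Admin Session Timeout sections, including the Remember Me override just explained. It is an added illustration, not LiquidFiles' own code: the class and method names are assumptions, as is purging expired sessions at login; the numeric defaults are the ones stated on this page.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(eq=False)  # identity comparison: two sessions are never "the same" by value
class Session:
    device: str
    last_activity: int                    # simulated clock, in minutes
    remember_me: bool
    admin_activity: Optional[int] = None  # last admin re-authentication or admin page use


class User:
    def __init__(self, session_timeout_min=360, persistent_cookie_days=7,
                 session_limit=2, admin_timeout_min: Optional[int] = 30):
        # Page defaults: 0 timeout = none, 0 cookie days = no Remember Me, admin None = blank, 0 = once per session
        self.timeout, self.cookie_days = session_timeout_min, persistent_cookie_days
        self.limit, self.admin_timeout = session_limit, admin_timeout_min
        self.sessions: List[Session] = []

    def login(self, device: str, now: int, remember_me: bool = False) -> Session:
        self.sessions = [s for s in self.sessions if self.is_logged_in(s, now)]  # assumed purge
        while self.sessions and len(self.sessions) >= self.limit:
            self.sessions.pop(0)  # Session Limit: the oldest session is logged out
        sess = Session(device, now, remember_me)
        self.sessions.append(sess)
        return sess

    def activity(self, sess: Session, now: int) -> None:
        sess.last_activity = now  # page views and uploads count; downloads are never reported

    def is_logged_in(self, sess: Session, now: int) -> bool:
        if sess not in self.sessions:  # evicted by the Session Limit
            return False
        idle = now - sess.last_activity
        if sess.remember_me and self.cookie_days > 0:  # Remember Me overrides the Session Timeout
            return idle <= self.cookie_days * 24 * 60
        return self.timeout == 0 or idle <= self.timeout

    def admin_reauth(self, sess: Session, now: int) -> None:
        sess.admin_activity = now  # password re-entered on the admin prompt

    def can_access_admin(self, sess: Session, now: int) -> bool:
        if not self.is_logged_in(sess, now):
            return False
        if self.admin_timeout is None:  # blank: no admin re-authentication at all
            return True
        if sess.admin_activity is None:  # must re-authenticate at least once per session
            return False
        ok = self.admin_timeout == 0 or now - sess.admin_activity <= self.admin_timeout
        sess.admin_activity = now if ok else sess.admin_activity  # admin use resets the clock
        return ok
```

Running the scenarios from this page through the model (a 4-hour upload, a third device, an admin idle for more than 30 minutes) shows which timeout wins in each case.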
The default values try to balance convenience with security in a way that matches the requirements of most customers. In a typical company, local users have personal PCs and other personal devices with strong local security, so the browser is well protected inside the personal device. The computer is typically also always logged in to the corporate network, with constant access to all available files in network shares and so on.
Permitting users to enable Remember Me and stay logged in for long periods of time then makes sense, and is similar in security to always being logged in to the corporate network.
For those situations when a user does log in from an unsecured device, not selecting Remember Me and being logged out after 360 minutes of inactivity means there is limited exposure should the user forget to log out.