Session Timeout & Remember Me
There are two settings in LiquidFiles that control how long a user can stay logged in for — Session Timeout & Remember Me.
A session in a browser sense is what keeps the user logged into the site. When a user visits the LiquidFiles front page (any page really), a session cookie will be set if one isn't already set that will uniquely identifiy this browser for the rest of the session. If we don't configure any timeouts, the session cookie will be kept by the browser until the browser application shuts down or is terminated.
You can easily test this by logging into LiquidFiles, shutdown your browser and next time you access LiquidFiles, you will be asked to login again.
If we want to be able to stay logged in between browser sessions, even if the browser restarts, there's also the Remember me function:
If the user ticks the checkbox for "Remember Me" when logging in, a persistent cookie is set by LiquidFiles that will have a lifetime of 2 weeks on default. This means that for the next 2 weeks, whenever this browser visits LiquidFiles, the browser will be automatically logged in.
The way to test this is to login to LiquidFiles with Remember me checked, restart the browser (without logging out) and when you access LiquidFiles again, you will still be logged in.
Logout
When you logout, what will happen is that any session and persistent cookie will be deleted and this browser will be logged out, both from the current session and any Remember me cookies.
Configuring Session Timeout
You can configure a Session Timeout in Admin → Configuration → Settings:
The way that the session timeout works is that it will log a user our after this many minutes of inactivity. The default value is 60 minutes.
When uploading a file, this counts as "being active" so uploading a file that takes 4 hours will still work and won't log the user out until 60 minutes after the 4h upload (assuming no other activity after the upload).
Downloading a file does not count as "being active". This is because the download is handled directly by the web server and does not need any interaction after it's started. So if a user initiates a download that takes 4h to complete and they browse to a different page after 2h (with a 60 minute session timeout), they will be logged out and have to login again. The download will continue uninterrupted regardless if the user stays logged in or not.
Configuring Remember Me
If you look at the screenshot above, you can also see the Remember Me configuration. It has 3 values:
- Disable: Don't enable the "Remember Me" checkbox.
- Enable for 2 weeks: Enable the "Remember Me" checkbox and when a user selects it during login, a permanent cookie will be set with lifetime of two weeks.
- Enable with No Limit: Enable the "Remember Me" checkbox and when a user selects it during login, a permanent cookie will be set with no expiration.
Please note that the two week life time is two weeks from when that particular login happened. After two weeks it will expire, regardless of activity during those two weeks.
Why Doesn't Session Timeout Override Remember me?
If a user has enabled Remember Me when they login, the session timeout will be disabled.
Some people assume the opposite and that if you set a Session Timeout, it should logout the user regardless of Remember Me after the session has expired.
The reason why Remember Me overrides the Session Timeout is that if it was the other way, the Remember Me cookie would not function at all. If what you want is to always require Session Timeout, you can disable the Remember me cookie but if you want to give the option to your users to be logged in beyond the current browser session, the Remember Me cookie must override the Session Timeout.
From a strict technical stand point, what would happen if both the session timeout was enabled and the user has logged in with the Remember me cookie enabled — when the session timed out, they would be redirected to the home page, which would see the Remember me cookie and log the user right back in again.
The default values tries to balance convenience with security that matches the requirement for most customers. In a typical company, your local users have personal PCs and other personal devices that have strong local security. The browser is then very protected inside the personal device. The computer is typically also always logged in to the corporate network with constant access to all available files in network shares and so on.
Permitting users to enable Remember me and stay logged in for long periods of time then makes sense and is similar in security to always being logged in to the corporate network.
For those situations when a user do login from an unsecured device, not selecting Remember Me and being logged out on default after an hour means that there's limited exposure should a user forget to log themselves out.