Roundcube Community Forum

 

How to expire session after x minutes

Started by digennaik, September 20, 2013, 08:46:59 AM


digennaik

Dear all,

We are running Roundcube 0.9.1 Stable on Red Hat Enterprise Linux Server release 6.1 (Santiago) with PHP 5.3.3 and Apache/2.2.15.

For security reasons (users forgetting to log out of their email account), we would like to have Roundcube log out the user after a period of x minutes of inactivity.

As per an old thread in this forum, it has been mentioned that this behavior is not possible. The thread is located at http://www.roundcubeforum.net/index.php?topic=9507.0

I've tried setting the 'session_lifetime' to the number of minutes we want after which the user has to log out due to session expiry, but that hasn't helped.

Can anyone point me in the right direction in order to achieve this? Any input is much appreciated.

digennaik

Dear all,

In order to achieve this, we've tried the following.

Added the following in config/main.inc.php at the very end of the file:

$rcmail_config['session_lifetime'] = 1;

The above directive did not exist by default in the Roundcube version we're using. Sadly, this hasn't helped.

We are sure there must be a way to auto-timeout the session, primarily for security reasons. With the default functionality, the session of the user never times out, i.e. the user never gets logged out from the Webmail, which we believe is a huge potential security risk.

Does anyone have any suggestions to achieve this, or has anyone implemented this through a plugin (we tried finding out, but to no avail)?

ABerglund

Have you checked how often the users have their Inbox refresh set? I.e., if they are checking for new messages once per minute, the session is refreshed at that check.

If you set the minimum refresh time to say, 15 minutes, and the session to 10, would that work?

Arne Berglund
SysAdmin, Internet Services
Lane Education Service District
Eugene, OR, USA

alec

That would not work, at least not in git-master version. I'd try with session_lifetime=0 and refresh_interval>120
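
A simplified model of the effect discussed in this thread, where a periodic mailbox check renews the session so that an inactivity timeout never fires, next to an idle timer that counts only user-initiated requests. This is an added example, not part of the thread and not Roundcube's code; the class, the function names and the timings are assumptions chosen for illustration.

```python
from dataclasses import dataclass


@dataclass
class Session:
    lifetime: int              # allowed inactivity, in seconds
    last_seen: int = 0         # renewed by ANY request (sliding expiry)
    last_user_action: int = 0  # renewed only by user-initiated requests

    def request(self, now, user_initiated, idle_aware):
        """Serve a request at time `now`; return False if the session expired."""
        # Naive mode measures idleness from the last request of any kind,
        # so a background poll keeps the session alive indefinitely.
        # Idle-aware mode measures it from the last real user action.
        reference = self.last_user_action if idle_aware else self.last_seen
        if now - reference > self.lifetime:
            return False
        self.last_seen = now
        if user_initiated:
            self.last_user_action = now
        return True


def simulate(lifetime, poll_interval, walk_away_at, duration, idle_aware):
    """Model one browser tab left open.

    The user acts on every tick until `walk_away_at`; after that only the
    automatic mailbox check fires, every `poll_interval` seconds.
    Returns the time at which the server rejects the session, or None if
    the session is still valid after `duration` seconds.
    """
    session = Session(lifetime)
    for now in range(0, duration + 1, poll_interval):
        user = now <= walk_away_at
        if not session.request(now, user_initiated=user, idle_aware=idle_aware):
            return now
    return None


if __name__ == "__main__":
    # Constructed scenario: 10-minute timeout, mailbox check every minute,
    # user walks away after 5 minutes, tab stays open for an hour.
    print("naive sliding expiry:", simulate(600, 60, 300, 3600, idle_aware=False))
    print("idle-aware expiry:   ", simulate(600, 60, 300, 3600, idle_aware=True))
```
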