the session in my roundcube never expired after logged in, nothing happened after the expire time. Next is my setting in main.inc.php.
$rcmail_config['keep_alive'] = 300;
$rcmail_config['min_keep_alive'] = 60;
$rcmail_config['session_lifetime'] = 10;
Is there something wrong in the setting? What should i do with it?
#1 - session_lifetime should be greater than keep_alive/60 ... your is equal
#2 - normally the session does not expire because the keep_alive request is sended before the session expires.
thanks for reply.
but in my setting keep_alive/60 is 5, less than session_lifetime
I'm also having the same problem. I installed Roundcube 0.3.1 and my Session never Expired. So, after i installed Roundcube 0.2 stable surprisingly this session is also not Expired .:o
I'm not changed the Config on both 0.3.1 and 0.2:
$rcmail_config['session_lifetime'] = 10;
$rcmail_config['min_keep_alive'] = 60;
$rcmail_config['keep_alive'] = 60;
I've tried the [PATCH] Add option to avoid un-necessary updates to the session table.
But no use at all,
Finally, I saw the session table in the Database which keep's updating 'Changed' field (every 1 min). I think that's why the session never expired.:(
Please open a ticket @ trac.roundcube.net.
IMO, the current behavior is not what admins/users expect. The session will never time out due to check recent requests. I think automatically fired requests should not renew the session.
Here is a small plugin which should do the job. There is one disadvantage I can't solve. If check for recent messages is triggered manually then it does not be considered as a human activity. There is no way I see to detect a difference between automatically fired and manually fired check recent requests.
Just create a folder 'session_timeout' in plugins dir and save the code in there as session_timeout.php. Don't miss to register the plugin.
/**
* Session timeout on human inactivity
*
* @version 1.0 - 22.02.2010
* @author Roland 'rosali' Liebl
* @website http://myroundcube.googlecode.com
* @licence GNU GPL
*
**/
/**
* Usage: http://mail4us.net/myroundcube/
*
**/
class session_timeout extends rcube_plugin
{
public $task = '?(?!login|logout).*';
function init()
{
$this->add_hook('startup', array($this, 'startup'));
}
function startup($args)
{
$rcmail = rcmail::get_instance();
if($args['action'] == "keep-alive" || $args['action'] == 'check-recent'){
if(!empty($_SESSION['keep_alive']) && ((time() - $_SESSION['keep_alive']) / 60) > $rcmail->config->get('session_lifetime')){
rcube_sess_destroy(session_id());
$rcmail->output->redirect(array('_task' => 'logout'));
}
}
else{
$_SESSION['keep_alive'] = time();
}
return $args;
}
}
?>
Should we make it have a user option to enable/disable this plugin?