Logouts after ~60 Minutes

Hi Folks!

Several users complain about a sporadic sign-out of the session after about 60 minutes and have to re-enter the password to decrypt passwords in both the web GUI and the browser extension.

Version: 2.12
passbolt.php session config:
  // Session configuration.
  'Session' => [
      'defaults' => 'php',
      // Session timeout in minutes.
      'timeout' => 720,
      'ini' => [
          'session.gc_maxlifetime' => 43200,
          'session.cookie_lifetime' => 43200
      ]
  ],
Sessions
Browser Plugin Version: 2.12.2
Browsers affected: Chrome (latest) and Firefox (latest)

How can we debug that issue?
Thanks
Tobias

Hello,

From what I remember I think you also need to increase the gc_maxlifetime in php.ini:

Please note that if "remember until I log out" is selected, then the session will be kept active until the system gets in idle mode (think, screensaver is on) or the browser is closed or a manual logout is done.

Hi Remy,

thanks for your quick reply! gc_maxlifetime is set to 86400:
[root@passbolt ~]# grep gc_maxlifetime /etc/php.ini
session.gc_maxlifetime = 86400

Do you have more information on “idle mode”? Is it a browser function that resets the session lifetime/cookie and browser-dependent?

Thanks
Tobias

It is a functionality of passbolt, implemented to balance security / usability. It is not something you can deactivate I think. It’s been reported that some users do not want this behavior, so we’ll try to make it a setting in the future.

OK, thank you. When exactly will this “idle mode” be triggered? We have users reporting that they have to re-enter the password just a few minutes after they entered the password initially.

Thanks
Tobias

Hello Tobik,

  /**
   * Keep session alive if user's system is active for last 15 min
   * @returns void
   */
  this.keepAlive = function() {
    const idleInterval = 15 * 60; // detection interval in sec: 15 minutes
    browser.idle.queryState(idleInterval).then( async (idleState) => {
      if (idleState === 'active' && this._masterPassword !== null) {
        await UserService.keepSessionAlive(this);
      }
      this.setKeepAliveTimeout();
    });
  };

This is how the code works at the moment: it checks every 15 minutes if the browser is idle, using this browser functionality reserved for extensions, which returns "locked" if the system is locked, "idle" if the user has not generated any input for a specified number of seconds, or "active" otherwise.

So if there is no input, the extension will not try to keep the session alive, and will just let it timeout. So if you have a long session default normally you would need to fail several checks to get logged out.

Note also if the browser window is closed (even if the browser application is not closed) you will get logged out right away. Maybe there is an issue when people use multiple windows (as in instead of tabs) and close one, I will need to double check this.

We welcome your tests and feedback to fine tune the behavior.

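The keep-alive behaviour described in the last reply can be modelled offline, so that a reported logout time can be compared with the configured session timeout. This is an added example, not passbolt code and not part of the thread; it assumes the server expires a session a fixed number of minutes after the last request, and `simulateSession`, its parameters and the sample input times are hypothetical.

```javascript
// Constructed model of the keepAlive() loop quoted above; not passbolt code.
// Assumption: the server drops a session `timeoutMin` minutes after the last
// request it received, and each keep-alive request resets that clock.
// The passphrase is assumed to stay remembered (_masterPassword !== null).
function simulateSession({ timeoutMin, inputsMin, horizonMin,
                           checkEveryMin = 15, idleWindowMin = 15 }) {
  let lastRequest = 0; // login at t = 0
  const log = [];
  for (let t = checkEveryMin; t <= horizonMin; t += checkEveryMin) {
    if (t - lastRequest >= timeoutMin) {
      // The session was already gone before this check could refresh it.
      return { expiredAt: lastRequest + timeoutMin, log };
    }
    // Stand-in for browser.idle.queryState(): 'active' when some input
    // happened within the last idleWindowMin minutes.
    const active = inputsMin.some((i) => i <= t && t - i < idleWindowMin);
    log.push({ t, state: active ? 'active' : 'idle' });
    if (active) lastRequest = t; // keepSessionAlive() reaches the server
  }
  const expiry = lastRequest + timeoutMin;
  return { expiredAt: expiry <= horizonMin ? expiry : null, log };
}

// Constructed sample: user input at minutes 5, 20 and 40, then none.
const SAMPLE_INPUTS_MIN = [5, 20, 40];

// Timeout of 720 minutes, as in the passbolt.php shown in the first post.
const configured = simulateSession(
  { timeoutMin: 720, inputsMin: SAMPLE_INPUTS_MIN, horizonMin: 240 });

// Hypothetical effective timeout of 60 minutes, for comparison.
const shortTimeout = simulateSession(
  { timeoutMin: 60, inputsMin: SAMPLE_INPUTS_MIN, horizonMin: 240 });

console.log('720 min timeout, expired at:', configured.expiredAt);
console.log(' 60 min timeout, expired at:', shortTimeout.expiredAt);
console.log('checks:', shortTimeout.log.map((c) => `${c.t}:${c.state}`).join(' '));
```

In this model a 720-minute timeout survives 48 consecutive idle checks, so a logout near the 60-minute mark corresponds to a much shorter effective timeout than the one configured.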