
Admin Session Lifetime


jayps


Hi there,

 

This topic has been addressed here, but the thread just kind of died...

https://requests.whmcs.com/responses/force-client-admin-logout-after-a-set-period-of-time

 

Does anyone know of a way - aside from modifying php.ini or .htaccess - to set the WHMCS Admin session lifetime? For example, if a user is logged in but inactive for a certain period of time OR the user closes their browser and goes to WHMCS Admin area again, they must be logged out and forced to log in again.

This holds some obvious benefits for security and provides some peace of mind.

A good example of this functionality in action would be Joomla. The default session lifetime is 15 mins (adjustable, of course) and if I am inactive for that time period or I close my browser, I am logged out and I have to log back in.

I can't seem to access the link in the forum post I mentioned above, so does anyone know if this feature has been or will be implemented?


  • 1 month later...

I found a solution that has been working for me on 5.3.x and I am now testing it on version 6 and it seems to be working there too. I have been able to walk away from my computer for 3-4 days and come back and click a link and I am still logged in.

 

I will gladly provide the code if anyone wants it. Here are the basics of what you have to do.

Create a small 1px by 1px transparent gif and save it. Write a simple small php file that starts with a header saying that it is outputting a gif, like header("Content-Type: image/gif"); this file is only about 6 lines long, pretty simple. Then...

I am using the v4 template so, in the /admin/templates/v4/ directory you will find head.js and header.tpl.

 

Immediately after the body tag in header.tpl, put in an image tag with the src= your php file you created above. Then in head.js add this inside the document.ready just above the closing });

window.setInterval(renewSession, 60000);

Then just below the closing }); of the document ready add the renewSession function

 

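function renewSession() {
   // The <img> added to header.tpl needs id="renewSession" for this lookup to work.
   // The random query value only defeats caching, so every call reaches the server.
   document.getElementById('renewSession').src = '/sessionrenew.php?xyz=' + (Math.floor(Math.random() * (999999 - 1)) + 1);
}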

The way this works is, when the page is first loaded, the php file, which outputs like a gif, is output to the browser. It is invisible. Then when the entire doc is loaded, the document.ready function starts the interval timer, which fires every 60 seconds, calling the php file, which keeps loading that gif. That is all that is needed to keep the session alive.

Along with that, I edited the php.ini for the site and set session.gc_maxlifetime = 9600, which is probably overkill, and this may not have been necessary, but I did it anyway because it keeps the client area from timing out so easily. It still dies when the user closes their browser.

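And just in case you need it, here is the sessionrenew.php script

<?php
// Keep-alive endpoint: resume the session named in the request cookies, then send a 1x1 gif.
// The closing tag is left out so blank lines at the end of the file cannot corrupt the image.
foreach ($_COOKIE as $cookie => $value) {
   // Match cookies whose name begins with "WHMCS" and is at least 13 characters long
   if (stripos($cookie, 'WHMCS') === 0 and strlen($cookie) >= 13) {
       session_name($cookie);
       if(!session_id()) {
           session_start();
       }
       break; // stop at the first match: the session name cannot change once a session is active
   }
}
header("Content-Type: image/gif");
readfile($_SERVER['DOCUMENT_ROOT'] . '/images/spacer.gif');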
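For the behaviour asked about in the first post (forced logout after inactivity, without relying on php.ini or .htaccess), the following is an added example, not code from either poster and not WHMCS code. It enforces an idle limit and an absolute limit from timestamps kept in `$_SESSION`, and treats a background ping such as the 60-second image reload above as a request that never resets the idle clock. The function names, session keys, limits and the login URL are all assumptions.

```php
<?php
// Added example: idle and absolute session limits enforced in application code.
// Every name and limit below is an assumption, not a WHMCS setting or API.
const IDLE_LIMIT = 900;        // seconds without a real request (15 minutes)
const ABSOLUTE_LIMIT = 28800;  // seconds since login, however active (8 hours)

// Pure check, so it can be exercised without a live session.
// $isKeepAlive marks background pings (a timer reloading an image, say);
// they are validated but never reset the idle clock.
function check_session(array &$s, int $now, bool $isKeepAlive = false): bool
{
    if (!isset($s['created_at'], $s['last_activity'])) {
        return false;                          // not logged in
    }
    if ($now - $s['created_at'] > ABSOLUTE_LIMIT) {
        return false;                          // too old, even if busy
    }
    if ($now - $s['last_activity'] > IDLE_LIMIT) {
        return false;                          // idle too long
    }
    if (!$isKeepAlive) {
        $s['last_activity'] = $now;            // only real requests count
    }
    return true;
}

// Call once, after the password check succeeds.
function start_login_session(int $now): void
{
    // lifetime 0: a session cookie with no expiry date, sent over HTTPS only
    session_set_cookie_params(['lifetime' => 0, 'secure' => true,
                               'httponly' => true, 'samesite' => 'Lax']);
    session_start();
    session_regenerate_id(true);               // fresh session id at login
    $_SESSION['created_at'] = $_SESSION['last_activity'] = $now;
}

// Call at the top of every protected page (pass true from a ping endpoint).
function require_live_session(bool $isKeepAlive = false): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!check_session($_SESSION, time(), $isKeepAlive)) {
        $_SESSION = [];
        session_destroy();
        header('Location: /login.php');        // hypothetical login URL
        exit;
    }
}
```

Keep session.gc_maxlifetime no lower than IDLE_LIMIT, otherwise PHP may discard the session data before this check gets to decide.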
