On 07/12/2012 03:27 AM, Patrycja Suchomska wrote: The default MyPersistentLoginManager handles two types of logins: - "remember me" logins sets timed cookies valid for a configurable amount of time, see https://github.com/xwiki/xwiki-platform/blob/master/xwiki-platform-core/xwi… - session logins valid until the user closes the current browsing session (this used to mean "browser restart", but at least some browsers have a "restore previous session" behavior that can make it harder to kill a browsing session) Reading from the setMaxAge method, there's a configuration parameter that you can set to change the default session timeout. Specifically, edit WEB-INF/xwiki.cfg and add this line: xwiki.authentication.cookielife=0.02 That says how many days a login is valid, so 0.02 days is almost 30 minutes. Adjust according to your needs. The problem is that those cookies are set only when logging in explicitly, so if a user logs in and then actively browses the site, in 30 minutes he's going to be logged out, and this isn't what people want most of the time. If you dare modify the sources, then what would be needed to have a proper "inactive timeout" auto-logout, is to change com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.processLogin(SecurityRequestWrapper, HttpServletResponse, XWikiContext) so that it calls this.persistentLoginManager.rememberLogin(request, response, username, password) at the end of the if (this.persistentLoginManager != null) block. To remove the "session login" functionality, you should override login.vm to change the "remember me" checkbox into a hidden input that's always true. See http://platform.xwiki.org/xwiki/bin/view/DevGuide/Skins#HHowtooverrideaSkin for information on skin overrides. -- Sergiu Dumitriu http://purl.org/net/sergiu/