On 07/12/2012 03:27 AM, Patrycja Suchomska wrote:
Dear XWiki Users,
I've got a question regarding automatic logout after a certain amount
of time. In this thread I've learned that I need to change
MyPersistentLoginManager.java to enable auto logout:
http://lists.xwiki.org/pipermail/users/2011-December/021368.html
The problem is that it is located in xwiki-platform-oldcore, so I
presume it is deprecated?
https://github.com/xwiki/xwiki-platform/blob/master/xwiki-platform-core/xwi…
In the current Xwiki HEAD I've found these XML files, but I couldn't
find anything related to auto-logout. AFAIK it is not documented yet.
https://github.com/xwiki/xwiki-platform/tree/master/xwiki-platform-core/xwi…
Any suggestions, what should I do? Changing session-timeout in
WEB-INF/web.xml doesn't help.
Any help will be appreciated.
The default MyPersistentLoginManager handles two types of logins:
- "remember me" logins sets timed cookies valid for a configurable
amount of time, see
https://github.com/xwiki/xwiki-platform/blob/master/xwiki-platform-core/xwi…
- session logins valid until the user closes the current browsing
session (this used to mean "browser restart", but at least some browsers
have a "restore previous session" behavior that can make it harder to
kill a browsing session)
Reading from the setMaxAge method, there's a configuration parameter
that you can set to change the default session timeout. Specifically,
edit WEB-INF/xwiki.cfg and add this line:
xwiki.authentication.cookielife=0.02
That says how many days a login is valid, so 0.02 days is almost 30
minutes. Adjust according to your needs.
The problem is that those cookies are set only when logging in
explicitly, so if a user logs in and then actively browses the site, in
30 minutes he's going to be logged out, and this isn't what people want
most of the time.
If you dare modify the sources, then what would be needed to have a
proper "inactive timeout" auto-logout, is to change
com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.processLogin(SecurityRequestWrapper,
HttpServletResponse, XWikiContext) so that it calls
this.persistentLoginManager.rememberLogin(request, response, username,
password) at the end of the if (this.persistentLoginManager != null) block.
To remove the "session login" functionality, you should override
login.vm to change the "remember me" checkbox into a hidden input that's
always true. See
http://platform.xwiki.org/xwiki/bin/view/DevGuide/Skins#HHowtooverrideaSkin
for information on skin overrides.
--
Sergiu Dumitriu
http://purl.org/net/sergiu/