stormtigers That's a good question. Files Gallery uses PHP sessions to handle logins, and they work in a specific way, depending on several factors, including your own PHP settings. I was looking into this while working on the pending new release, so I will write some notes here.
How PHP sessions work:
- By default, PHP assigns a session cookie in browsers which lasts until the browser "window" closes.
- By default, PHP stores the session on the server and assigns it a lifetime of 1440 seconds (24 minutes).
- Once the session lifetime ends, the session may (or may not) get deleted on the server, depending on the server session garbage collection interval and probability.
In conclusion, this generally means that the user will get logged out if:
1. The user closes the browser window.
2. The user has been logged in for longer than 24 minutes.
Just to comment further on #2: The user could remain logged in for longer than 24 minutes, depending on garbage collection interval, and if there are other PHP apps using sessions. In general however, it means the user "could" get logged out after 24 minutes, regardless of activity. Read more about this here:
https://stackoverflow.com/questions/1236374/session-timeouts-in-php-best-practices/1236583#1236583
How to increase login timeout from your server PHP config options
Increase the PHP options session.gc_maxlifetime and session.cookie_lifetime on your server. The first option will essentially increase the time the session will get stored on the server, and the latter will assign a specific "cookie" time in the browser (which means the session may also extend after the window closes and is re-opened). See this post:
https://stackoverflow.com/questions/8311320/how-to-change-the-session-timeout-in-php
Can't we increase login timeout directly from Files Gallery?
I have been looking into this while working with the new pending release, but it's quite difficult to manage this directly from Files Gallery. Not only are PHP sessions related to security, but they also inherit PHP config options specifically assigned on your server. Attempting to override your default server behavior from Files Gallery is a bit "dodgy".
In the pending new release, I have added a few lines of code, which may help to increase login time. However, the lines are commented out by default, because it's not safe to assume it's appropriate for the admin or server. I haven't been able to try them properly, because it depends on the server, but they might be useful:
```php
// un-comment below to increase login session cookie lifetime to 24 hours (or change it)
session_set_cookie_params(86400); // seconds = 24 hours
// un-comment below to attempt to extend session timeout in browser and server
setcookie(session_name(), session_id(), time() + 3600); // default 0, means logout on browser session (window close)
ini_set('session.gc_maxlifetime', '3600'); // default '1440'
// un-comment the below to extend session cookie lifetime on each ping, if you are being logged out prematurely
setcookie(session_name(), session_id(), time() + 3600); // 3600 seconds / 1 hour (becomes arbitrary)
```
Why isn't login timeout extended on user activity?
This is a good question, which I was also asking. Sometimes it is, but mostly it isn't. This seems to stem from the fact that PHP sessions are created to be secure, and if a session time of 24 minutes is set, it means the user should/could be signed out after that amount of time. This was asked and discussed in another post here:
https://stackoverflow.com/questions/3791667/php-sessions-not-extending-cookie-expiration-on-each-request
In conclusion, login timeout is managed on your server by PHP sessions, which we can't easily or securely modify dynamically from Files Gallery. Your best bet is to: