Page 1 of 1
Secure Area Duration setting not honored?
Posted: Sat Jan 18, 2025 9:37 pm
by ztank
Hi, I am on HESK 3.5.2 and I have set the Secure Area Duration to 9 hours but I am being forced to retype my credentials either as an admin or an agent a lot earlier (15 minutes maybe?) probably for inactivity. Is there an option to avoid to be forcefully logged out for inactivity?
Thanks.
Re: Secure Area Duration setting not honored?
Posted: Sun Jan 19, 2025 8:50 am
by Klemen
Session timeout is controlled in PHP settings, not in Hesk.
You will need to modify your PHP configuration, most likely the session.gc_maxlifetime parameter. Also, check that session.cookie_lifetime is either 0 or equal to the gc_maxlifetime parameter.
You could try this hack to stay logged in:
viewtopic.php?t=5857
Or, keep help desk open on the "Tickets" (main) page, with the "Auto reload page" checked in the top right corner. The auto reload time can be set in your Profile > Edit Profile > Preferences tab.
Re: Secure Area Duration setting not honored?
Posted: Sun Jan 19, 2025 8:40 pm
by ztank
Hello @Klemen,
after your explanation I researched about session.gc_maxlifetime and session.cookie_lifetime params and found out that there are different places/files where they can be set.
I think that .htaccess is the best place for me and I added 2 lines to it:
Code: Select all
php_value session.gc_maxlifetime 86400
php_value session.cookie_lifetime 86400
Previously in the php.ini file they were 1440 (24 minutes) and 0 respectively.
I just tested it with shorter values (60 and 60) and my session expired after just 60 seconds of inactivity.
I expect to have a 1 day long of session if I use 86400 for both of them.
It looks a pretty clean approach to me.
Thoughts?
Thanks.
Edit:
It seems it is also necessary for me to add also this other line in .htaccess
Code: Select all
php_value session.cache_expire 86400
to have it successfully extend the session to 1 day.
Re: Secure Area Duration setting not honored?
Posted: Mon Jan 20, 2025 4:24 pm
by Klemen
If it works for you, that's fine. Just note that all the Hesk sessions will be 24 hours long, so if you have a lot of customers, it would mean a lot of temporary files on the server from their sessions.
It's probably not an issue unless you have thousands of daily users on low-end hardware, though.
Re: Secure Area Duration setting not honored?
Posted: Sat Jan 25, 2025 8:52 am
by ztank
Actually It does not seem to work...
I have been trying to extend the session duration with no success.
I have these 3 lines in my .htaccess which is sitting in the same path where HESK 3.5.2 installation lives
Code: Select all
php_value session.gc_maxlifetime 172800
php_value session.cookie_lifetime 172800
php_value session.cache_expire 172800
but nothing... I keep being kicked out of my sessions both as an admin or an agent, both in firefox and forefox incogninto .
Here's the phpinfo() output session section:
Anything else I can try within php.ini fine tuning besides the suggestion you already gave with the refresh.php trick?
Thanks
Re: Secure Area Duration setting not honored?
Posted: Sat Jan 25, 2025 9:05 am
by Klemen
This looks good to me.
I would try with the refres.php next if this doesn't work.
Re: Secure Area Duration setting not honored?
Posted: Sat Jan 25, 2025 9:19 am
by ztank
Wouldn't it the refresh.php trick extend the session indefinitely?
I don't want it to happen, just would like to make it a little longer than the default 1440 (24 minutes). That's my goal.
Thanks.
Re: Secure Area Duration setting not honored?
Posted: Sat Jan 25, 2025 10:33 am
by Klemen
No, the refresh.php trick would extend the session only for as long as your browser is open. If you close the browser (Hesk), it has no effect.