Session Timeout Setting Ignored

We have an application that is using the native Concrete users functionality to manage usernames, passwords & sessions. We have the inactivity logout setting set to 1800 seconds (30 minutes); however, Concrete seems to be ignoring that (i.e. our users are sometimes being logged out after as little as 5 minutes of inactivity). Has anyone else experienced this, and does anyone perhaps have a fix for it?

Hi @ESCOIT. Check and see if the server date & time are correct and syncing.

Thank you for the response. It appears that both the server and Concrete are set to the correct time zone and are reporting the same time so it doesn’t look like that’s the culprit.

I’ve experienced the same. The session timeout settings have never had an effect for us, on v8.x or v9.x.

These are the settings under System & Settings → Automated Logout → Automatically log out users who are inactive for {x} seconds or more.

My primary goal is to extend the session to 2+ hours.

Well it’s good to know that it’s not just us. Hopefully someone here will have a solution for us both!

Hi @ESCOIT - this might be due to IP fixation. Users these days sometimes have shifting IP addresses for a variety of reasons - or you might have your site behind caching like CloudFlare or CloudFront and that can also shift IPs for the same user session, causing the session to terminate.

Naturally disabling IP fixation is essentially disabling a security feature, but in a pinch it will probably do the trick:

Located here:

If you’re using CloudFront, we have a package here that can help stay up to date on the CloudFront IPs so you wouldn’t need to disable IP fixation in theory:

Hope that helps!
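A minimal model of the behaviour described in the reply above, as an added example that is not part of the original thread and not Concrete CMS's own code: a session bound to the client IP is dropped when requests arrive from changing proxy addresses, unless the proxy range is trusted so that the forwarded client address is used instead. All addresses, the `TRUSTED_PROXIES` range and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample values (documentation address ranges), not taken from the thread.
TRUSTED_PROXIES = [ipaddress.ip_network("198.51.100.0/24")]  # assumed proxy/edge range

def client_ip(remote_addr, forwarded_for, trusted):
    """Return the address a session should be bound to.

    X-Forwarded-For is honoured only when the direct peer is a trusted proxy;
    from any other peer the header is client-controlled and is ignored.
    """
    peer = ipaddress.ip_address(remote_addr)
    if forwarded_for and any(peer in net for net in trusted):
        # Walk right to left and take the first hop that is not a trusted proxy.
        for hop in reversed([h.strip() for h in forwarded_for.split(",")]):
            try:
                addr = ipaddress.ip_address(hop)
            except ValueError:
                break  # malformed header: fall back to the peer address
            if not any(addr in net for net in trusted):
                return str(addr)
    return str(peer)

def replay(requests, trusted):
    """Return how many requests a session survives under an IP-binding check."""
    bound = None
    for n, (remote_addr, xff) in enumerate(requests):
        ip = client_ip(remote_addr, xff, trusted)
        if bound is None:
            bound = ip      # first request: bind the session to this address
        elif ip != bound:
            return n        # mismatch: session invalidated on request n
    return len(requests)

# One user (203.0.113.7) whose requests reach the server via different proxy nodes.
SAME_USER = [
    ("198.51.100.10", "203.0.113.7"),
    ("198.51.100.11", "203.0.113.7"),
    ("198.51.100.12", "203.0.113.7"),
]
# Second request comes from an untrusted peer that merely sends the same header value.
UNTRUSTED_PEER = [("198.51.100.10", "203.0.113.7"), ("192.0.2.66", "203.0.113.7")]

if __name__ == "__main__":
    print(replay(SAME_USER, []))                    # 1: dropped on the second request
    print(replay(SAME_USER, TRUSTED_PROXIES))       # 3: session survives
    print(replay(UNTRUSTED_PEER, TRUSTED_PROXIES))  # 1: header from untrusted peer ignored
```

The second result is why keeping the proxy address list current lets the IP check stay enabled, and the third shows the check still rejects a header from a peer outside that list.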

I would have never thought to look at that, however, after making the change it does indeed seem to have fixed the problem! We don’t use CloudFlare or CloudFront but we do use SiteLock which I think does something similar. Thank you so much for the tip!

In my instance, there are no inbound or outbound proxies like Cloudflare.

To add some context, we are using custom session variables set in a controller, and those are losing their value prior to what is set in System & Settings → Login & Registration → Automated Logout.

I’ve gone so far as to try to override config values session.max_lifetime and session.cookie.cookie_lifetime, but no luck.