On 07/12/2012 03:27 AM, Patrycja Suchomska wrote:
Dear XWiki Users,

I've got a question regarding automatic logout after a certain amount
of time. In this thread I've learned that I need to change
MyPersistentLoginManager.java to enable auto logout:

The problem is that it is located in xwiki-platform-oldcore, so I
presume it is deprecated?

In the current Xwiki HEAD I've found these XML files, but I couldn't
find anything related to auto-logout. AFAIK it is not documented yet.

Any suggestions, what should I do? Changing session-timeout in
WEB-INF/web.xml doesn't help.

Any help will be appreciated.

The default MyPersistentLoginManager handles two types of logins:

- "remember me" logins sets timed cookies valid for a configurable amount of time, see https://github.com/xwiki/xwiki-platform/blob/master/xwiki-platform-core/xwiki-platform-oldcore/src/main/java/com/xpn/xwiki/user/impl/xwiki/MyPersistentLoginManager.java#L232

- session logins valid until the user closes the current browsing session (this used to mean "browser restart", but at least some browsers have a "restore previous session" behavior that can make it harder to kill a browsing session)

Reading from the setMaxAge method, there's a configuration parameter that you can set to change the default session timeout. Specifically, edit WEB-INF/xwiki.cfg and add this line:


That says how many days a login is valid, so 0.02 days is almost 30 minutes. Adjust according to your needs.

The problem is that those cookies are set only when logging in explicitly, so if a user logs in and then actively browses the site, in 30 minutes he's going to be logged out, and this isn't what people want most of the time.

If you dare modify the sources, then what would be needed to have a proper "inactive timeout" auto-logout, is to change com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.processLogin(SecurityRequestWrapper, HttpServletResponse, XWikiContext) so that it calls this.persistentLoginManager.rememberLogin(request, response, username, password) at the end of the if (this.persistentLoginManager != null) block.

To remove the "session login" functionality, you should override login.vm to change the "remember me" checkbox into a hidden input that's always true. See http://platform.xwiki.org/xwiki/bin/view/DevGuide/Skins#HHowtooverrideaSkin for information on skin overrides.
Sergiu Dumitriu

users mailing list

Reply via email to