Both the idle and absolute timeout values are highly dependent on how critical the web application and its data are. Common idle timeout ranges are 2-5 minutes for high-value applications and 15-30 minutes for low-risk applications.
When a session expires, the web application must take active actions to invalidate the session on both sides, client and server. The latter is the most relevant and mandatory from a security perspective.
We could change the session idle timeout to 1 hour or maybe even 30 min?
Sure, I'll change the default config value.
Updated. Feel free to change the default config value.
@diosmosis Looking at https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Session_Management_Cheat_Sheet.md#session-expiration
I'm also wondering, do we already have an absolute timeout implemented server-side?
I don't think we want both, otherwise some will complain that the session shouldn't just end while they're using it.
Maybe the absolute session timeout could be set to something like 3 months?
Would then happen max 4 times a year. Any shorter absolute value would be annoying indeed.
This PR implements an idle timeout, not an absolute one (the saved start time of the session is updated on each request).
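The idle-versus-absolute distinction discussed above, as an added PHP example (not Matomo's code and not this PR's implementation): the idle clock is reset on every request, the absolute clock starts at login and is never reset, and the config value is validated before any arithmetic touches it. Assumed: timeouts are in seconds, the session is a plain array with 'login_at' and 'last_seen_at', and the 90-day absolute cap is the "3 months" floated above.

```php
<?php
// Added example, not Matomo's code. Assumes timeouts are in seconds and the
// session is an array with 'login_at' (set once) and 'last_seen_at'.
declare(strict_types=1);

// Reject anything that is not a digit string up front, instead of letting PHP
// coerce it in arithmetic later (the usual source of "non-numeric value" warnings).
function readTimeout(array $config, string $key, int $default): int
{
    $raw = $config[$key] ?? $default;
    if (!is_int($raw) && !(is_string($raw) && ctype_digit($raw))) {
        throw new InvalidArgumentException("$key must be a non-negative integer");
    }
    return (int) $raw;
}

// Called on each authenticated request: only the idle clock is reset,
// login_at is never touched.
function touchSession(array $session, int $now): array
{
    $session['last_seen_at'] = $now;
    return $session;
}

// null while valid, otherwise 'idle' or 'absolute'. $absoluteTimeout null = disabled.
function expiryReason(array $session, int $now, int $idleTimeout, ?int $absoluteTimeout): ?string
{
    if ($now - $session['last_seen_at'] > $idleTimeout) {
        return 'idle';
    }
    if ($absoluteTimeout !== null && $now - $session['login_at'] > $absoluteTimeout) {
        return 'absolute';
    }
    return null;
}

// Constructed config: 30 min idle (as floated above) and a 90-day absolute cap.
$config = ['login_session_not_remembered_idle_timeout' => '1800'];
$idle = readTimeout($config, 'login_session_not_remembered_idle_timeout', 3600);
$absolute = 90 * 86400;

$session = ['login_at' => 1000, 'last_seen_at' => 1000];
$session = touchSession($session, 2500);                         // request at 25 min
var_dump(expiryReason($session, 2500, $idle, $absolute));        // NULL: idle clock reset
var_dump(expiryReason($session, 2500 + 1801, $idle, $absolute)); // "idle": 30 min without a request
$old = touchSession($session, 1000 + 90 * 86400 - 10);           // still active near day 90
var_dump(expiryReason($old, 1000 + 90 * 86400 + 1, $idle, $absolute)); // "absolute": cap reached despite activity
```

Because both checks run server-side, a client that keeps its cookie past either limit is still refused, which is the half of expiry the OWASP text calls mandatory.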
Not sure what happens: I set login_session_not_remembered_idle_timeout = 30 and log in, then it appears like I was logged in successfully but I am still anonymous, and I also get these warnings:
core/Session/SessionAuth.php(209): Warning - A non-numeric value encountered - Matomo 3.10.0-b3 - Please report this message in the Matomo forums: https://forum.matomo.org (please do a search first as it might have been reported already)
There is no login failure, I get forwarded to dashboard but am not logged in.
Works for me 👍 should be good to merge.