Thread

Just updating- aside from a 0 session length reading as ‘false’ and thus falling back to the default session lengths, it can also result in the session being expired when anything other than cookies only is used (see If session has expired, delete it and set session data to GUEST)- hence the solution is going to be a bit more complicated than simply allowing the length to be set to 0.

I appreciate the work being done on this but I have an impatient client who wants this fixed asap. Any idea of an ETA on a fix?

Just to be clear- we’re not treating it as a bug, but as a feature request we’d like to get in.  And it’s unlikely to make it into the next release.

We’ll likely add new configuration settings.  Simply setting the cookie to 0 won’t/can’t work if sessions are also being used.

I can walk you through a temporary hack, if that will do the trick.  But a change in the released code is still some ways away.  If you do need a temporary fix- are they using cookies only or cookies+sessions?  (Cookies only is a simple fix).

A walk-through would be most welcome. I can set it up for cookies or cookies+sessions. Just let me know.

OK- in system/expressionengine/libraries/Sessions.php around line 1285:

protected function _setup_session_length()
 {
  $u_item = $this->EE->config->item('user_session_ttl');
  $cp_item = $this->EE->config->item('cp_session_ttl');

  $this->cpan_session_len = ($cp_item) ? $cp_item : $this->cpan_session_len;
  $this->user_session_len = ($u_item) ? $u_item : $this->user_session_len;

change to

  $this->cpan_session_len = ($cp_item !== FALSE) ? $cp_item : $this->cpan_session_len;
  $this->user_session_len = ($u_item !== FALSE) ? $u_item : $this->user_session_len;

All that does is allow setting the config variable session length to 0 to really be zero. 

Now- if you are using cookies only?  When you close the browser, the cookie should expire.  However, if you set it to cookies+sessions?  It’s going to expire your session immediately and log you out and just generally not work- hence the bit where it’s more complicated.

Does that help?

Thanks for the response. I changed the code as instructed, cleared browser cache, cleared EE cache and tried it. Unfortunately I get the same result. After logging in as a user, quitting the browser, re-opening the browser and trying the access the login page again it still shows me logged in. I tried in Safari, Chrome and IE.

Do you have ‘Auto-login’ selected?  If so, it’s going to log you back in.  Otherwise- when I close the browser w/config settings:

$config['cp_session_ttl'] = 0;
$config['user_session_ttl'] = 0;

I’m logged out when I re-open the browser and revisit either the frontend or the backend.  But you will need to remove the auto-login option.  Otherwise it’s going to log you in automatically based on the remember me setting (which is good for a year).