Team Password Manager features a timeout setting to configure how long you want inactive sessions to last.
A session is the period from when a user signs in until she logs out of Team Password Manager. An inactive session is a session in which the user is not interacting with the software.
Team Password Manager can keep track of inactive sessions and force the user to sign in again if a predefined period of time has expired (the timeout). This is done in two ways:
- At the PHP session level: if an inactive session lasts more than the timeout, whenever the user tries to access the software, it will log her out.
- At the Javascript level (if it is active): if a browser window is open, Team Password Manager will log the user out automatically using Javascript after the predefined timeout.
If Javascript is not active, only the first case applies. In this case, if a browser window is open and the timeout expires, the user will still be able to see the output. It is only when she tries to interact with the software that it will force the logout.
In the second case, with Javascript active, when the timeout expires the software will automatically force a logout, presenting the sign in screen instead of still showing the output of the previous screen.
Setting the timeout
To set a timeout, sign in as "Admin" or "IT", go to "Settings" in the top menu and then select the "Timeout" option. You can change the timeout with the "Edit timeout" button.
Some notes:
- The timeout is specified in seconds. Example: 600 = 10 minutes
- The minimum timeout you can set is 60 seconds, the maximum 999999 seconds (more than 11 days).
- Setting the timeout to 0 or to any value below 60 disables timeout control in Team Password Manager. In this case the timeout will be controlled by PHP settings (see next section) and the Javascript autologout feature will be disabled.
- Once you enter a timeout value, the effect is immediate.
- The timeout is the same for all the users.
- Since Team Password Manager is a PHP application, there are some PHP settings that affect this timeout. The software will show you these settings and tell you if you need to change them. See the next section.
- Sessions in Team Password Manager finish when: 1) the timeout value expires, or 2) the user quits the browser (not just closes the tab), or 3) the user logs out.
PHP ini settings that affect timeout
There are 2 PHP ini settings that affect the timeout operation. Team Password Manager will tell you their values and, if you want to control timeout from the software, tell you if you need to change them. They are:
- session.gc_maxlifetime: Specifies the number of seconds after which data will be seen as garbage and cleaned up. This setting is often used as a timeout for inactive user sessions, but since it uses PHP's garbage collector you can't rely on it for an exact timeout. This is why Team Password Manager implements its own session timeout. This value should be at least as large as the one you specify in the timeout field.
- session.cookie_lifetime: Defines how long a session will last, inactive or not. If 0 it means "until the browser is closed". It should be 0 if you intend to manage the timeout with the timeout setting in Team Password Manager.
Note: remember to restart Apache if you change one of these settings in php.ini.
Timeout scenarios
Here we present 3 ways to configure timeout that we think cover all the possibilities:
- Short timeout (minutes): you should set the timeout in Team Password Manager to the duration you want, expressed in seconds (example: 1200 for 20 minutes), and check if you need to change session.gc_maxlifetime. session.cookie_lifetime should be 0. Team Password Manager will tell you if these settings need changes.
- High timeout (days, don't care): you can either manage the timeout with Team Password Manager or with PHP. In both cases you'll need to set a large value for session.gc_maxlifetime and session.cookie_lifetime should be 0.
- Fixed time sessions: in this case you want sessions to last a fixed amount of time, even if they're active. This is not very practical since the user may be kicked out in the middle of working with the software, but it can be configured. To set this kind of timeout, do this: 1) set the timeout in Team Password Manager to 0 (yielding timeout control to PHP), 2) set session.gc_maxlifetime and session.cookie_lifetime to the number of seconds you want the sessions to last.
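As an added example (not part of Team Password Manager or its documentation), the following PHP function applies the rules from the sections above to a timeout value and the two ini settings, and lists what would need changing. The function name and the sample values are assumptions made for illustration.

```php
<?php
// Added example, not Team Password Manager code. The rules are the ones on this page.
// $timeout is the value entered under Settings > Timeout (assumed input).
function check_timeout_config(int $timeout, int $gcMaxLifetime, int $cookieLifetime): array
{
    if ($timeout > 999999) {
        return ["Timeout {$timeout}s is above the maximum of 999999 seconds."];
    }
    $findings = [];
    if ($timeout < 60) {
        // 0 or anything below 60 hands timeout control to PHP.
        $findings[] = 'Timeout control in Team Password Manager is disabled; '
            . 'PHP settings apply and the Javascript autologout is off.';
        if ($cookieLifetime > 0 && $gcMaxLifetime !== $cookieLifetime) {
            $findings[] = 'Fixed-time sessions: set session.gc_maxlifetime and '
                . 'session.cookie_lifetime to the same number of seconds.';
        } elseif ($cookieLifetime === 0) {
            $findings[] = "Inactive sessions depend on PHP's garbage collector "
                . "(session.gc_maxlifetime = {$gcMaxLifetime}s), which is not an exact timeout.";
        }
        return $findings;
    }
    // Timeout managed by the software.
    if ($gcMaxLifetime < $timeout) {
        $findings[] = "Raise session.gc_maxlifetime from {$gcMaxLifetime} to at least {$timeout}.";
    }
    if ($cookieLifetime !== 0) {
        $findings[] = "Set session.cookie_lifetime to 0 (currently {$cookieLifetime}).";
    }
    return $findings;
}

// Constructed sample cases: [timeout, gc_maxlifetime, cookie_lifetime].
$cases = [
    'short timeout'                => [1200, 1440, 0],
    'timeout above gc_maxlifetime' => [3600, 1440, 0],
    'cookie lifetime set'          => [600, 1440, 86400],
    'fixed-time, mismatched'       => [0, 1440, 28800],
];
// Values in effect for the PHP instance running this script, with a sample timeout of 600.
$cases['this PHP instance'] = [
    600, (int) ini_get('session.gc_maxlifetime'), (int) ini_get('session.cookie_lifetime'),
];
foreach ($cases as $label => [$t, $gc, $cookie]) {
    $findings = check_timeout_config($t, $gc, $cookie);
    echo $label, ': ', $findings ? implode(' ', $findings) : 'OK', PHP_EOL;
}
```

To read the values that apply to Team Password Manager, run the script through the web server rather than from the command line, since the PHP CLI can load a different php.ini.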