Team Password Manager features a timeout setting to configure how long you want inactive sessions to last.
A session is the period from when a user signs in until she logs out of Team Password Manager. An inactive session is a session in which the user is not interacting with the software.
Team Password Manager can keep track of inactive sessions and force the user to sign in again if a predefined period of time has expired (the timeout). This is done in two ways:
- At the PHP session level: if an inactive session lasts more than the timeout, whenever the user tries to access the software, it will log her out.
Setting the timeout
To set a timeout, sign in as "Admin" or "IT", go to "Settings" in the top menu and then select the "Timeout" option. You can change the timeout with the "Edit timeout" button:
- The timeout is specified in seconds. Example: 600 = 10 minutes
- The minimum timeout you can set is 60 seconds, the maximum 999999 seconds (more than 11 days).
- Once you enter a timeout value, the effect is immediate.
- The timeout is the same for all the users.
- Since Team Password Manager is a PHP application, there are some PHP settings that affect this timeout. The software will show you these settings and tell you if you need to change them. See the next section.
- Sessions in Team Password Manager finish when: 1) the timeout value expires, or 2) the user quits the browser (not just closes the tab), or 3) the user logs out.
PHP ini settings that affect timeout
There are 2 PHP ini settings that affect the timeout operation. Team Password Manager will tell you their values and, if you want to control timeout from the software, tell you if you need to change them. They are:
- session.gc_maxlifetime: Specifies the number of seconds after which data will be seen as garbage and cleaned up. This setting is often used as a timeout for inactive user sessions, but since it uses PHP's garbage collector you can't rely on it for an exact timeout. This is why Team Password Manager implements its own session timeout. This value should be at least as large as the one you specify in the timeout field.
- session.cookie_lifetime: Defines how long a session will last, inactive or not. If 0 it means "until the browser is closed". It should be 0 if you intend to manage the timeout with the timeout setting in Team Password Manager.
Note: remember to restart Apache if you change one of these settings in php.ini.
Here we present 3 ways to configure timeout that we think cover all the possibilities:
- Short timeout (minutes): set the timeout in Team Password Manager to the desired duration in seconds (example: 1200 for 20 minutes) and check whether you need to change session.gc_maxlifetime. session.cookie_lifetime should be 0. Team Password Manager will tell you if these settings need changes.
- High timeout (days, don't care): you can either manage the timeout with Team Password Manager or with PHP. In both cases you'll need to set a large value for session.gc_maxlifetime and session.cookie_lifetime should be 0.
- Fixed time sessions: in this case you want sessions to last a fixed amount of time, even if they're active. This is not very practical since the user may be kicked out in the middle of working with the software, but it can be configured. To set this kind of timeout, do this: 1) set the timeout in Team Password Manager to 0 (yielding timeout control to PHP), 2) set session.gc_maxlifetime and session.cookie_lifetime to the number of seconds you want the sessions to last.
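The rules above can also be checked offline against a php.ini file. The following is an added example, not code from Team Password Manager: the function names are hypothetical, the fallback values are PHP's built-in defaults for the two directives, and it assumes you pass it the text of the php.ini that the web server's PHP actually loads.

```python
import re

# PHP's built-in defaults, used when php.ini does not set a directive.
PHP_DEFAULTS = {"session.gc_maxlifetime": 1440, "session.cookie_lifetime": 0}
TPM_MIN, TPM_MAX = 60, 999999  # timeout range stated on this page
DIRECTIVE = re.compile(
    r'^(session\.(?:gc_maxlifetime|cookie_lifetime))\s*=\s*"?(\d+)"?$')

def read_session_ini(text):
    """Extract the two session directives from php.ini text (last assignment wins)."""
    values = dict(PHP_DEFAULTS)
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop ';' comments
        match = DIRECTIVE.match(line)
        if match:
            values[match.group(1)] = int(match.group(2))
    return values

def check_timeout(tpm_timeout, ini_text):
    """Return findings as strings; an empty list means the settings agree."""
    ini = read_session_ini(ini_text)
    gc = ini["session.gc_maxlifetime"]
    cookie = ini["session.cookie_lifetime"]
    findings = []
    if tpm_timeout == 0:
        # Fixed time sessions: PHP controls the timeout, both values must match.
        if cookie == 0:
            findings.append("cookie_lifetime is 0: sessions have no fixed length")
        elif gc != cookie:
            findings.append(f"gc_maxlifetime ({gc}) != cookie_lifetime ({cookie})")
        return findings
    if not TPM_MIN <= tpm_timeout <= TPM_MAX:
        findings.append(f"timeout {tpm_timeout} outside {TPM_MIN}-{TPM_MAX}")
    if gc < tpm_timeout:
        findings.append(f"gc_maxlifetime ({gc}) < timeout ({tpm_timeout}): "
                        "PHP may discard the session early")
    if cookie != 0:
        findings.append(f"cookie_lifetime ({cookie}) is not 0: the cookie "
                        "expires on a fixed schedule")
    return findings

# Constructed php.ini fragment for illustration.
SAMPLE_INI = """
[Session]
session.gc_maxlifetime = 1440   ; PHP default
session.cookie_lifetime = 0
"""

if __name__ == "__main__":
    for timeout in (1200, 3600):
        print(timeout, check_timeout(timeout, SAMPLE_INI) or "ok")
```

With the sample file, a 1200 second timeout passes, while 3600 is flagged because session.gc_maxlifetime is smaller than the timeout.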