How long would a user stay logged on?

Silverstripe Version: 4.*

Question:
I’m trying to figure out when a user is being logged out, for instance after a time of inactivity. Now it seems sometimes my session is lasting forever. Even when closing my browser and restarting it, I’m still logged in.
I used to think it would be connected to my cookie of PHPsession, but the first one isn’t present and the second one has a timestamp in the past.

Partly I’m curious how this works. Partly I want to be able to control when users are forced to re-authenticate themselves…

I don’t think SilverStripe automatically logs users out after inactivity currently, so as long as the session persists, a user could stay logged in indefinitely. If your PHP sessions have a max age after which they get deleted, that would effectively log users out, and I think by default if a user logs out on one device they are logged out everywhere. Here is an old example for automatic logout you could adapt (perhaps as an extension on Controller).

Out of the box on SS4 a user should be logged out when their session ends, because the PHPSESSID cookie will expire. However, browsers like Chrome do their damnedest to never end a session, so it might not happen when you’d expect.
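
A sketch of the idle-timeout approach suggested in the replies above, written as an extension on Controller. This is an added example, not code from the thread or from Silverstripe itself; the class name `IdleLogoutExtension`, the session key and the `idle_timeout` setting are hypothetical. Because the timestamp is kept server-side in the session, the logout does not depend on when the browser discards the PHPSESSID cookie.

```php
<?php
// Added example. Register it in YAML config (assumed file app/_config/idle.yml):
//   SilverStripe\Control\Controller:
//     extensions:
//       - IdleLogoutExtension

use SilverStripe\Core\Config\Config;
use SilverStripe\Core\Extension;
use SilverStripe\Core\Injector\Injector;
use SilverStripe\Security\IdentityStore;
use SilverStripe\Security\Security;

class IdleLogoutExtension extends Extension
{
    /** @var int Seconds of inactivity allowed before re-authentication (assumed value) */
    private static $idle_timeout = 900;

    /** Hypothetical session key holding the time of the last authenticated request */
    const SESSION_KEY = 'IdleLogout.LastActivity';

    /**
     * Pure decision, kept separate from the framework calls so it can be unit-tested.
     * A missing timestamp means the first request after login: not expired.
     */
    public static function isIdleExpired($lastActivity, $now, $timeout)
    {
        return $lastActivity !== null && ((int) $now - (int) $lastActivity) > (int) $timeout;
    }

    /** Extension hook that Controller calls on every request, before init(). */
    public function onBeforeInit()
    {
        if (!Security::getCurrentUser()) {
            return; // anonymous visitor, nothing to expire
        }
        $request = $this->owner->getRequest();
        $session = $request->getSession();
        $timeout = Config::inst()->get(self::class, 'idle_timeout');

        if (self::isIdleExpired($session->get(self::SESSION_KEY), time(), $timeout)) {
            $session->clear(self::SESSION_KEY);
            // Log the member out through the configured authentication handlers.
            Injector::inst()->get(IdentityStore::class)->logOut($request);
            return;
        }
        // Still active: slide the window forward.
        $session->set(self::SESSION_KEY, time());
    }
}
```

Any request that reaches a controller, including background AJAX polling, counts as activity here and resets the timer.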