https://sourceforge.net/p/phpmyadmin/bugs/4877/2015-07-10T01:37:23.353000ZRecent changes to 4877: auto-redirect to login page after timeout2015-07-10T01:37:23.353000Z2015-07-10T01:37:23.353000ZRyan Murphyhttps://sourceforge.net/u/murftown/https://sourceforge.netc3a6119dd41c5dff16338af268add1edfaa964b2

<div class="markdown_content"><p>I also get logged out quite frequently when I use phpmyadmin at work. I don't know what my php.ini session timeout setting says but I'll check. I agree with the idea of defaulting to longer, or possibly just using the value of the php setting to automatically configure the phpmyadmin setting (use ini_get).</p> <p>Hugues' idea of using ini_set to prolong the session seems good! I don't know if that is one of the settings you can change at runtime.</p> <p>I understand that the docs are giving the security advice of having the session not be too long. Maybe it could ask the user the first time it comes up, and mention the warning then?</p></div>

2015-05-20T08:59:28.844000Z2015-05-20T08:59:28.844000Zhttps://sourceforge.nethttps://sourceforge.net0b7ed41e138be4ab3bc11c86ada7ccfa4b154c00

<div class="markdown_content"><p>just fixed it</p></div>

2015-05-10T21:11:00.446000Z2015-05-10T21:11:00.446000ZHugues Peccattehttps://sourceforge.net/u/tithugues/https://sourceforge.neta422efceb1240ee202773b52abd21a90ed75cd75

<div class="markdown_content"><p>Marc,<br /> Could we imagine to get the session.gc_maxlifetime by ini_get?</p></div>

2015-05-01T13:47:37.086000Z2015-05-01T13:47:37.086000ZMarc https://sourceforge.net/u/mokraemer/https://sourceforge.net93b8c2c5ea30e4356df90c482ec9794176ed80f6

<div class="markdown_content"><p>there is one more thing with this automatic redirect:<br /> if you have more than one open window of phpmyadmin - which is my default, the other windows "close" even if you do queries on the others, so the cookie and the php-session do not expire.</p> <p>If you don't check your other windows &amp; relogin the one where the session was ended by js, the php session is closed &amp; all other windows don't work any more due to changed session-id.</p> <p>For you as a background: when I'm preparing queries in applications, I open a few tables in different browser tabs, to have the table structure of all used tables side by side. After that I determine which collums to select, what to join and how based upon the indeces. I think this is a very common way of accessing the databases.</p></div>

2015-04-29T14:03:27.649000Z2015-04-29T14:03:27.649000ZMarc https://sourceforge.net/u/mokraemer/https://sourceforge.nete3b99701c4bbe49e24d40311f746636e0e6688ec

<div class="markdown_content"><p>hey, I'm still not speaking about changing the logout time itself, but only the automatic redirect to the login page, which eleminates all query results. For this, I see no reason.<br /> Here we are speaking about phpmyadmin - an application which is used by professionals - mostly on a fixed computer with screen-lock. In the rare circumstances where a public available terminal is used, the user will surely close all browsers, tabs etc. And since on these terminals you can't be sure a keylogger is installed, you should never do this.</p></div>

2015-04-29T10:15:12.902000Z2015-04-29T10:15:12.902000ZMarc Delislehttps://sourceforge.net/u/lem9/https://sourceforge.netffea3398e9f72fcbb2caa3bf5a7aa8e0ab40808b

<div class="markdown_content"><p>Session is used for many things; the most important of them is probably our protection token.</p></div>

2015-04-28T19:59:19.378000Z2015-04-28T19:59:19.378000ZOlaf van der Spekhttps://sourceforge.net/u/olafvdspek/https://sourceforge.net119a00ecae24560244a84f95836093459ba81cff

<div class="markdown_content"><p>I meant to not require the PHP session data.. What's stored there anyway?</p></div>

2015-04-28T19:49:43.350000Z2015-04-28T19:49:43.350000ZMarc Delislehttps://sourceforge.net/u/lem9/https://sourceforge.net132126fa43e64290c85f3653b13212def56958cd

<div class="markdown_content"><p>In /setup we have this verification: "Login cookie validity should be set to 1800 seconds (30 minutes) at most. Values larger than 1800 may pose a security risk such as impersonation."</p> <p>So it seems logical to follow our own security suggestion, in the default value of LoginCookieValidity. I know that default values cannot please everyone, but we try to set them to the best value for the majority of users.</p></div>

2015-04-28T19:19:07.034000Z2015-04-28T19:19:07.034000ZOlaf van der Spekhttps://sourceforge.net/u/olafvdspek/https://sourceforge.net57884436b2f5f845fd2fc359742d28b3a089b677

<div class="markdown_content"><p>What'd be the disadvantage of defaulting to a day, a week or even longer?</p> <p>Currently a user would have to change two values instead of one (in php.ini).</p> <p>Can't the 'session' be restored even if the PHP session data is lost?</p></div>

2015-04-28T19:12:24.586000Z2015-04-28T19:12:24.586000ZMarc Delislehttps://sourceforge.net/u/lem9/https://sourceforge.net7411e41d7d0339c1e08d0a7cea8ca9ff652ca194

<div class="markdown_content"><p>Olaf,<br /> you are probably referring to the default value of the LoginCookieValidity directive. According to libraries/config.default.php, this value of 1440 seconds was chosen to match php.ini's same default value for session.gc_maxlifetime. This also has a value of 1440 in the suggested php.ini for production, in PHP 5.3 and 7.0 (see php.ini-production).</p> <p>We have no way of knowing what is the value of session.gc_maxlifetime for most users, so we used the proposed default value of php.ini.</p></div>