
Make inactive Account logout #11828

Closed
kojomba opened this issue Oct 14, 2018 · 17 comments
@kojomba

kojomba commented Oct 14, 2018

So I set up NextcloudPI on my Raspberry Pi 3B+, and everything seems to be working fine. The only issue I have is that my account doesn't log out even if I'm inactive (talking about the web UI)... So I turned on my laptop (the next day), went to the web interface and I was still logged in....
Can you guys fix this, or add an option so that it will log out after X minutes of inactivity?

Because this is not secure..

Thank you

@nextcloud-bot
Member

GitMate.io thinks possibly related issues are #9816 (enhancement: merging accounts), #6226 (Email accounts colors), #10859 (Purge LocalStorage on logout), #8817 (Admin Account Restriction), and #4909 (make changes to users.).

@JanDragon

Good idea and very important.

@MorrisJobke
Member

cc @rullzer @blizzz @ChristophWurst

@ChristophWurst
Member

IMO this is rather a feature than a bug. As long as there is an open browser window we try to keep the session alive (heartbeat requests) and additionally the login is active/valid for two weeks.

Ref: server/core/js/js.js, lines 1378 to 1400 in 82a5833

```javascript
function initSessionHeartBeat() {
	// interval in seconds
	var interval = NaN;
	if (oc_config.session_lifetime) {
		interval = Math.floor(oc_config.session_lifetime / 2);
	}
	interval = isNaN(interval)? 900: interval;
	// minimum one minute
	interval = Math.max(60, interval);
	// max interval in seconds set to 24 hours
	interval = Math.min(24 * 3600, interval);
	var url = OC.generateUrl('/csrftoken');
	setInterval(function() {
		$.ajax(url).then(function(resp) {
			oc_requesttoken = resp.token;
			OC.requestToken = resp.token;
		}).fail(function(e) {
			console.error('session heartbeat failed', e);
		});
	}, interval * 1000);
}
```

Ref:

```php
$maxAge = $this->config->getSystemValue('remember_login_cookie_lifetime', 60 * 60 * 24 * 15);
```

^ you might want to have a look at the remember_login_cookie_lifetime setting. https://docs.nextcloud.com/server/14/admin_manual/configuration_server/config_sample_php_parameters.html#user-experience

@kojomba
Author

kojomba commented Oct 15, 2018

@ChristophWurst, can you guys add an option in the admin panel so that we can set our own time?

'You just have to forget to log out manually on a public PC, and you have a big problem....'

@ChristophWurst
Member

> 'You just have to forget to log out manually on a public PC, and you have a big problem....'

FYI you can always kill other sessions via your personal security settings. It lists all active sessions. Just pick the one where you forgot to log out and end it. Problem solved 😉

@ChristophWurst
Member

> @ChristophWurst, can you guys add an option in the admin panel so that we can set our own time?

IMO this is a rather specific configuration option. If we added a user interface for all these options (there are lots of these), the UI would get unmaintainable. Could you please just fix this in your config.php as instructed by the linked admin manual? Thanks.

@kojomba
Author

kojomba commented Oct 15, 2018

Don't get me wrong, but that workflow is not professional. None of the other cloud services has a 2-week login validity by default. The best and most secure way is, for example: by default 15 min inactive = auto logout. If users want a longer time, let them change it in the config file.

@rullzer
Member

rullzer commented Oct 15, 2018

@kojomba, which services are you referring to? Both my test Dropbox and test Google Drive accounts, which I have not used in weeks, are still logged in.

@kojomba
Author

kojomba commented Oct 15, 2018

@rullzer well... I just logged in to my Dropbox, did a quick Windows logout and login, and guess what happened.... it did log me out of the website.... That's how it has to be done.

@Schroeffu

Schroeffu commented Jun 27, 2019

Any update on this? The very best end-to-end encryption is not helpful as long as there is no configurable auto logout after x minutes. :-/

@skydns

skydns commented Oct 16, 2019

Until it's integrated in the admin panel you have to insert this in /config/config.php:

https://help.nextcloud.com/t/log-out-on-idle-time/6734/2

```php
/**
 * The lifetime of a session after inactivity; the default is 24 hours,
 * expressed in seconds.
 */
```

and add these lines to stop the heartbeat:

```php
'session_lifetime' => 60 * 15,
'session_keepalive' => false,
'remember_login_cookie_lifetime' => 60 * 15,
```

@skjnldsv skjnldsv added the 0. Needs triage Pending check for reproducibility or if it fits our roadmap label Aug 20, 2020
@LgWagon

LgWagon commented Oct 8, 2020

Dear all,
Is there any update on this topic? Still no auto-logout working, despite adding the previous three lines to config.php.
NC version: 19.0.3

@mutoroglin

> Dear all,
> Is there any update on this topic? Still no auto-logout working, despite adding the previous three lines to config.php.
> NC version: 19.0.3

I just set up my first Nextcloud server and also wanted to auto log off after a few minutes of inactivity.
The solution skydns describes works perfectly fine on my machine.
I write this as I haven't yet found any positive confirmation that there is a working solution.
My Nextcloud version is 20.0.4 on Ubuntu Server 18.0.4 LTS.

@skjnldsv skjnldsv added 1. to develop Accepted and waiting to be taken care of and removed 0. Needs triage Pending check for reproducibility or if it fits our roadmap labels Jan 8, 2021
@ghost

ghost commented Jan 11, 2021

Greetings - just wanted to chime in on this. Maybe Nextcloud isn't concerned over more professional use cases, but auto-logout is critical to business use cases. Literally some environments require this feature to be compliant with cybersecurity policy as established by NIST and, going forward, the CMMC. I have to disagree that this is feature creep (my words, referring to an earlier comment) - this is actually sound and, frankly, sane policy in a cloud environment. The only area where this wouldn't be as much of an issue is on personal local area networks, where your personal documents are hosted on your terms and if someone hacks in you aren't endangering others by hosting data relevant to their businesses, or your employers for that matter.

Granted, the work-around cited should be sufficient, but generally speaking I believe this is something you should consider adding to the administrator settings. Thanks for listening :)

@kesselb
Contributor

kesselb commented Aug 17, 2021

We introduced an auto_logout configuration flag: #20298

Does that help with this use case?

@szaimen szaimen added 0. Needs triage Pending check for reproducibility or if it fits our roadmap and removed 1. to develop Accepted and waiting to be taken care of labels Aug 17, 2021
@mutoroglin

mutoroglin commented Aug 30, 2021

Hi kesselb and community,

I just checked the feature on my Nextcloud instance. I added the following settings to config/config.php:

```php
'remember_login_cookie_lifetime' => 60 * 60 * 24 * 15,
'session_lifetime' => 60 * 1,
'session_keepalive' => true,
'auto_logout' => true,
```

I observed the following behaviour:

  1. Log in to a user account without any further activity (no mouse movement either): I am automatically logged out after 1 minute (session_lifetime).
  2. Log in to a user account and periodically move my mouse (the Nextcloud window in the browser was always in focus): I stay logged in (until I wait for more than 1 minute).

I conclude this feature works as intended. THANK YOU :-)
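To make the interplay of the keys discussed in this thread checkable (ChristophWurst's heartbeat explanation, skydns's config.php lines and mutoroglin's test above), here is an added example that is not Nextcloud's code: the heartbeat interval is computed exactly as in the quoted js.js, while `logoutTimeSeconds` is a deliberately simplified model of the session behaviour the comments describe, with its assumptions stated in the comments.

```javascript
// Added example, not Nextcloud code: a model of the client/server session
// behaviour described in this thread, so the effect of each config.php key
// can be reasoned about. Times are in seconds since login (login = t 0).

// Heartbeat interval, computed exactly as core/js/js.js initSessionHeartBeat():
// half of session_lifetime, clamped to [60 s, 24 h], 900 s when unset.
function heartbeatIntervalSeconds(config) {
  let interval = NaN;
  if (config.session_lifetime) {
    interval = Math.floor(config.session_lifetime / 2);
  }
  interval = Number.isNaN(interval) ? 900 : interval;
  interval = Math.max(60, interval);        // minimum one minute
  return Math.min(24 * 3600, interval);     // maximum 24 hours
}

// First moment at which a gap between consecutive activity timestamps
// exceeds `lifetime`; if no gap does, `lifetime` seconds after the last one.
function idleExpiry(activity, lifetime) {
  const events = [0, ...activity];          // login itself counts as activity
  for (let i = 1; i < events.length; i++) {
    if (events[i] - events[i - 1] > lifetime) {
      return events[i - 1] + lifetime;
    }
  }
  return events[events.length - 1] + lifetime;
}

// Simplified model (an assumption for this example, not the server's code):
//  - the server session expires session_lifetime seconds after the last
//    request (24 h when unset, per the config comment skydns quoted above);
//  - session_keepalive (default true) makes an open tab send a heartbeat every
//    heartbeatIntervalSeconds, so the server session never idles out;
//  - auto_logout makes the client log out session_lifetime seconds after the
//    last user activity even while the heartbeat keeps the session alive.
// activity: sorted user-activity timestamps, each also assumed to be a request.
// Returns the time of logout, or Infinity if the user stays logged in.
function logoutTimeSeconds(config, activity) {
  const lifetime = config.session_lifetime ?? 24 * 3600;
  const keepalive = config.session_keepalive !== false;
  if (config.auto_logout) {
    return idleExpiry(activity, lifetime);  // client-side idle timer
  }
  if (keepalive) {
    return Infinity;                        // heartbeat keeps the session valid
  }
  return idleExpiry(activity, lifetime);    // server-side expiry only
}
```

With the default config (no keys set) the model returns Infinity for any activity pattern, which is the "still logged in the next day" behaviour reported in the opening post; mutoroglin's config returns 60 with no activity and last activity + 60 when the mouse keeps moving.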
