Setting session timeout for limiting user session on the site

5 years ago
Hi,

I want to make sure the session times out after 1 hour. In other words, if a user stays inactive for one hour, he should be taken to the login page again. It would be great if someone could help me with the settings I need to change. Do I need to make the change in site settings or web config, or is it at the IIS level that I have to make the changes?

Please reply urgently and thanks in advance for your help!

Thanks,
Alok
5 years ago
alokthakkar wrote:
Hi,

I want to make sure the session times out after 1 hour. In other words, if a user stays inactive for one hour, he should be taken to the login page again. It would be great if someone could help me with the settings I need to change. Do I need to make the change in site settings or web config, or is it at the IIS level that I have to make the changes?

Please reply urgently and thanks in advance for your help!

Thanks,
Alok


Hi,

You can modify this in the source code:

Go to this file: /Presentation/Nop.Web.Framework/WebWorkContext.cs

and find this method:

protected virtual void SetCustomerCookie(Guid customerGuid)
{
    if (_httpContext != null && _httpContext.Response != null)
    {
        var cookie = new HttpCookie(CustomerCookieName);
        cookie.HttpOnly = true;
        cookie.Value = customerGuid.ToString();
        if (customerGuid == Guid.Empty)
        {
            cookie.Expires = DateTime.Now.AddMonths(-1);
        }
        else
        {
            int cookieExpires = 24*365; //TODO make configurable
            cookie.Expires = DateTime.Now.AddHours(cookieExpires);
        }

        _httpContext.Response.Cookies.Remove(CustomerCookieName);
        _httpContext.Response.Cookies.Add(cookie);
    }
}


As you can see in this row:
int cookieExpires = 24*365; //TODO make configurable


There is a TODO, which has been there for many versions.

So, 24*365 represents one year. So you just make it 1. This will be one hour as you wanted.

I personally do not believe this is a good customer experience, but maybe your configuration requires it.


I hope this helped!
3 months ago
Not working!
The user can still access the site after 15 minutes. My code snippet:

            //get date of cookie expiration
            //var cookieExpires = _cookieSettings.CustomerCookieExpires;
            //var cookieExpiresDate = DateTime.Now.AddHours(cookieExpires);
            // Adding 15 minutes
            var cookieExpiresDate = DateTime.Now.AddMinutes(15);
3 months ago
These cookies are only used for guest customer records. To force a customer to log out, you need to set an expiration for the authentication configuration.
1 month ago
Hi, can you please give an example of how exactly to do this? I have been searching everywhere without success.

thanks
1 week ago
chrisampofo wrote:
Hi, can you please give an example of how exactly to do this? I have been searching everywhere without success.


Hi.
Just add this code under the main authentication cookie configuration:
options.ExpireTimeSpan = TimeSpan.FromMinutes(15);
options.SlidingExpiration = true;
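
Added example (not part of the thread and not nopCommerce's own code): the two settings from the last post in a stand-alone ASP.NET Core cookie-authentication setup, using the one-hour idle timeout from the original question. It goes one step further than the thread by adding an absolute session cap, because sliding expiration alone lets an active session live indefinitely. The `/login` and `/account` routes, the `login_utc` item key and the 8-hour cap are assumptions for illustration.

```csharp
// Minimal ASP.NET Core (.NET 6+, Web SDK implicit usings) demo app.
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;

var builder = WebApplication.CreateBuilder(args);
var absoluteLifetime = TimeSpan.FromHours(8);   // assumed hard cap per login

builder.Services.AddAuthorization();
builder.Services
    .AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(options =>
    {
        options.LoginPath = "/login";                        // placeholder route
        options.ExpireTimeSpan = TimeSpan.FromMinutes(60);   // ticket lifetime
        // The ticket is re-issued only on a request that arrives after more
        // than half of ExpireTimeSpan has elapsed, so the effective idle
        // window is between 30 and 60 minutes, not exactly 60.
        options.SlidingExpiration = true;
        options.Cookie.HttpOnly = true;
        options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
        options.Cookie.SameSite = SameSiteMode.Lax;
        options.Events.OnValidatePrincipal = async context =>
        {
            // IssuedUtc moves forward on every sliding renewal, so the
            // original login time is carried in the ticket's Items instead.
            var ok = context.Properties.Items.TryGetValue("login_utc", out var s)
                && DateTimeOffset.TryParse(s, out var login)
                && DateTimeOffset.UtcNow - login < absoluteLifetime;
            if (!ok)
            {
                context.RejectPrincipal();
                await context.HttpContext.SignOutAsync();
            }
        };
    });

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapGet("/login", async (HttpContext http) =>
{   // Constructed demo identity; a real site verifies credentials first.
    var identity = new ClaimsIdentity(new[] { new Claim(ClaimTypes.Name, "demo") },
        CookieAuthenticationDefaults.AuthenticationScheme);
    var props = new AuthenticationProperties();
    props.Items["login_utc"] = DateTimeOffset.UtcNow.ToString("o");
    await http.SignInAsync(new ClaimsPrincipal(identity), props);
    return Results.Text("signed in");
});
app.MapGet("/account", (ClaimsPrincipal user) => $"Hello {user.Identity!.Name}")
   .RequireAuthorization();
app.Run();
```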