Secure Area Duration setting not honored?

[ztank]

Hi, I am on HESK 3.5.2 and I have set the Secure Area Duration to 9 hours but I am being forced to retype my credentials either as an admin or an agent a lot earlier (15 minutes maybe?) probably for inactivity. Is there an option to avoid to be forcefully logged out for inactivity?
Thanks.

[Klemen]

Session timeout is controlled in PHP settings, not in Hesk.

You will need to modify your PHP configuration, most likely the session.gc_maxlifetime parameter. Also, check that session.cookie_lifetime is either 0 or equal to the gc_maxlifetime parameter.

You could try this hack to stay logged in:
viewtopic.php?t=5857

Or, keep help desk open on the "Tickets" (main) page, with the "Auto reload page" checked in the top right corner. The auto reload time can be set in your Profile > Edit Profile > Preferences tab.

[ztank]

Hello @Klemen,
after your explanation I researched about session.gc_maxlifetime and session.cookie_lifetime params and found out that there are different places/files where they can be set.
I think that .htaccess is the best place for me and I added 2 lines to it:

Code: Select all

php_value session.gc_maxlifetime 86400
php_value session.cookie_lifetime 86400

Previously in the php.ini file they were 1440 (24 minutes) and 0 respectively.
I just tested it with shorter values (60 and 60) and my session expired after just 60 seconds of inactivity.
I expect to have a 1 day long of session if I use 86400 for both of them.
It looks a pretty clean approach to me.
Thoughts?

Thanks.

Edit:
It seems it is also necessary for me to add also this other line in .htaccess

Code: Select all

php_value session.cache_expire 86400

to have it successfully extend the session to 1 day.

[Klemen]

If it works for you, that's fine. Just note that all the Hesk sessions will be 24 hours long, so if you have a lot of customers, it would mean a lot of temporary files on the server from their sessions.

It's probably not an issue unless you have thousands of daily users on low-end hardware, though.

[ztank]

Actually It does not seem to work...

I have been trying to extend the session duration with no success.
I have these 3 lines in my .htaccess which is sitting in the same path where HESK 3.5.2 installation lives

Code: Select all

php_value session.gc_maxlifetime 172800
php_value session.cookie_lifetime 172800
php_value session.cache_expire 172800

but nothing... I keep being kicked out of my sessions both as an admin or an agent, both in firefox and forefox incogninto .

Here's the phpinfo() output session section:



Anything else I can try within php.ini fine tuning besides the suggestion you already gave with the refresh.php trick?

Thanks

[Klemen]

This looks good to me.

I would try with the refres.php next if this doesn't work.

[ztank]

Wouldn't it the refresh.php trick extend the session indefinitely?
I don't want it to happen, just would like to make it a little longer than the default 1440 (24 minutes). That's my goal.
Thanks.

[Klemen]

No, the refresh.php trick would extend the session only for as long as your browser is open. If you close the browser (Hesk), it has no effect.