
#4877 auto-redirect to login page after timeout

4.4.4
open
nobody
None
High
2015-07-10
2015-04-28
Marc
No

This should not happen and is really annoying!
If you have many windows with queries and are doing some implementation, not all windows have regular reloads.
Keep the page open - you might show a hint that this session ended - but please only a small hint.

Discussion

  • Marc Delisle

    Marc Delisle - 2015-04-28

    If I'm not mistaken, when the session ends, we lose the MySQL credentials, so we have to ask a relogin.

     
  • Marc

    Marc - 2015-04-28

    Maybe, but there is no need to close the current view & redirect automatically to the login page of phpmyadmin.
    Just leave the view it was before.

    To test, just navigate to a table, click view & wait for the timeout. For me, after my lunch break all query windows showed me the login dialog. If this is only one window - all is good, but I had about 10.

    Btw, why don't you have an option to keep the connection to the server? It is sufficient to have a simple call every 10 minutes to the server.

     
  • Olaf van der Spek

    What's with the short timeout anyway?

     
    • Marc Delisle

      Marc Delisle - 2015-04-28

      Olaf,
      you are probably referring to the default value of the LoginCookieValidity directive. According to libraries/config.default.php, this value of 1440 seconds was chosen to match php.ini's same default value for session.gc_maxlifetime. This also has a value of 1440 in the suggested php.ini for production, in PHP 5.3 and 7.0 (see php.ini-production).

      We have no way of knowing what is the value of session.gc_maxlifetime for most users, so we used the proposed default value of php.ini.

       
      • Hugues Peccatte

        Hugues Peccatte - 2015-05-10

        Marc,
        Could we imagine getting the session.gc_maxlifetime by ini_get?

         
  • Olaf van der Spek

    What'd be the disadvantage of defaulting to a day, a week or even longer?

    Currently a user would have to change two values instead of one (in php.ini).

    Can't the 'session' be restored even if the PHP session data is lost?

     
    • Marc Delisle

      Marc Delisle - 2015-04-28

      In /setup we have this verification: "Login cookie validity should be set to 1800 seconds (30 minutes) at most. Values larger than 1800 may pose a security risk such as impersonation."

      So it seems logical to follow our own security suggestion, in the default value of LoginCookieValidity. I know that default values cannot please everyone, but we try to set them to the best value for the majority of users.

      And if you know how to restore the PHP session after its expiration, please enlighten us.

       

      Last edit: Marc Delisle 2015-04-28
  • Olaf van der Spek

    I meant to not require the PHP session data.. What's stored there anyway?

     
    • Marc Delisle

      Marc Delisle - 2015-04-29

      Session is used for many things; the most important of them is probably our protection token.

       
  • Marc

    Marc - 2015-04-29

    Hey, I'm still not speaking about changing the logout time itself, but only the automatic redirect to the login page, which eliminates all query results. For this, I see no reason.
    Here we are speaking about phpmyadmin - an application which is used by professionals - mostly on a fixed computer with screen-lock. In the rare circumstances where a publicly available terminal is used, the user will surely close all browsers, tabs etc. And since on these terminals you can't be sure a keylogger is installed, you should never do this.

     
  • Marc

    Marc - 2015-05-01

    There is one more thing with this automatic redirect:
    if you have more than one open window of phpmyadmin - which is my default, the other windows "close" even if you do queries on the others, so the cookie and the php-session do not expire.

    If you don't check your other windows & relogin the one where the session was ended by js, the php session is closed & all other windows don't work any more due to changed session-id.

    For you as a background: when I'm preparing queries in applications, I open a few tables in different browser tabs, to have the table structure of all used tables side by side. After that I determine which columns to select, what to join and how based upon the indices. I think this is a very common way of accessing the databases.

     
  • Ryan Murphy

    Ryan Murphy - 2015-07-10

    I also get logged out quite frequently when I use phpmyadmin at work. I don't know what my php.ini session timeout setting says but I'll check. I agree with the idea of defaulting to longer, or possibly just using the value of the php setting to automatically configure the phpmyadmin setting (use ini_get).

    Hugues' idea of using ini_set to prolong the session seems good! I don't know if that is one of the settings you can change at runtime.

    I understand that the docs are giving the security advice of having the session not be too long. Maybe it could ask the user the first time it comes up, and mention the warning then?
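
Added example, not part of the thread and not phpMyAdmin's own code: a config.inc.php fragment that takes up the ini_get suggestion by deriving `$cfg['LoginCookieValidity']` from `session.gc_maxlifetime`, while staying under the 1800-second limit quoted from /setup. The helper name `pick_login_cookie_validity` and the requested value are assumptions made for illustration.

```php
<?php
// Added example for config.inc.php; not code from the phpMyAdmin project.
// pick_login_cookie_validity() is a hypothetical helper name.

if (!function_exists('pick_login_cookie_validity')) {
    /**
     * Pick a LoginCookieValidity (seconds) that does not outlive the PHP
     * session data and does not exceed the ceiling quoted from /setup.
     *
     * @param mixed $gcMaxLifetime raw result of ini_get('session.gc_maxlifetime')
     * @param int   $wanted        lifetime the administrator would like
     * @param int   $ceiling       upper bound; 1800 is the /setup figure
     */
    function pick_login_cookie_validity($gcMaxLifetime, $wanted, $ceiling = 1800)
    {
        // ini_get() returns a string, or false when the directive is unknown.
        $gc = filter_var($gcMaxLifetime, FILTER_VALIDATE_INT);
        if ($gc === false || $gc <= 0) {
            // Unusable php.ini value: fall back to the 1440 s default
            // mentioned in the thread.
            $gc = 1440;
        }

        // The cookie must expire no later than the session data can be
        // garbage-collected, and no later than the security ceiling.
        $chosen = max(1, min((int) $wanted, $gc, (int) $ceiling));

        if ($chosen < (int) $wanted) {
            error_log(sprintf(
                'LoginCookieValidity reduced from %d to %d s '
                . '(session.gc_maxlifetime=%d, ceiling=%d)',
                $wanted, $chosen, $gc, $ceiling
            ));
        }
        return $chosen;
    }
}

// Constructed sample: the administrator asks for 30 minutes. With the
// php.ini default of 1440 this yields 1440; with gc_maxlifetime raised to
// 3600 it yields 1800.
$cfg['LoginCookieValidity'] = pick_login_cookie_validity(
    ini_get('session.gc_maxlifetime'),
    1800
);
```

To get the full 1800 seconds, `session.gc_maxlifetime` in php.ini has to be raised as well, which is the two-setting change raised earlier in the discussion.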