The Joomla! Community Magazine™

Add a Session Timer

Written by | Wednesday, 01 June 2011 00:00 | Published in 2011 June
Don't build a long, straight road to your SuperAdministrator privileges for hackers to travel. Install a session timer instead.

"Your session has expired. Please log in again."

It may be annoying when you encounter this message, but it happens for a very good reason. By default, Joomla! allows you to login and remain signed on to the CMS system for a maximum of fifteen minutes of inactivity. Limiting a session in this way helps to prevent a lot of security issues.

If you've ever been caught short, it's tempting to extend the session time limit to a very large value. The place to make that setting is in the Global Configuration under Server. It's also possible to install an extension that disables session timing altogether. When you're developing a site, this is a simple way to prevent session timeouts.

On a live site with any amount public of traffic, though, this is a very dangerous idea. Don't be tempted. Sites that are left exposed with a long, straight path to Administrator or Superadministrator rights are something a hacker hopes to exploit. This can be as simple as someone sneaking access to a computer that doesn't belong to her or him, or more elaborate schemes of exploiting user accounts. On a Joomla! site that has gone live, we need a better plan for dealing with the potential for sessions timing out and causing frustration for the people working there, a plan that doesn't reduce our security settings. But what?

The answer is to install a session timer into your Joomla! administrator template. These extensions count down the remaining time in a session with a graphic or clock. When time is nearly up, they warn the user that her or his session is nearly over and it's time to save their work. Not only does a session timer give fair warning to people editing or adding to a site, it encourages them to intermediately save their work. Everyone is a winner—everyone except for a hacker, that is.

Here are links to two session timer options available from the Joomla! Extensions Directory. There are more options available in the Admin Desk section. Many template developers are releasing Administrator templates which include a session timer feature, too.

Read 23737 times
Tagged under Did you know...?
Sully Sullivan

Sully Sullivan

Brian "Sully" Sullivan has been building corporate and non-profit organization websites for 10 years, and using Joomla! almost since it was new. He lives and works in the Washington, DC metropolitan area, where he is a Principal of Terrace Media Group, an independent website development firm specializing in information architecture, search engine optimization, enterprise search services and transaction data management using the Joomla! CMS.