The Joomla! Community Magazine™

Add a Session Timer

Written by | Wednesday, 01 June 2011 00:00 | Published in 2011 June
Don't build a long, straight road to your SuperAdministrator privileges for hackers to travel. Install a session timer instead.

"Your session has expired. Please log in again."

It may be annoying when you encounter this message, but it happens for a very good reason. By default, Joomla! allows you to log in and remain signed on to the CMS for a maximum of fifteen minutes of inactivity. Limiting a session in this way helps to prevent a lot of security issues.

If you've ever been caught short, it's tempting to extend the session time limit to a very large value. The place to make that setting is in the Global Configuration under Server. It's also possible to install an extension that disables session timing altogether. When you're developing a site, this is a simple way to prevent session timeouts.

On a live site with any amount of public traffic, though, this is a very dangerous idea. Don't be tempted. Sites that are left exposed with a long, straight path to Administrator or Superadministrator rights are something a hacker hopes to exploit. This can be as simple as someone sneaking access to a computer that doesn't belong to her or him, or it can involve more elaborate schemes of exploiting user accounts. On a Joomla! site that has gone live, we need a better plan for dealing with sessions timing out and frustrating the people working there, a plan that doesn't reduce our security settings. But what?

The answer is to install a session timer into your Joomla! administrator template. These extensions count down the remaining time in a session with a graphic or clock. When time is nearly up, they warn users that the session is nearly over and it's time to save their work. Not only does a session timer give fair warning to people editing or adding to a site, it encourages them to save their work at intervals. Everyone is a winner; everyone except for a hacker, that is.
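
The countdown behaviour described above, sketched as an added example (not code from the article or from any of the extensions it mentions). It assumes the fifteen-minute default, a hypothetical two-minute warning window, and that only requests reaching the server, such as Apply or Save, renew the session; all function names are illustrative.

```javascript
// Added example: countdown logic for an administrator session timer.
// Assumptions (not from the article): the 2-minute warning window and the
// names createSessionTimer / noteServerRequest / status / formatClock.
function createSessionTimer(lifetimeMs, warnMs, now) {
  if (!(lifetimeMs > 0) || !(warnMs >= 0) || warnMs >= lifetimeMs) {
    throw new RangeError('need 0 <= warnMs < lifetimeMs');
  }
  let lastRequest = now; // time of the last request the server saw

  return {
    // Call after a successful Apply/Save: the server-side session was
    // renewed. Once the session has expired, only a fresh login renews it.
    noteServerRequest(at) {
      if (at - lastRequest >= lifetimeMs) return false;
      lastRequest = at;
      return true;
    },
    // Typing in the editor is assumed not to reach the server, so it must
    // not reset the countdown; only noteServerRequest() does.
    status(at) {
      const remainingMs = Math.max(0, lastRequest + lifetimeMs - at);
      let state = 'ok';
      if (remainingMs === 0) state = 'expired';
      else if (remainingMs <= warnMs) state = 'warn';
      return { state, remainingMs, label: formatClock(remainingMs) };
    },
  };
}

// Render milliseconds as m:ss, rounding up so the display never shows 0:00
// while time is still left.
function formatClock(ms) {
  const totalSec = Math.ceil(ms / 1000);
  const m = Math.floor(totalSec / 60);
  const s = String(totalSec % 60).padStart(2, '0');
  return `${m}:${s}`;
}

// Constructed walk-through: log in at t=0 and edit without saving.
const MIN = 60 * 1000;
const timer = createSessionTimer(15 * MIN, 2 * MIN, 0);
console.log(timer.status(5 * MIN));          // still comfortably inside the session
console.log(timer.status(13 * MIN + 30000)); // inside the warning window
```

The timer only mirrors the server's timeout so the user knows when to save; it does not lengthen the session, so the configured limit stays in force.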

Here are links to two session timer options available from the Joomla! Extensions Directory. There are more options available in the Admin Desk section. Many template developers are releasing Administrator templates which include a session timer feature, too.

Sully Sullivan

Brian "Sully" Sullivan has been building corporate and non-profit organization websites for 10 years, and using Joomla! almost since it was new. He lives and works in the Washington, DC metropolitan area, where he is a Principal of Terrace Media Group, an independent website development firm specializing in information architecture, search engine optimization, enterprise search services and transaction data management using the Joomla! CMS.

Nice piece, Sully. It is indeed very frustrating in 1.5 to lose your work due to a timeout.

One of the improvements in 1.6 is the use of a "keep alive" method on all edit forms to prevent this problem from happening.

Developers should add this statement to the layout for their edit forms:
JHtml::_('behavior.keepalive');

This will prevent the session from timing out. This approach can be used in extensions in both 1.5 and 1.6.
VOTES:5
Sully Sullivan Monday, 06 June 2011
Great tip, Amy!
VOTES:3
Marcus Stafford Tuesday, 21 June 2011
Good idea. I might remove it before clients take delivery of the site lest they think it's some kind of virus countdown...
VOTES:0
I encourage you to leave it in, Marcus. It's just one little feature to explain to your client about the Administrator interface, and it encourages the good work habit of saving your work. (Remember, when you hit "Apply," your session renews.)

There are lots of good reasons why saving your work within the session time is helpful besides the potential for a poorly-coded Joomla! extension to time you out. For instance, once when I was writing an article someone tripped over the power cord of a desktop computer I was using and accidentally unplugged it. That of course crashed my system. Because I had been prompted to save my work by a session timer, I only lost the last two paragraphs I'd written.
VOTES:1
Thanks, it was useful
VOTES:1
Almost all my clients ask me to extend the administrator session time to avoid losing their work. So this is a very good alternative. Thanks!
VOTES:1
