If you open multiple tabs/windows on a site with Automated Logout 6.x-3.x-dev, offset by a few seconds, you won't be automatically logged out.*

The meta-tag page refreshes, offset by a few seconds and running in parallel, prevent autologout_lastaccess from exceeding the timeout.

Example with timeout=60:
t=0: Load page A in tab.
t=5: Load page B in tab.
t=60: Page A refreshes; autologout_lastaccess=5. That's less than 60 ago, so do not log user out.
t=65: Page B refreshes: autologout_lastaccess=60. That's less than 60 ago, so do not log user out.
t=120: Page B refreshes: autologout_lastaccess=65. That's less than 60 ago, so do not log user out.
...

* Well, eventually you will be, due to uneven page-loading times, but it will probably be a really long time.

Comments

threexk’s picture

Just to be clear, the second colon in both the t=65 and t=120 lines should be instead a semicolon.

Bevan’s picture

Status: Active » Closed (works as designed)

I don't believe this is the intended functionality. I believe it is supposed to disable multiple sessions across different cookie-stores — i.e. across different browsers (Firefox, Opera, Safari) on the same computer, or across different computers.

threexk’s picture

Not sure I follow. The idea of the Automated Logout module is to log you out after some period of inactivity (i.e., no page accesses), say 15 minutes. If you have two tabs open on the same site, you will never (until you're lucky) get logged out. So there is no automatic logout. This is by design?

Automatic logout prevents a user from accidentally leaving their session open and someone else using it without authorization.

threexk’s picture

To clarify, the problem I described is seen with two tabs in a single browser.

jvandervort’s picture

I definitely see the problem of course, there is no period of inactivity. The dueling tabs keep up the activity...
I'll think on this some more and see if there is something we could do about it.

It speaks to the schizophrenic design of the autologout modules.
Are they really to enforce the users being logged out for the site or
to be a convenience for the user to not leave an open session? I think people
are using it for different reasons.

You could also use the 6.x-2.x branch and disable the browser refresh to solve that particular problem as the
6.x-3.x does not have the setting to do this.

jvandervort’s picture

Status: Closed (works as designed) » Active

We should keep this open to discuss solutions.

jvandervort’s picture

Another tidbit, you can disable meta-refresh in IE and Firefox which might be useful.
Also, there is no technical way to keep users from faking activity just to avoid being logged out.

vstmusic’s picture

I want to use your module to have better security on my private website. But with this bug, I can't use it.

jvandervort’s picture

@vstmusic, Use the 6.x-2.x autologout branch and set the "Browser refresh delay" to -1. There is no solution to this using the automatic browser refresh built in to the 6.x-3.x branch.

ti2m’s picture

Took me a day to figure out why the auto logout sometimes works and sometimes doesn't. Multiple tabs of course...
Here is an idea: why not attach a flag to the url when automatically refreshing? That way you can separate real user activity and the auto refresh. Depending on that you either update $_SESSION['lastaccess'] or you subtract time() - (int)$_SESSION['lastaccess'] from the timeout. With two tabs the "faster" 1.tab would take the leftover timeout during auto refresh from the "slower" 2.tab. If the user is not active in the leftover period you get logged out at the end and both tabs even refresh (almost) at the same time.
This could be done with both the "meta-refresh" and JS. I put something together for 6.x-2.x branch. Can't supply a patch right away as I needed some other functionality with it and therefore altered the whole module but here's a snippet:

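      // Only a real user request counts as activity; a flagged refresh does not.
      if (!isset($_GET['auto'])) {
        $_SESSION['lastaccess'] = $nowtime;
      }

      $refresh = (int) _autologout_local_settings('refresh_delta');
      if ($refresh >= 0) {
        $force_refresh = $timeout + $refresh;

        $url = $_SERVER['REQUEST_URI'];
        if (isset($_GET['auto'])) {
          // Auto refresh: wait only for what is left of the timeout.
          $force_refresh -= ($nowtime - (int) $_SESSION['lastaccess']);
        }
        else {
          // Mark the next refresh; use "?" when the URL has no query string yet.
          $url .= (strpos($url, '?') === FALSE ? '?' : '&') . 'auto=true';
        }
        // REQUEST_URI is client-supplied, so escape it before writing it into the page.
        $this_header = '<meta http-equiv="refresh" content="' . $force_refresh . '; url=' . check_plain($url) . '" />';
        $this_head = drupal_set_html_head($this_header);
      }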

Any thoughts?
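
A small simulation of the two-tab timeline from the original report and of the flagged-refresh idea in the comment above, added here as an illustration; it is not code from the module or from anyone in this thread. It assumes ideal timing, one page load per tab, a refresh delta of 0, and a server that ends the session once the idle time reaches the timeout; `simulate` and its parameters are hypothetical names.

```python
import heapq


def simulate(tab_open_times, timeout, flag_auto_refresh, horizon=3600):
    """Return the time the session is logged out, or None if it survives to `horizon`.

    tab_open_times: times at which the user really loads a page, one tab each.
    flag_auto_refresh=False: every request, including a meta refresh, resets the
    last-access timestamp (the behaviour reported in this issue).
    flag_auto_refresh=True: refreshes are marked and do not count as activity
    (the proposal in the comment above).
    """
    # Queue of (time, seq, is_auto); seq keeps ordering stable when times tie.
    events = [(t, i, False) for i, t in enumerate(tab_open_times)]
    heapq.heapify(events)
    seq = len(events)
    last_access = None

    while events:
        now, _, is_auto = heapq.heappop(events)
        if now > horizon:
            return None
        if last_access is not None and now - last_access >= timeout:
            return now  # idle for a full timeout: the server ends the session
        if is_auto and flag_auto_refresh:
            # Flagged refresh: keep last_access and wait only the leftover time.
            delay = timeout - (now - last_access)
        else:
            # Counts as activity: reset the clock and wait a full timeout.
            last_access = now
            delay = timeout
        heapq.heappush(events, (now + delay, seq, True))
        seq += 1
    return None


if __name__ == "__main__":
    # Constructed input: the report's example, tabs opened at t=0 and t=5, timeout=60.
    print("unflagged, two tabs:", simulate([0, 5], 60, False))
    print("flagged, two tabs:  ", simulate([0, 5], 60, True))
    print("unflagged, one tab: ", simulate([0], 60, False))
```

With the refreshes unflagged, the two tabs keep resetting each other's clock and the session outlives the one-hour horizon; with the flag, it ends 60 seconds after the last real page load.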

johnennew’s picture

Status: Active » Closed (won't fix)

This feature is properly supported in the 4 versions of autologout. Please try updating to 7.x-4.1 or 6.x-4.1