Auto-logout after x Not working

SYSTEM INFORMATION
OS type and version Ubuntu Linux 22.04.5
Webmin version 2.402

I have auto-logout after <60> minutes of inactivity enabled but it does not work.
I’ve gone away for hours and come back to find the session still logged in.

Webmin and the server have been rebooted.

Maybe a bug, did you logout and login after changing that setting?

P.S. I set it to 1 minute (restarted Webmin) and logged out and logged in and no auto logout, seems like a bug.

@Jamie, do you want to address the issue with socket connections and auto-logouts? The get_logout_time function keeps getting triggered because the session is being checked constantly by the stats.pl server.

Hmm… Works for me. I have a long time out because I don’t want stray sessions open. I am running the Virtualmin version. Could certain browsers be doing keep alives? I’m using Opera.

What URL is it calling? We could exclude that from the resetting of the last active time..

URL? stats.pl is not calling any URLs.

How is stats.pl triggering the session refresh then??

I mean, I thought an open WebSocket connection does.

Remind me again how stats.pl uses websockets?

There, have a look at this code:

I don’t see anything in there that would reset the logout session timer, as that’s entirely in miniserv.pl

@chris.j76 Do you see this issue if you simply close the browser (with an authenticated session), compared to keeping the browser open?

And an open WebSocket connection will never time out until it’s closed because control frames are sent every 10 or 20 seconds to keep it alive.

You can test this by setting the session timeout to 1 minute, disabling real-time monitoring in “Theme Configuration: Dashboard and real-time monitoring” by setting “Enable real-time monitoring” to “No,” restarting Webmin, and then opening the Terminal module—you’ll see keep-alive ping/pong frames every 20 seconds, whether you’re using the Terminal module or not, and code around get_logout_time will get triggered!

@chris.j76 After looking into it more, I think everything is working as expected! For the connection to time out when a WebSocket connection is established, you just need to close the browser tab.

With Opera, I let the system shut it down at night. This keeps me from having to log back into the forum. The captcha is a PITA so I like to avoid it. If time isn’t expired, I’m still logged into WM/VM. If it has, I get a re-authentication notification.

@Ilia Thanks for the information, I’ll just have to make sure the browser tab is closed.

The other issue is two-factor authentication enabled with provider TOTP.

I have 2 accounts:
Root and my account Chris.
The root token will work for the Chris account and vice versa. Kinda defeats the purpose of MFA if any token will work.

But get_logout_time only returns a time that is compared with the last activity in the session DB, and that’s only updated when a new HTTP request is made. An existing websockets session shouldn’t trigger it ..

When the connection is upgraded and handle_websocket_request is called, it will keep sending that verify command every 10 seconds or so—there’s no need for an HTTP request…

Oh right I forgot about that! So yeah, in this case the session time will be updated as long as the browser has a Webmin window open.

I suppose then the question becomes what do we consider “activity”? Actual intentional operations like navigating around in the browser, or just having a page open?

Well, that’s a good question—intention is to receive stats from the socket and update the page without reloading.

Currently, we stop collecting data from the socket when the page is not focused, which means the page is not updated. However, we do not close the socket. Closing the socket every time a user loses focus on the browser can have negative effects.
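
The behaviour discussed in this thread, as an added Python sketch that is not Webmin's miniserv.pl code and not from any poster: a toy session table whose idle check either counts the periodic WebSocket verify as activity or counts only HTTP requests. The class and function names, the session ID, the 10-second interval and the 60-second limit are assumptions chosen to match the numbers mentioned above.

```python
from dataclasses import dataclass

KEEPALIVE_INTERVAL = 10  # seconds between WebSocket verify calls (assumed, per the thread)

@dataclass
class Session:
    last_active: float  # seconds, as a session DB would store it

class SessionTable:
    """Toy model of an idle-timeout check (hypothetical, not miniserv.pl)."""

    def __init__(self, logout_time, count_keepalive):
        self.logout_time = logout_time          # idle limit in seconds
        self.count_keepalive = count_keepalive  # does a keep-alive count as activity?
        self.sessions = {}

    def login(self, sid, now):
        self.sessions[sid] = Session(last_active=now)

    def verify(self, sid, now, kind):
        """Return True if the session is still valid at `now`.
        kind is 'http' (user-driven request) or 'ws' (keep-alive verify)."""
        s = self.sessions.get(sid)
        if s is None:
            return False
        if now - s.last_active > self.logout_time:
            del self.sessions[sid]  # idle too long: expire the session
            return False
        if kind == "http" or self.count_keepalive:
            s.last_active = now     # this is the step that defeats the idle timer
        return True

def simulate(count_keepalive, logout_time=60, idle_for=3600):
    """User logs in at t=0, then leaves a tab open with a live WebSocket.
    Returns the time the session expires, or None if it survives idle_for."""
    table = SessionTable(logout_time, count_keepalive)
    table.login("sid-constructed", now=0)
    for t in range(KEEPALIVE_INTERVAL, idle_for + 1, KEEPALIVE_INTERVAL):
        if not table.verify("sid-constructed", now=t, kind="ws"):
            return t
    return None

if __name__ == "__main__":
    print("keep-alive counts as activity:", simulate(True))
    print("only HTTP requests count:", simulate(False))
```

With the keep-alive counted, the session outlives an hour of inactivity; with only HTTP requests counted, the first verify after the 60-second limit ends it.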