
Answered

Session timeout

Asked 27 Oct 2016 09:39:21
27 Oct 2016 09:39:21 David Woolley posted:
I thought I had login & logout security all working using the Server Connect Security Provider & the Security Enforcer, but I notice that if a user does not logout properly, the restricted page is still accessible a few days later without having to login. Browser was closed in the meantime of course.

php.ini seems to have all the correct Session settings, so why is the session not being destroyed after 24 minutes?

session.gc_maxlifetime = 1440
session.gc_probability = 1
session.gc_divisor = 1000
session.cookie_lifetime = 0

Testing locally with XAMPP & DW CS6.

Replies

Replied 27 Oct 2016 09:52:09
27 Oct 2016 09:52:09 Teodor Kuduschiev replied:
Hello David,
What do you mean by - "if a user does not logout properly"? There is only one way to log out ... clicking the logout button, which runs the logout action.

If you have the remember me checkbox checked, when you close your browser and open it again, you are still logged in.
If the remember me checkbox is not checked, when you close the browser and open it again you are not logged in.
Replied 27 Oct 2016 09:55:39
27 Oct 2016 09:55:39 Teodor Kuduschiev replied:
Of course you can set the cookie expiration period in the security provider options:

Replied 27 Oct 2016 10:28:14
27 Oct 2016 10:28:14 David Woolley replied:
Hi Teodor - there's always the possibility that a user will forget to logout, and close the browser.
Usually the session timeout would take care of this.

I'm not using a 'Remember Me' checkbox field in my custom login form.
By the way, your latest Security Provider videos don't use a Remember Me checkbox in the custom login form.
So the cookie expiration time does not apply.

So it seems like I should use a 'Remember Me' field to alleviate this problem. Perhaps I should hide this field and set the value to 0 so users can't select this - in other words, always OFF.

Dave
Replied 27 Oct 2016 10:31:57
27 Oct 2016 10:31:57 Teodor Kuduschiev replied:
It doesn't matter if the videos show it or not ... you can choose whether to use it or not.
If the remember me is not set, the cookie is destroyed when the browser session ends.
Replied 27 Oct 2016 12:13:27
27 Oct 2016 12:13:27 David Woolley replied:
I've added a 'remember_me' checkbox to my custom login form.
<input type="checkbox" name="remember_me" id="remember_me">

Server Connect:
Server action: dbUser
Added $_POST.remember_me to Globals
Security Provider > Advanced > Set Cookie Expiration to 7 days
Added $_POST.remember_me to Security Login Remember field using SC Data Bindings pickup

What else should I do? Something obvious I'm sure!

If I login with Remember Me checked, then logout, the login page does not retain my username & password.
Replied 27 Oct 2016 12:27:58
27 Oct 2016 12:27:58 Teodor Kuduschiev replied:
I am not sure you understand how the remember me option works.

Quote: If I login with Remember Me checked, then logout, the login page does not retain my username & password.


This is exactly how it is supposed to act.

Remember me option does not save your username and password in the form. This is controlled by your browser.

Remember me option keeps the login cookie, when you end the browser session, so you don't have to login again to access restricted pages. It keeps you logged in.
Of course when you log out the remember me function won't keep the cookie, as it is destroyed on log out ...
Replied 27 Oct 2016 13:43:02
27 Oct 2016 13:43:02 David Woolley replied:
Thanks Teodor - I was confused by the browser remembering passwords.
Now I understand (I think).

Is my setup above OK? Anything else to do?

Dave
Replied 27 Oct 2016 14:01:58
27 Oct 2016 14:01:58 Teodor Kuduschiev replied:
It looks fine.
Remember me is just a function which keeps your cookie. We don't do anything related to saving form data - this is all browser related.
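
Added example, not part of the thread and not DMXzone Security Provider code: the php.ini values in the question only make session data eligible for garbage collection, which with gc_probability/gc_divisor of 1/1000 runs on roughly one in a thousand session starts, so a strict idle timeout has to be checked by the application on every request. The code assumes plain PHP sessions; `IDLE_LIMIT`, `enforce_idle_timeout`, `login.php` and the `user_id` / `last_activity` keys are hypothetical names.

```php
<?php
// Added example: generic PHP session handling, not the Security Provider's own code.
// All names below (IDLE_LIMIT, enforce_idle_timeout, session keys) are hypothetical.

const IDLE_LIMIT = 1440; // seconds, same value as session.gc_maxlifetime in the question

/**
 * Returns true if the login is still within the idle limit and refreshes the
 * activity stamp; returns false and clears the login state otherwise.
 */
function enforce_idle_timeout(array &$session, int $now, int $limit = IDLE_LIMIT): bool
{
    if (!isset($session['user_id'])) {
        return false;                         // nobody is logged in
    }
    $last = $session['last_activity'] ?? 0;   // a missing stamp counts as expired
    if ($now - $last > $limit) {
        $session = [];                        // drop all login state
        return false;
    }
    $session['last_activity'] = $now;         // sliding window, reset on each request
    return true;
}

if (PHP_SAPI !== 'cli') {
    // Web request: run this at the top of every restricted page.
    session_start();
    if (!enforce_idle_timeout($_SESSION, time())) {
        session_unset();
        session_destroy();                    // remove server-side data immediately
        header('Location: login.php');        // hypothetical login page
        exit;
    }
} else {
    // Command line: exercise the check with constructed sample data.
    $t0 = 1477561161;                         // constructed timestamp
    $s  = ['user_id' => 7, 'last_activity' => $t0];
    var_dump(enforce_idle_timeout($s, $t0 + 600));         // 10 minutes idle
    var_dump(enforce_idle_timeout($s, $t0 + 600 + 1441));  // just past the limit
    var_dump($s);                                          // login state afterwards
}
```

This check covers the PHP session only; a persistent login cookie with its own expiration period is a separate credential and needs its own lifetime limit.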
