
Ka of Isis - ExpressionEngine, the content management system

ExpressionEngine and Control Panel sessions

26 April, 2011 | Filed under “ExpressionEngine”

Note: This work centers on ExpressionEngine 1.6.9 Core.

When you are logged in as an administrator in ExpressionEngine’s Control Panel and leave it inactive for more than one hour, you are automatically logged out and need to re-key your Username and Password to re-enter. Great for security but an irritation overall.

It is not immediately obvious how, or whether at all, you can change the 60-minute session. In Joomla, for instance, you can change the default 15-minute Session Lifetime under Site > Global Configuration > System. Searching the ExpressionEngine (EE) forum may surface the following exchange between a user and EE support:

Question: Is there a way I can set the timeout interval on the Control Panel?

Answer: The easiest thing to do is to set yourself up for just plain Cookies instead of Cookies and Sessions.

To do that, go:

Admin > System Preferences > Security and Session Preferences

and change Control Panel Session Type from Cookies and session ID to Cookies only. Leave User Session Type at the default Cookies only.

Depending on your system, this may or may not have an impact on security. If you work on localhost and/or are in full control of the computer/browser, Cookies only will be fine. If you share the computer, think twice.

Quoting EllisLab, there are three validation types for EE sessions:

1. User cookies and session ID

This is the most secure way to run a site. Three cookies are set:

All three cookies expire when you close your browser or when you have been inactive longer than two hours (one hour in the control panel). Using this setting does not allow ‘stay logged-in’ capability, as each session has a finite lifespan.

2. Cookies only – no session ID

With this validation type, a session is not generated, therefore users can remain permanently logged in. This setting is obviously less secure because it does not provide a safety net if you share your computer or access your site from a public computer. It relies solely on the password/unique_id cookies.

3. Session ID only

Most compatible as it does not rely on cookies at all. Instead, a URL query string ID is used. No stay-logged-in capability. The session will expire after one hour of inactivity, so in terms of security, it is preferable to number 2.

Note: The control panel and public pages can each have their own session preference. End quote.

Of course, the word “easiest” in the answer above triggered my imagination, and I went on a quest for the Control Panel default session length. I found it in:

system > core > core.session.php

in line no. 64:

var $cpan_session_len = 3600; // Admin sessions expire in one hour

As noted on other occasions, you may have renamed your EE system folder. If this is the case, only you know where to look.

Change the 3600 (and that is milliseconds) to whatever suits your working habits. Save the file. If you have the Control Panel open, log out and then in again for the change to take effect.
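To make the three validation types and the cpan_session_len rule concrete, here is a small Python model added for this post; it is not ExpressionEngine's own code. It compares Unix timestamps in seconds (as PHP's time() does), and the session IDs, member IDs, timestamps and the sliding-window refresh of last_activity are constructed assumptions for the model, not quotations from core.session.php.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Default from system/core/core.session.php: Admin sessions expire in one hour.
# Compared against Unix timestamps, so the unit is seconds.
CPAN_SESSION_LEN = 3600


@dataclass
class SessionRecord:
    session_id: str
    member_id: int
    last_activity: int  # Unix time of the last request that used this session (constructed)


def session_is_fresh(record: SessionRecord, now: int, session_len: int = CPAN_SESSION_LEN) -> bool:
    """Idle-timeout rule: valid only if the last activity lies within session_len seconds."""
    return (now - record.last_activity) <= session_len


def check_login(session_type: str, now: int, cookies: Dict[str, str], query_sid: Optional[str],
                sessions: Dict[str, SessionRecord], session_len: int = CPAN_SESSION_LEN) -> Tuple[bool, str]:
    """Model of the Control Panel validation types:
    'cs' = cookies and session ID, 'c' = cookies only, 's' = session ID only."""
    if session_type == 'c':
        # No server-side session record exists, so nothing ever expires: access stands
        # as long as the unique_id/password cookies are presented (permanently logged in).
        ok = 'unique_id' in cookies and 'password' in cookies
        return ok, ('cookies only: no idle timeout' if ok else 'missing cookies')
    # 'cs' reads the ID from a cookie; 's' reads it from the URL query string.
    sid = cookies.get('sessionid') if session_type == 'cs' else query_sid
    record = sessions.get(sid) if sid else None
    if record is None:
        return False, 'no session record for the presented ID'
    if session_type == 'cs' and 'unique_id' not in cookies:
        return False, 'session ID presented without the matching cookies'
    if not session_is_fresh(record, now, session_len):
        sessions.pop(sid)  # expired: drop the record so the ID cannot be reused
        return False, f'idle for more than {session_len} s'
    record.last_activity = now  # sliding window (assumed): activity extends the session
    return True, 'valid'


if __name__ == '__main__':
    t0 = 1_300_000_000  # constructed timestamp
    store = {'abc': SessionRecord('abc', 1, t0)}
    jar = {'unique_id': 'u1', 'password': 'p1', 'sessionid': 'abc'}
    print(check_login('cs', t0 + 3601, jar, None, store))        # logged out after one idle hour
    print(check_login('c', t0 + 3 * 86400, jar, None, {}))       # still logged in three days later
```

Raising the 3600 in the call (or in core.session.php) widens the window that an unattended, logged-in Control Panel stays open, which is exactly the trade-off the next paragraph warns about.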

All things considered, if you do not log out of the Control Panel when you leave the computer, a default one hour session still leaves ample time for prying eyes and itchy fingers to enter and wreak havoc.

I log out now.
