Idle Session Logout (ISL) and Authentication Cookie Expiration (ACE)

AITpro Admin (Keymaster), post #23322

    Idle Session Logout|Auth Cookie Expiration Question Mark button help text

    Forum Help Links: ISL and ACE Forum Topic

Idle Session Logout (ISL) General Info:
Idle Session Logout (ISL) can be considered a “soft” setting vs ACE being a “hard” setting: ISL runs as JavaScript in the User's Browser, so it can only act while the page is open, whereas ACE is enforced by the expiration time of the WordPress Authentication Cookie and takes effect whether or not the Browser is still open. ISL uses JavaScript Event Listeners to monitor User activity for these ISL events: a keyboard key is pressed, a mouse button is pressed, the mouse is moved, the mouse wheel is rolled up or down, a finger is placed on the touch surface/screen, and a finger already on the screen is moved across it.

If you set the Idle Session Logout Time to 60 minutes and the User is idle/inactive for 10 minutes and then becomes active again, the Idle Session Logout timer is reset and starts counting 60 minutes again. If a User is idle/inactive for 60 continuous minutes then that User will be automatically logged out of the site and redirected to the BPS Idle Session Logout Page.

When an idle/inactive User is logged out of the site they are redirected to the BPS Idle Session Logout Page URL if their Browser is still open. If the User's Browser is still open but the User is on another Browser tab, the tab where they are logged into your site is redirected to the BPS Idle Session Logout Page URL. If the User has closed their Browser without logging out of your site then that User will not be logged out of your site, because the ISL JavaScript is no longer running. You can use ACE to log Users out of your site whether or not they have closed their Browser. Idle Session Logouts are logged in the BPS Security Log file.
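The client-side mechanism described above, as an added example that is not BPS code: a minimal idle monitor that registers the six ISL event types on the document, restarts the full interval on any activity, and fires a logout callback when the interval expires without activity. It also covers the edge cases the option text below describes: a blank Idle Session Logout Time disables ISL, a value of 0 logs the User out at once (the "log everyone out" case from the FAQ), and a page whose URI path is in the exclusion list gets no listeners at all. The event names, function names, settings shape, and the virtual clock and fake document used to replay a scenario offline are this example's assumptions, not the plugin's.

```javascript
// Added example, not BPS code: a minimal Idle Session Logout monitor that reproduces
// the behaviour described above. Event names, function names and the virtual clock /
// fake document used to exercise it offline are this example's own.

const ISL_EVENTS = ['keydown', 'mousedown', 'mousemove', 'wheel', 'touchstart', 'touchmove'];

// Blank disables ISL; "0" means log out immediately; anything non-numeric is an error.
function parseIdleMinutes(raw) {
  const s = String(raw ?? '').trim();
  if (s === '') return null;
  if (!/^\d+$/.test(s)) throw new Error('Idle Session Logout Time must contain digits only');
  return Number(s);
}

// Exclusions are URI paths (everything after the domain), compared exactly.
function isExcludedUri(pathname, excludeUris) {
  return excludeUris.map(e => e.trim()).filter(Boolean).includes(pathname);
}

// doc: anything with add/removeEventListener (the real document in a browser).
// timers: setTimeout/clearTimeout, injectable so the monitor can be tested without a browser.
function createIdleMonitor({ doc, pathname, idleMinutes, excludeUris = [], onLogout,
                             timers = { set: setTimeout, clear: clearTimeout } }) {
  const minutes = parseIdleMinutes(idleMinutes);
  if (minutes === null || isExcludedUri(pathname, excludeUris)) {
    return { active: false, stop() {} };          // nothing is installed on this page
  }
  const timeoutMs = minutes * 60 * 1000;
  let handle = null;
  let loggedOut = false;
  const detach = () => ISL_EVENTS.forEach(ev => doc.removeEventListener(ev, reset));
  function logout() {
    loggedOut = true;
    detach();                                     // later activity must not revive the session
    onLogout();                                   // the plugin logs out and redirects to the ISL page here
  }
  function reset() {
    if (loggedOut) return;
    if (handle !== null) timers.clear(handle);
    handle = timers.set(logout, timeoutMs);       // any activity restarts the full interval
  }
  // Listeners sit on the top-level document: activity inside an editor iframe
  // (TinyMCE's Visual tab) is dispatched in that frame and never reaches them.
  ISL_EVENTS.forEach(ev => doc.addEventListener(ev, reset, { passive: true }));
  reset();                                        // with 0 minutes this fires at once
  return { active: true, stop() { if (handle !== null) timers.clear(handle); detach(); } };
}

// Constructed stand-ins so the monitor can run under Node with no browser or real clock.
function createVirtualTimers() {
  let now = 0, nextId = 1;
  const pending = new Map();                      // id -> { at, fn }
  return {
    set(fn, ms) { pending.set(nextId, { at: now + ms, fn }); return nextId++; },
    clear(id) { pending.delete(id); },
    advanceTo(t) {                                // fire due timers in time order, then settle at t
      for (;;) {
        const due = [...pending.entries()].filter(([, p]) => p.at <= t).sort((a, b) => a[1].at - b[1].at)[0];
        if (!due) break;
        pending.delete(due[0]);
        now = due[1].at;
        due[1].fn();
      }
      now = t;
    },
    get now() { return now; },
  };
}
function createFakeDocument() {
  const listeners = new Map();                    // event type -> Set of handlers
  return {
    addEventListener(type, fn) { if (!listeners.has(type)) listeners.set(type, new Set()); listeners.get(type).add(fn); },
    removeEventListener(type, fn) { if (listeners.has(type)) listeners.get(type).delete(fn); },
    dispatch(type) { for (const fn of [...(listeners.get(type) ?? [])]) fn({ type }); },
    listenerCount() { let n = 0; for (const set of listeners.values()) n += set.size; return n; },
  };
}

// Replays [minute, eventType] activity and reports the minute at which logout fired (null = never).
function runScenario({ idleMinutes, activity = [], pathname = '/wp-admin/', excludeUris = [] }) {
  const timers = createVirtualTimers();
  const doc = createFakeDocument();
  let logoutAtMinute = null;
  const monitor = createIdleMonitor({
    doc, pathname, idleMinutes, excludeUris, timers,
    onLogout: () => { logoutAtMinute = timers.now / 60000; },
  });
  for (const [minute, type] of activity) {
    timers.advanceTo(minute * 60000);
    doc.dispatch(type);
  }
  const last = activity.length ? activity[activity.length - 1][0] : 0;
  timers.advanceTo((last + 24 * 60) * 60000);     // then leave the user idle for a day
  return { active: monitor.active, logoutAtMinute, listenersLeft: doc.listenerCount() };
}

// 60-minute ISL, one mouse move at minute 10: logout at minute 70, listeners removed.
// runScenario({ idleMinutes: '60', activity: [[10, 'mousemove']] })  -> { active: true, logoutAtMinute: 70, listenersLeft: 0 }
```

In a real page you would call createIdleMonitor with document and window.location.pathname and, in onLogout, hit the site's logout endpoint and then redirect to the ISL page URL; runScenario exists only to show the timing rules deterministically. Note the two properties that make this a "soft" control: the timer lives in the page, so closing the tab stops it, and listeners on the top-level document do not see events raised inside a cross-frame editor.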

    After making any option setting changes click the Save Options button to save your new option settings. To reset ISL option settings back to the default ISL option settings, delete any custom values/entries you have entered in any text/textarea boxes and click the Save Options button.

    Turn On|Turn Off:
    ISL is Turned Off by default. Select ISL On to turn ISL On. Select ISL Off to turn ISL Off.

    Idle Session Logout Time in Minutes:
Enter the time in minutes after which an idle/inactive User should be logged out of your site. Example: Entering 60 will automatically log out Users who have been idle/inactive for 60 continuous minutes. Only enter numbers and not any other characters. If you accidentally enter a blank value for the Idle Session Logout Time then ISL will be disabled automatically.

    Idle Session Logout Page URL:
When an idle/inactive User is logged out of your site they are redirected to the BPS Idle Session Logout Page URL by default. You can choose to redirect logged out Users to any URL that you want by entering the URL in this text box. Example: If you enter the URL path to your WP Login page then Users will be redirected to your WP Login page instead of the default BPS Idle Session Logout Page.

    Idle Session Logout Page Login URL:
This option displays a clickable Login URL/link to your WP Login page. If your Login page URL is different from the default URL displayed in the Idle Session Logout Page Login URL text box then change it to the URL of your site's Login page. If you do not want a Login URL/link displayed, enter “No” (without quotes).

    Idle Session Logout Exclude URLs|URIs:
This option allows you to exclude any pages or posts that you do not want ISL to check/monitor. Important: The URI path is everything after the root portion of your domain URL. Example: If the page/post you want to exclude is here: http://www.example.com/some-post/ then the URI Exclusion that you would enter is: /some-post/. If the page/post you want to exclude is here: http://www.example.com/category/some-post/ then the URI Exclusion that you would enter is: /category/some-post/.

    Idle Session Logout Page Custom Message:
    You can either use the default BPS ISL message/text by leaving the textarea box blank or you can enter your own custom ISL message/text in this textarea box that you want displayed to logged out users. Your custom message will be displayed on the default BPS ISL Logout page unless you choose to redirect users to a different URL/link using the Idle Session Logout Page URL option setting.

    Idle Session Logout Page Custom CSS Style:
    You can either use the default BPS CSS Style code or enter your own custom CSS Style customizations.

Encryption|Decryption ModSecurity CRS Bypass:
ModSecurity with the OWASP Core Rule Set (CRS) is a web application firewall installed on some web hosts. ModSecurity CRS sees the legitimate CSS code in the option settings as malicious and blocks the request, which prevents you from saving your option settings. When trying to save your option settings you may see an error message, you may be redirected to your website Home page, nothing may happen, or you may see other problems. To bypass ModSecurity CRS click the Encrypt ISL Code button before clicking the Save Options button. Your option settings are encrypted in the POST Form submission and then decrypted in the Form processing code, so they are only encrypted temporarily, during Form submission, to get past ModSecurity CRS detection; the saved settings are not affected and ModSecurity itself is not changed or disabled. The Decrypt ISL Code feature was added as an additional user friendly convenience feature. It allows you to decrypt your CSS code in real time if you already clicked the Encrypt ISL Code button. You can then continue editing your CSS code and click the Encrypt ISL Code button again when you are done editing. Important: do not forget to click the Encrypt ISL Code button before clicking the Save Options button.

    User Account Exceptions:
    To create exceptions for User Account names enter User Account names (case-insensitive) separated by a comma and a space: johnDoe, janeDoe. ISL will be turned Off/disabled for any User Account names that you add in this text box. User Account Exceptions override the User Roles option setting. Example: If johnDoe is an Administrator and you have enabled ISL for the Administrator User Role and you have added johnDoe in the User Account Exceptions text box then the johnDoe User Account Exception will override the Administrator User Role option setting and ISL will still be disabled for the johnDoe User Account. It is recommended that you add your User Account name, but if you also want to be automatically logged out when your User Account is idle/inactive then do not add your User Account name.

    Enable|Disable Idle Session Logouts For These User Roles:
    Checking a User Role checkbox will enable ISL for all Users with that User Role (See User Account Exceptions). Unchecking a User Role checkbox will disable ISL for all Users with that User Role. Example: If you only check the Subscriber checkbox then ISL will only be enabled for Users that are Subscribers. If your website is using/has Custom User Roles, your Custom User Roles will be displayed in a scrollable box below the standard WP User Roles: Administrator, Editor, Author, Contributor, Subscriber.

    Enable|Disable Idle Session Logouts For TinyMCE Editors:
    Please read all of the TinyMCE Editor Important Notes below. Checking the Enable|Disable ISL For TinyMCE Editor checkbox will disable ISL for any/all pages that have a TinyMCE Editor on them.

    TinyMCE Editor Important Notes:

    ISL and TinyMCE javascript Event Listeners:
ISL uses JavaScript Event Listeners to monitor User activity for these ISL events: a keyboard key is pressed, a mouse button is pressed, the mouse is moved, the mouse wheel is rolled up or down, a finger is placed on the touch surface/screen, and a finger already on the screen is moved across it. The TinyMCE Editor also uses JavaScript Event Listeners in its Visual Editor window. ISL can monitor User activity in the Text tab Editor window and on the Editor Toolbar buttons or menus for any of the ISL events listed above, but cannot monitor any User activity inside the TinyMCE Visual tab Editor window.

    TinyMCE Editor on WordPress Post, Page and Comments pages:
This example uses an Idle Session Logout Time of 60 minutes. Suppose the User types content/text for 60 continuous minutes in the WordPress Post, Page or Comments TinyMCE Visual Editor window, does not click or move the mouse outside the Visual Editor window during those 60 minutes, and the Enable|Disable ISL For TinyMCE Editor checkbox is not checked. ISL cannot see the typing inside the Visual Editor window, so the timer expires and the User sees the native WP Confirm Navigation alert popup window with buttons to either Leave this Page or Stay on this Page. Clicking the Stay on this Page button resets the ISL timer to 60 minutes and the User does not lose any content/text.

    TinyMCE Editor Instances used in other plugins and themes:
If another plugin or theme uses instances of the TinyMCE Editor (for example the BPS Maintenance Mode MMode Editor TinyMCE Editor instance), then under the same conditions described above for the WordPress Post, Page and Comments TinyMCE Visual Editor the User will not see the native WP Confirm Navigation alert popup window: the User will be logged out automatically and the User's content/text will not be saved. If you are using TinyMCE Editor Instances in another plugin or theme that Users can use to add/edit content/text and you do not want to risk a User being logged out and losing their content/text, check the Enable|Disable ISL For TinyMCE Editor checkbox to disable ISL on any pages that contain a TinyMCE Editor Instance.

    Auth Cookie Expiration (ACE) General Info:
The WordPress Authentication Cookie Expiration (ACE) time can be considered a “hard” setting vs ISL being a “soft” setting. If you set the Cookie Expiration to 60 minutes then 60 consecutive minutes after a User has logged in, that User will be logged out automatically whether that User is idle/inactive or not. The WordPress Authentication Cookie Expiration time is set when a User logs in. The default WordPress Authentication Cookie Expiration time is 2880 minutes (2 days), or 20160 minutes (14 days) if a User checks the Remember Me checkbox when they log in. The WordPress Authentication Cookie Expiration time is set/reset each time a User logs in. So if a User logs out and then logs back into the site, the Cookie Expiration time for that User is set again to whatever Auth Cookie Expiration Time you chose, or to the WordPress default Cookie Expiration time if ACE is turned Off.

    Turn On|Turn Off:
    ACE is Turned Off by default. Select ACE On to turn ACE On. Select ACE Off to turn ACE Off.

    Auth Cookie Expiration Time in Minutes:
Enter the time in minutes after which a User should be logged out of your site. Example: Entering 720 will automatically log out Users who have been logged in for 720 consecutive minutes/12 hours. Only enter numbers and not any other characters. If you accidentally enter a blank value for the Auth Cookie Expiration Time or Remember Me Auth Cookie Expiration Time then ACE will use the default WordPress Authentication Cookie Expiration time.

    Remember Me Auth Cookie Expiration Time in Minutes:
Enter the time in minutes after which a User should be logged out of your site when the User has checked the Remember Me checkbox on the WordPress Login page. Example: Entering 720 will automatically log out Users who have been logged in for 720 consecutive minutes/12 hours. Only enter numbers and not any other characters. If you accidentally enter a blank value for the Auth Cookie Expiration Time or Remember Me Auth Cookie Expiration Time then ACE will use the default WordPress Authentication Cookie Expiration time.

    Enable|Disable Remember Me Checkbox:
    Checking the Disable & do not display the Remember Me checkbox option will disable and not display the Remember Me checkbox for everyone including you. If you want to set and control the WordPress Remember Me setting then use the Remember Me Auth Cookie Expiration Time in Minutes option setting instead and choose an amount of time you would like to use for the Cookie expiration time.

    User Account Exceptions:
    To create exceptions for User Account names enter User Account names (case-insensitive) separated by a comma and a space: johnDoe, janeDoe. Auth Cookie Expiration Time settings will not be applied to any User Account names that you add in this text box and these User Accounts will instead use the default WordPress Authentication Cookie Expiration time. User Account Exceptions override the User Roles option setting. Example: If johnDoe is an Administrator and you have enabled ACE for the Administrator User Role and you have added johnDoe in the User Account Exceptions text box then the johnDoe User Account Exception will override the Administrator User Role option setting and the johnDoe User Account will use the default WordPress Authentication Cookie Expiration time. It is recommended that you add your User Account name, but if you also want to be automatically logged out for the Auth Cookie Expiration time that you choose then do not add your User Account name.

    Enable|Disable Auth Cookie Expiration Time For These User Roles:
    Checking a User Role checkbox will apply the Auth Cookie Expiration Time that you choose for all Users with that User Role (See User Account Exceptions). Unchecking a User Role checkbox will apply the default WordPress Authentication Cookie Expiration time for all Users with that User Role. Example: If you only check the Subscriber checkbox then ACE will only apply the Auth Cookie Expiration Time setting that you choose for Users that are Subscribers. If your website is using/has Custom User Roles, your Custom User Roles will be displayed in a scrollable box below the standard WP User Roles: Administrator, Editor, Author, Contributor, Subscriber.
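The eligibility rule that the ISL and ACE sections above share (User Account Exceptions override the User Roles checkboxes, names compared case-insensitively, entries separated by a comma), together with the cookie lifetime ACE would hand back, as an added example that is not BPS code. In WordPress itself the lifetime decision is made once, inside the auth_cookie_expiration filter that runs when the cookie is set at login, which is why a changed setting only affects later logins; this example models that decision as a pure function so the precedence rules can be checked offline. The function names, the settings object shape, the use of lowercase WordPress role slugs on the user object, and the choice to enforce a disabled Remember Me checkbox server-side are this example's assumptions, not a description of the plugin's internals.

```javascript
// Added example, not BPS code: models the eligibility rule shared by ISL and ACE
// ("User Account Exceptions override User Roles", names case-insensitive) and the
// auth cookie lifetime ACE would return to WordPress at login.
// Function names and the shape of the settings objects are this example's own.

const DAY_SECONDS = 86400;
// WordPress core defaults, i.e. the $length WordPress passes to its auth_cookie_expiration filter.
const WP_DEFAULT_SECONDS = 2 * DAY_SECONDS;            // 2880 minutes
const WP_DEFAULT_REMEMBER_SECONDS = 14 * DAY_SECONDS;  // 20160 minutes

// "johnDoe, janeDoe" -> ['johndoe', 'janedoe']; tolerates missing spaces and stray commas.
function parseExceptions(raw) {
  return String(raw ?? '').split(',').map(s => s.trim().toLowerCase()).filter(Boolean);
}

// Blank or non-numeric minutes -> null, so the caller falls back to the WordPress default.
function parseMinutesOrNull(raw) {
  const s = String(raw ?? '').trim();
  return /^\d+$/.test(s) ? Number(s) : null;
}

// settings: { enabled, exceptions: 'a, b', roles: ['Administrator', ...] }  (checked role boxes)
// user:     { login: 'johnDoe', roles: ['administrator'] }  (assumption: WordPress role slugs)
// Exceptions are checked first, so an excepted user is never covered by a role checkbox.
function featureAppliesTo(user, settings) {
  if (!settings.enabled) return false;
  if (parseExceptions(settings.exceptions).includes(user.login.toLowerCase())) return false;
  const checked = new Set((settings.roles ?? []).map(r => r.toLowerCase()));
  return user.roles.some(r => checked.has(r.toLowerCase()));
}

// ISL: whether the idle-logout script should be loaded for this user's session at all.
function shouldLoadIsl(user, isl) { return featureAppliesTo(user, isl); }

// ACE: the cookie lifetime in seconds. WordPress evaluates this once, when the cookie is
// set at login, which is why a changed setting only affects later logins.
// ace: { enabled, exceptions, roles, minutes, rememberMinutes, disableRememberMe }
function authCookieLifetimeSeconds(user, rememberMe, ace) {
  // A removed checkbox is enforced here, server-side, so a hand-built POST carrying
  // rememberme=forever still cannot obtain the 14-day default (example design choice).
  const remember = ace.disableRememberMe ? false : Boolean(rememberMe);
  const wpDefault = remember ? WP_DEFAULT_REMEMBER_SECONDS : WP_DEFAULT_SECONDS;
  if (!featureAppliesTo(user, ace)) return wpDefault;                    // excepted, or role not checked
  const minutes = parseMinutesOrNull(remember ? ace.rememberMinutes : ace.minutes);
  return minutes === null ? wpDefault : minutes * 60;                     // blank -> WordPress default
}
```

Whatever returns from authCookieLifetimeSeconds is what a plugin would hand back from the auth_cookie_expiration filter; because WordPress calls that filter only when it sets the cookie, already-issued cookies keep the lifetime they were issued with until the User logs in again, which is the "Yes and No" answer in the FAQ below.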

    General Questions & FAQ

    Do Idle Session Logout (ISL) or Auth Cookie Expiration (ACE) affect all website visitors to your website?
The Idle Session Logout (ISL) JavaScript code is only loaded if a User is logged into your website (depending on your ISL option settings for User Accounts/Roles) and is specific to that User's Browser/Client Browser and Login Session. Auth Cookie Expiration (ACE) only changes the expiration time of the WordPress Authentication Cookie that is set when a User logs into your website. Visitors who are not logged into your website are not affected in any way by ISL or ACE.

    Can Idle Session Logout (ISL) be used to log all Users out of a site?  Can ISL be used to prevent anyone from logging into a site?
Yes. If you set the Idle Session Logout Time in Minutes to 0 then this will log out all logged in Users and also log out a User as soon as they log in. CAUTION: If you do NOT enter your User Account name in the ISL User Account Exceptions text box then you will also be logged out of the site and will not be able to log in to the site. If you accidentally lock yourself out of your site then use the BPS Pro XTF tools Turn Off|Deactivate Idle Session Logout (ISL) XTF Form option if you have BPS Pro installed. For BPS free, use FTP or your web host control panel file manager and edit the /bulletproof-security/bulletproof-security.php file and change: if ( $BPS_ISL_options['bps_isl'] == 'On' ) { to: if ( $BPS_ISL_options['bps_isl'] == '0' ) { (you are changing the value from “On” to “0”). Log into your site, go to the ISL page and change/fix your ISL settings.

    Can the Idle Session Logout Time be changed while Users are logged in or after a User has already logged in?
    Yes. ISL is Client Browser based and the Idle Session Logout Time is a variable that has a value that can be changed “on the fly”. Example: If UserA and UserB login to your site and the Idle Session Logout Time was 60 minutes when they logged in and you change the Idle Session Logout Time to 1 minute while UserA and UserB are logged into your site then UserA and UserB and all other Users that are logged into your site (depending on your ISL option settings) will be automatically logged out after being idle/inactive for 1 minute.

    Can the Auth Cookie Expiration Time be changed while Users are logged in or after a User has already logged in?
    Yes and No. Yes, you can change the Auth Cookie Expiration Time option setting for all Users (depending on your ACE option settings), but the WordPress Authentication Cookie Expiration time is set when Users log into your site and cannot be changed “on the fly”. So if you change the Auth Cookie Expiration Time while UserA and UserB are already logged into your site then the new Auth Cookie Expiration Time that you choose will not take effect until after UserA and UserB logout and log back into your site. The WordPress Authentication Cookie Expiration time can only be set/reset at login. This is the default functionality of the WordPress Authentication Cookie.
