Magento 2 backend session timeout

38

12

In Magento 1.x the backend session timeout was set via:
Backend -> System -> Configuration -> Admin -> Security -> Session Lifetime (seconds)

Initially, my question was how to set this in Magento 2.0, but apparently there are differences between Magento 2.0 and Magento 2.1.

For Magento 2.0: Arkadii Chyzhov has pointed out how to set this (see below).

For Magento 2.1: fschmengler has suggested a solution (see below).

However, M 2.1 appears not to provide a straightforward solution via the backend. Can anybody come up with an additional solution for M 2.1?

Els den Iep

Posted 2016-02-15T12:18:47.607

Reputation: 379

Answers

60

Stores > Settings > Configuration > Advanced > Admin > Security > Admin Session Lifetime (seconds)

There is also a possibility to set this parameter directly in the database: just put a value under the path

admin/security/session_lifetime

in the table core_config_data

Update

Magento 2.1 admin cookie life time = Stores > Settings > Configuration > Advanced > Admin > Security > Admin Session Lifetime (seconds) or till the user closes the browser

Magento 2.1 introduces the lifetime for the admin cookie as "expires on browser close", together with the value in Stores > Settings > Configuration > Advanced > Admin > Security > Admin Session Lifetime (seconds). That means that the session lifetime equals the value in Stores > Settings > Configuration > Advanced > Admin > Security > Admin Session Lifetime (seconds), or lasts until the browser is closed.

Or you can set up a new value for the admin cookie, as proposed in fschmengler's answer.

Arkadii Chyzhov

Posted 2016-02-15T12:18:47.607

Reputation: 2 128

would you be interested in adjusting the functionality of the layered navigation on our M2 website? – Els den Iep – 2016-07-13T13:51:19.957

@ElsdenIep pls. find my contact information in the profile – Arkadii Chyzhov – 2016-07-27T19:51:47.717

Do you know what is the column in the database for that value, so I can change it programmatically? – jojman – 2016-08-16T16:57:40.410

I've set it to be 50400 but it still logs out after around 20 mins.... – OZZIE – 2016-09-13T14:18:41.577

@ArkadiiChyzhov see my answer below :) – OZZIE – 2016-09-14T14:30:00.543

12

Check attached image screenshot for better understanding of admin process.

Go to Stores->Settings->Configuration->Advanced->Admin->Security->Admin Session Lifetime (seconds)

And check screenshot.

Yogesh Trivedi

Posted 2016-02-15T12:18:47.607

Reputation: 1 577

10

Solution for Magento 2.1+

Since Magento 2.1 the admin session lifetime is always "session", i.e. until the browser is closed. This might have been introduced for security reasons.

The relevant code is in Magento\Backend\Model\Session\AdminConfig:

/**
 * Set session cookie lifetime to session duration
 *
 * @return $this
 */
protected function configureCookieLifetime()
{
    return $this->setCookieLifetime(0);
}

If you want to change this behavior, you can add a plugin for this class with the following interceptor method:

public function beforeSetCookieLifetime()
{
    $lifetime = $this->scopeConfig->getValue(
        \Magento\Framework\Session\Config::XML_PATH_COOKIE_LIFETIME,
        \Magento\Framework\App\Config\ScopeConfigInterface::SCOPE_TYPE_DEFAULT);
    return [$lifetime, \Magento\Framework\Session\Config::COOKIE_LIFETIME_DEFAULT];
}

Where $this->scopeConfig should be an instance of \Magento\Framework\App\Config\ScopeConfigInterface, injected via constructor parameter.

This way the cookie lifetime is used from configuration, just as in the frontend.

Note that the configuration in Stores > Configuration > Advanced > Admin Security > Session Lifetime does not have any effect on the cookies anymore! It is used to determine Redis session lifetime, so if you increase the cookie lifetime, you should also increase this value.

Fabian Schmengler

Posted 2016-02-15T12:18:47.607

Reputation: 49 110

I am wondering if you could explain this security reason. From my point of view, setting admin cookie lifetime to 0, brings discrepancy and not obvious behavior, if we are using 'admin/security/session_lifetime', which defines admin session life time, and which depends from 2.1 on cookie lifetime implicitly. – Arkadii Chyzhov – 2016-09-15T22:33:26.197

I assumed it is to prevent the case that an admin closes the window without "log out" and then any person getting access to the same PC is already logged in. This is not a major threat and I agree with you that it's a bad decision to make this "feature" this non-obvious. – Fabian Schmengler – 2016-09-16T06:56:29.890

But I searched for the responsible commit now and found this: https://github.com/magento/magento2/commit/e33a0332f2286a011ded0c7b5fa4f7b13ea853f0#diff-1125ab4d6bb922453ef7e22b6176311a "MAGETWO-49092: Invalid Form Key on Admin login page" - it sounds more like a workaround to hide another bug with a more or less accidental and at least undocumented side effect.

– Fabian Schmengler – 2016-09-16T06:57:45.700

There must be more going on, because my session is still expiring without closing my browser. – Matt Cosentino – 2016-11-29T19:55:35.997

How does this work? I'm new to M2, but AFAIK you cannot create a plugin for protected functions, and a before plugin can only affect parameters, but configureCookieLifetime does not use any. – Volvox – 2017-05-18T11:08:10.087

@Volvox look carefully: the plugin is for setCookieLifetime, a public method with parameters – Fabian Schmengler – 2017-05-18T11:35:51.850
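A complete plugin class for the approach in the answer above, as an added example that is not part of the original post and not Magento core code. The module name Vendor\AdminSession, the plugin name and the MAX_LIFETIME ceiling are assumptions; beyond the answer's snippet, it caps the configured value and keeps the browser-session cookie when no positive value is configured.

```php
<?php
// Added example; Vendor\AdminSession is a hypothetical module name.
// Register it for the admin area in etc/adminhtml/di.xml:
//   <type name="Magento\Backend\Model\Session\AdminConfig">
//     <plugin name="vendor_admin_cookie_lifetime"
//             type="Vendor\AdminSession\Plugin\AdminCookieLifetime"/>
//   </type>
namespace Vendor\AdminSession\Plugin;

use Magento\Backend\Model\Session\AdminConfig;
use Magento\Framework\App\Config\ScopeConfigInterface;
use Magento\Framework\Session\Config;

class AdminCookieLifetime
{
    /** Assumed policy ceiling in seconds (8 hours); choose your own. */
    const MAX_LIFETIME = 28800;

    /** @var ScopeConfigInterface */
    private $scopeConfig;

    public function __construct(ScopeConfigInterface $scopeConfig)
    {
        $this->scopeConfig = $scopeConfig;
    }

    /**
     * Before-plugin on the public setCookieLifetime(). The returned array
     * replaces the arguments passed by configureCookieLifetime(), i.e. the 0.
     */
    public function beforeSetCookieLifetime(AdminConfig $subject, $lifetime, $default = null)
    {
        $configured = (int) $this->scopeConfig->getValue(
            Config::XML_PATH_COOKIE_LIFETIME,
            ScopeConfigInterface::SCOPE_TYPE_DEFAULT
        );
        // Unset or non-positive value: keep the 2.1 default (browser-session cookie).
        if ($configured <= 0) {
            return [0, $default];
        }
        // Never let the admin cookie outlive the policy ceiling.
        return [min($configured, self::MAX_LIFETIME), $default];
    }
}
```

As the answer notes, the Admin Session Lifetime setting still bounds the server-side session, so it has to be at least as long as the cookie lifetime used here.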

4

A note here: the accepted answer works, however Magento 2 uses the default PHP folder to store session files. If you have this configured in PHP:

09,39 *     * * *     root   [ -x /usr/lib/php/sessionclean ] && /usr/lib/php/sessionclean

then this is added to the system cron by the PHP installation.

So then you can either

  • disable that cron
  • or better: increase gc_maxlifetime in php.ini (as this will be the upper limit)

OZZIE

Posted 2016-02-15T12:18:47.607

Reputation: 306

2

Another solution without modifying any settings is to install any auto refresh addon for your browser and set its time (60 seconds).

It will auto refresh the page every 60 seconds, which prevents the session lifetime from expiring, and we can start working on another tab.

I used Easy Auto Refresh and it works fine for me.

Amit Singh

Posted 2016-02-15T12:18:47.607

Reputation: 776

0

If you are using multiple VMs / servers for web and DB and the time is not in sync, this also causes the issue.

So if all the options above do not work, check the time stamp / date of the two servers when you are using multiple servers for web and DB.

Aunik Rahman

Posted 2016-02-15T12:18:47.607

Reputation: 1

0

I don't know why but for some of us setting the Admin Session Lifetime from backend doesn't work, so I found a couple of solutions:

  1. In php.ini change session.gc_maxlifetime from 1440 to whatever number of seconds you desire. (This solution worked for me, tested on Magento 2.2.0 and 2.2.1)

  2. In .htaccess add "php_value session.gc_maxlifetime 28800" or to whatever number of seconds you desire.

  3. By manually setting the lifetime. Go to vendor/magento/module-encryption-key/etc/config.xml and change from 900s to whatever number of seconds you desire.

Hope one of these solutions will work for others too.

Sylaratty

Posted 2016-02-15T12:18:47.607

Reputation: 6