How to extend the session timeout?

I am trying to extend the timeout session, how should i do it?

Any context would help.

What are you using, which library are you using, which framework are you using, What did you try first? etc

Ok, I am using phoenix framework,
The application needs authentication so the session always times out. I tried setting the timeout on the config/dev.ex thus:

config :ration, RationWeb.Endpoint,
  http: [
    port: 4000,
    protocol_options: [
      idle_timeout: 36_000_000

But this is not working
What else do i do?

idle_timeout has nothing to do with the session handling of phoenix, but is a http timeout as described in Nine Nines: cowboy_http(3)

The default session handing included in Phoenix is using Plug.Session. Plug.Session defaults to cookie based session handling, with a default :max_age of 1 day (when signed (default) or encoded). You can customize this to be more or less than 1 day, but given you tried to configure idle_timeout to 10h I’m wondering if something else is off for you here.


Can you please let me know how to handle this issue?

Hi @Winifred , in order to help you it’s important to know more precisely what the issue is, and how you tried to solve it so far.

Did you already implement authentication in your app? If yes, how?

What leads you to infer that the session times out? Does it happen right away or after a while?

If you can share some code related to handling of sessions or authentication in your app it might also help.

With some more information, I am sure someone will be able to guide you towards a solution :slight_smile:

I have already implemented authentication. I am working with an open source application.
The problem is that even if i am working on the application, after sometime, the user is logged out.
Initially, i tried adding timeout on the config/dev.ex as i shared before, that did not work. also i created a module for session timeout.

defmodule Auth.SlidingSessionTimeout do
  import Plug.Conn

  def init(opts \\ []) do
    Keyword.merge([timeout_after_seconds: 3600], opts)

  def call(conn, opts) do
    timeout_at = get_session(conn, :session_timeout_at)
    if timeout_at && now() > timeout_at do
      put_session(conn, :session_timeout_at, new_session_timeout_at(opts[:timeout_after_seconds]))

  defp logout_user(conn) do
    |> clear_session()
    |> configure_session(renew: true)
    |> assign(:session_timeout, true)

  defp now do
    DateTime.utc_now() |> DateTime.to_unix

  defp new_session_timeout_at(timeout_after_seconds) do
    now() + timeout_after_seconds

I called this from the router:

pipeline :browser do
    plug :accepts, ["html"]
    plug :fetch_session
    plug :fetch_flash
    plug :protect_from_forgery
    plug :put_secure_browser_headers
    plug Auth.SlidingSessionTimeout, timeout_after_seconds: 86400

and this didn’t work either. So that is why i am here.

I apologize i just may not be able to share my code.

The authentication was achieved using phx.gen.auth

That’s very normal and is a classic security measure. Sessions always expire.

You want eternal sessions that never expire? Or you want them to expire after more time than they do now?

At first glance, the code that implements the sliding session seems correct (I did not test it though, I am browsing on mobile now). Do you get logged out after closing the browser, or even while the browser is open? In the first case, it might be due to the session cookie being deleted after closing the browser (usually the default).