
Plone 5 Cookie Session Timeout

A quick reminder on how to change the session duration from the very short default of only around 20 minutes to something more useful.


If you are concerned with cookie security, you should always use SSL encryption. The username is already included in the page output, for example, so the fact that it's included in the cookie as well isn't an information leak as such.

The cookie is signed with a cryptographic hash that has a limited validity period. The default is 12 hours, after which the cookie will no longer be accepted.

You can change this timeout in the ZMI:

  1. Go to the ZMI of your Plone instance.

  2. Find the acl_users folder, then the session plugin:

     [Image: Session plugin in the ZMI]

  3. Go to the Properties tab (the right-most tab).

  4. Change the "Cookie validity timeout (in seconds)" property to a new value.

For example, set "Cookie validity timeout" to "0", leave the refresh interval at 3600 and set the cookie lifetime to 2 (days).

Take note of the "Refresh interval (in seconds, -1 to disable refresh)" value below it, though: whenever the signed cookie is older than the refresh interval, a new cookie is generated to extend the cookie lifetime. So, by default, once every hour you are issued a new cookie that is valid for 12 hours.

You don't want your cookie validity timeout to fall below the refresh interval, because the cookie would then expire before it is ever refreshed. If you set these values very low, consider using a periodic AJAX 'ping' request to keep the cookie fresh while the user is still using the site.
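To make the interaction between the validity timeout and the refresh interval concrete, here is an added Python model written for this note; it is not plone.session's own code or cookie format, and the secret, user name and request timestamps are constructed. It replays a user's requests against the two settings and reports when a forced logout would occur.

```python
import hashlib
import hmac

# Constructed secret for this model; plone.session manages its own secret.
SECRET = b"constructed-example-secret"

def issue_cookie(user, issued_at, secret=SECRET):
    """Return 'user:issued_at:hmac' (a simplified stand-in for the real cookie)."""
    payload = f"{user}:{int(issued_at)}"
    mac = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{mac}"

def check_cookie(cookie, now, timeout, refresh_interval, secret=SECRET):
    """Validate a cookie at time `now` (seconds) and apply the two ZMI settings.
    timeout: "Cookie validity timeout", 0 disables it; refresh_interval: -1 disables.
    Returns (status, cookie) with status 'rejected', 'ok' or 'refreshed'."""
    try:
        user, ts, mac = cookie.split(":")
        issued_at = int(ts)
    except ValueError:
        return "rejected", None
    expected = hmac.new(secret, f"{user}:{issued_at}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):  # tampered user or timestamp
        return "rejected", None
    age = now - issued_at
    if timeout > 0 and age > timeout:  # signature no longer accepted
        return "rejected", None
    if refresh_interval >= 0 and age > refresh_interval:  # re-issue, resetting the clock
        return "refreshed", issue_cookie(user, now, secret)
    return "ok", cookie

def simulate(request_times, timeout, refresh_interval, user="alice"):
    """Replay request timestamps; return the time of the first forced logout, or None."""
    cookie = issue_cookie(user, request_times[0])
    for t in request_times[1:]:
        status, cookie = check_cookie(cookie, t, timeout, refresh_interval)
        if status == "rejected":
            return t
    return None

if __name__ == "__main__":
    hits = list(range(0, 7201, 600))  # constructed: one request every 10 min for 2 h
    # Validity timeout below the refresh interval: the cookie expires before any refresh.
    print(simulate(hits, timeout=1800, refresh_interval=3600))   # 2400
    # The page's defaults (12 h validity, hourly refresh): the user is never logged out.
    print(simulate(hits, timeout=43200, refresh_interval=3600))  # None
```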

In fact, plone.session already includes a facility to implement this ping for you. Simply enable it by installing the "Session refresh support" add-on in the control panel ("Site setup" > "Add-ons" > check "Session refresh support 3.5", click "Activate"). This will install the JavaScript library for you, and it will ping the server every 5 minutes, provided there has been some mouse or keyboard activity while the current page is loaded.


