Change user session timeout in Atom 2.3

[Franck Dupont]

Hello,

In Atom 2.3, I tried to change user session timeout. I've change config as shown in this post.

I have :

- Update /config/factories.yml :

user:
    class: myUser
    param:
      timeout: 180000 # Session timeout in seconds

- Clear the cache :

php symfony cc

- Restart php5-fpm and Apache :

service php5-fpm restart
service apache2 restart

But users still be disconnected after 30 minutes.

Any idea ?

Thanks !

Franck.

[Dan Gillean]

Hi Franck,

We have heard reports of this, have done a bit of investigation, and heard back from a user who did further experiments. He was able to set the timeout to 80minutes, and have it actually time out at about 65-70minutes. The actual timeout length seemed to be inconsistent - occasionally it was closer to 55mins. We're not yet sure why.

Why this discrepancy happens is very difficult to say and something we are not going to be able to investigate further or resolve without community sponsorship - we've tried to see if it's something simple, but it will require a deeper investigation than we can freely provide. I will point out that Symfony 1.4, the framework that AtoM still uses, is very old and currently deprecated - we are monitoring it and providing our own security patches and fixes as needed, and when possible merging in fixes from a community maintained fork. In the long-term, however, at some point we'll need to consider a next-generation AtoM that uses updated technologies - as you may know, AtoM was first developed in 2007/8, and much of the underlying code is still the same. While our development approach and business model has managed to keep the project active, growing, and accessible, it is very difficult for us to find organizations or individuals willing to submit code or sponsor much-needed maintenance work - most prefer new features. For more on our philosophy and model, please see:

• https://wiki.accesstomemory.org/Development/Philosophy

There are also many local installation and configuration issues that might be affecting this which are particular to your environment, which is one of the reasons it is difficult to troubleshoot for the application as a whole.

180000s as you have it set in the example above (e.g. 3000minutes or 50hours!) is an extremely high value, and may be causing additional issues. You might want to experiment with 80minutes as the previous user reported to us, which hopefully should at least double the default timeout period? I would say that, until we have a long-term solution for this, it is probably better to build a work practice of periodically saving a description when working on it for long periods. ~70 mins should be ample time for users to remember to save their descriptions once. Additionally, many security best practices do not recommend a session timeout limit higher than 30mins, so I would be cautious about tweaking this too much. I'd love to see development that would add a warning when the timeout was approaching, and/or an autosave and recovery option - again, work that would require development sponsorship, however.

Finally, the user in question ultimately encouraged archivists to install and make use of a browser extension that would auto-save form data as an additional protection against timeouts. It looks like there are versions available for both Firefox and Chrome. I haven't tried it myself, but it might be worth investigating.

• https://chrome.google.com/webstore/detail/lazarus-form-recovery/loljledaigphbcpfhfmgopdkppkifgno
• https://addons.mozilla.org/en-US/firefox/addon/lazarus-form-recovery/

If you are a developer interested in tackling this issue and sharing any solution back with the public project (or if you have access to developers), let us know and I will see if our devs have any suggestions on the right places to start investigating. If your organization is interested in sponsoring work to have Artefactual investigate and resolve this, please feel free to contact me off-list.

I wish I had a better answer for you!

Regards,

Dan Gillean, MAS, MLIS
AtoM Program Manager
Artefactual Systems, Inc.
604-527-2056

@accesstomemory

--
You received this message because you are subscribed to the Google Groups "AtoM Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ica-atom-users+unsubscribe@googlegroups.com.
To post to this group, send email to ica-ato...@googlegroups.com.
Visit this group at https://groups.google.com/group/ica-atom-users.
To view this discussion on the web visit https://groups.google.com/d/msgid/ica-atom-users/0620ca1d-f244-4611-af76-bd90577457f2%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Vicky Phillips]

Hi

I've started looking at possibility of using Lazarus but my IT Section has noticed that this plugin doesn't look like it's being maintained.  It doesn't look like it will work with Firefox version 53.  I'm wondering if anybody has been looking at any other similar plugins or other solutions for this problem?

Thanks,

Vicky