I had seen that, people are able to login to the site automatically with there old user cookies. How can we control the User/Mods/Admin cookies timeout?
It isn't a good idea for the user cookies lasting for long time, as if they failed to logout of the site, the next users can be able to open the site with their account automatically.
The "Remember Me" checkbox added in 1.6 really should be unticked by default.
(yes, I added in that feature, but whoever wrote up the list of features specifically said to tick it by default, and when I suggested otherwise, I was ignored)
Otherwise, requires a code change. Search for a header("Set-Cookie: ...") call in member.php somewhere.
I assume you're resourceful enough to search up on the syntax of the HTTP header. If not, Google is your friend.
I found these two codes that comprises of user cookie in member.php
Code:
my_unsetcookie("mybbuser");
my_unsetcookie("sid");
if($mybb->user['uid'])
{
$time = TIME_NOW;
$lastvisit = array(
"lastactive" => $time-900,
"lastvisit" => $time,
);
$db->update_query("users", $lastvisit, "uid='".$mybb->user['uid']."'");
$db->delete_query("sessions", "sid='".$session->sid."'");
}
|
Code:
if($mybb->input['remember'] != "yes")
{
$remember = -1;
}
else
{
$remember = null;
}
my_setcookie("mybbuser", $user['uid']."_".$user['loginkey'], $remember, true);
my_setcookie("sid", $session->sid, -1, true);
|
which one to edit now to decrease or disable the cookie time limit.
Most likely one that sets the "mybbuser" cookie. Check how the my_setcookie function works.