Adjusting Your Joomla! 3.x Session Time for your Users
Session Lifetime
By default, Joomla has a 15-minute session time for logged-in users, meaning that if a user is inactive for more than 15 minutes, they are automatically logged out and need to enter their credentials again. Sometimes you need longer session times, for instance when you are developing a site and don’t want to be logging in over and over. Or maybe you have some very long forms for logged-in users to complete and you don’t want their session expiring before they can hit the submit button.
So, let’s take a look at changing the session time in the backend of Joomla.
- Log in to the backend of Joomla with a super administrator account.
- Click to open the System menu item.
- Select Global Configuration from the dropdown.
- Once the Global Configuration is open, click on the System tab.
- Scroll down the page until you see the Session Settings section.
There will be three fields:
- Session Handler – the way the sessions are handled by Joomla
- Session Lifetime – how long a user stays logged in while being inactive
- Shared Sessions – the ability to make the login work for both frontend and backend simultaneously
- To make the session time longer, change the value in the Session Lifetime field to the desired length in minutes. For example, to make the session an hour and a half, you would enter “90” for the value.
- After you have changed the value, click Save and Close on the Global Configuration.
That’s it! You’ve now changed the session time for your users.
Please note that this session time is the same for both frontend and backend users.
Session Handler
In case you want to dig a little deeper into the session settings, here’s a little more information about the Session Handler dropdown.
The Session Handler dropdown gives you three options:
- Database – saves the browser cookie in a table in the Joomla database
- PHP – stores the browser cookie in a php file on the server
- Memcached (Experimental) – uses an open source memory object caching system
DATABASE
By default, Joomla is set to Database to track the user that is logged in for non-activity. If you aren’t able to get to your php settings or server files, we recommend you stick to the default setting here.
PHP
If your database is on another server or has a slow connection, changing to a PHP handling method might be a better choice for you. PHP handling writes to a file directly on the web server and has more advanced session handling.
You need to make sure your host PHP settings will allow this before trying it, or you may find yourself locked out of your site. If you do get locked out when you switch to PHP handling, you will need FTP access in order to modify the configuration.php file. You will need to look for the line that says public $session_handler = “none” and change it back to public $session_handler = “Database” again. Now you should be able to log in again and you will see the Session Handler dropdown is back to Database.
MEMCACHED
The last option, Memcached, is still marked “Experimental”, so we recommend you do not use this method on live sites at this point in time.
Shared Sessions
Shared Sessions is set to No by default, meaning you will need to log in to the backend and the frontend separately, and those sessions are handled separately. If you want the same session to work on the frontend and backend, you will first need to hop over to the Server tab in the Global Configuration and make sure that your Force HTTPS is set to either None or Entire Site, but not Administrator Only. If you need to have the Administrator Only setting for this field, then you will need to leave Shared Sessions set to No.
If your Force HTTPS is set to None or Entire Site (which is the preferred setting in most scenarios), then you can go back over to the System tab, scroll down to the Session Settings, and change Shared Sessions to Yes.
After you make those changes, don’t forget to click Save or Save & Close in the Global Configuration. Now you’ve changed your session handling to work for frontend and backend.
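To review the Session Lifetime, Session Handler and Shared Sessions settings described above without logging in to the backend, the following added example (not part of the original tutorial) audits the text of a configuration.php file. The property names lifetime, shared_session and force_ssl, and the 0/1/2 encoding of Force HTTPS, are taken from a stock Joomla 3.x configuration.php rather than from this page; the 60-minute review threshold and the sample file are assumptions made for the example.

```python
import re

# Constructed sample of the relevant lines of a Joomla 3.x configuration.php.
SAMPLE_CONFIG = """<?php
class JConfig {
	public $force_ssl = '1';
	public $lifetime = '9999';
	public $session_handler = 'memcached';
	public $shared_session = '1';
}
"""

# Force HTTPS values as stored in configuration.php (stock Joomla 3.x).
FORCE_SSL = {"0": "None", "1": "Administrator Only", "2": "Entire Site"}
PROP = re.compile(r"""^\s*public\s+\$(\w+)\s*=\s*(['"])(.*?)\2\s*;""", re.M)


def parse_jconfig(text):
    """Return {property: value} for the quoted public properties of JConfig."""
    return {m.group(1): m.group(3) for m in PROP.finditer(text)}


def audit_session_settings(text, max_lifetime=60):
    """Return review findings for the session settings covered in this tutorial.

    max_lifetime (minutes) is a review threshold chosen for this example.
    """
    cfg = parse_jconfig(text)
    findings = []
    lifetime = int(cfg.get("lifetime", "15"))  # Joomla default is 15 minutes
    if lifetime > max_lifetime:
        findings.append(f"lifetime={lifetime} min exceeds review threshold {max_lifetime}")
    handler = cfg.get("session_handler", "database").lower()
    if handler == "memcached":
        findings.append("session_handler=memcached is marked Experimental")
    force_ssl = cfg.get("force_ssl", "0")
    # Shared Sessions requires Force HTTPS to be None or Entire Site.
    if cfg.get("shared_session", "0") == "1" and force_ssl == "1":
        findings.append("shared_session=1 conflicts with Force HTTPS = Administrator Only")
    if force_ssl != "2":
        findings.append(f"Force HTTPS is {FORCE_SSL.get(force_ssl, force_ssl)}, not Entire Site")
    return findings


if __name__ == "__main__":
    for finding in audit_session_settings(SAMPLE_CONFIG):
        print("REVIEW:", finding)
```

Run it against a copy of configuration.php fetched over FTP by passing the file's contents to audit_session_settings; an empty list means none of the conditions above were met.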
We hope this tutorial helps you with your Joomla Session! And, for full Joomla installs and setups, see our extensive video course library for Joomla.
Have you had any experience where one user is able to login as another user on the frontend? I am encountering this issue now and am thinking it may be related to the Session Handler.
James,
Are you talking about normal users? They should not be able to login as someone else without knowing their login and password. The exception would be if you are running a plugin that allows Super Users to login as other users with their own password. But, that would require a plugin enabled and them to be a Super User.
Maybe I didn’t understand your question?
Cheers,
Robbie
Thank you, very clear documentation.
Thanks Sami!
Hi Robbie,
I have a client who wants to set a 1 year session lifetime, but I can’t do it because the max minutes limit is 9999. Do you know another way to do that?
thanks
Josean,
No, not built in, there might be some extensions or plugins that allow you to do that, but I would highly recommend you not make your sessions that long. There are many reasons, but the two primary reasons would be burden on the server, it uses resources to hold a session, and security, both on the person’s actual physical machine and network access. But, remember, that as long as the person is active again before their session runs out, then they keep it renewed. What was the purpose of a year session?
Thanks,
Robbie
The client believes that people forget their passwords and do not access the news. The case is clear. Google Analytics detects that on the days of private newsletters, there is an increase in access to the login page, but visits die on that page. If there was a longer session people would access and increase the flow.
Sorry I didn’t reply sooner, I thought I’d get an email alert.
THANK YOU
Josean,
Gotcha. Well, I would make sure that the Joomla Authentication – Cookie plugin is set to be longer than the time between newsletters. And, I would encourage them to make sure that nothing (CSS or JS) on the login page is blocking the browser or other password storage places to let users save the info.
Hope this helps! Also, note, you can check to be notified when there is a follow-up comment via email by checking the box under this textarea.
-Robbie
Thanks Robbie,
I’ll try to follow your recommendations.
Thank you very much.
Kind regards;
How can it be controlled so that registered users can only log in on a single device at a time, or have only one session open?
Yes, you can configure Filezilla to allow only one connection at a time or multiple.
When I log out it says “Error: You must login first”. Why?
Finn, I don’t think this is related to session time, actually haven’t heard of that error in quite a long time. Are you on the latest version of J3? Here’s an old Joomla forum discussion on that error: https://forum.joomla.org/viewtopic.php?t=890381
Hope this helps!