Autologin allows a user to reclaim a session when she reloads the browser window or, after closing the browser, later returns to the OX frontend. In this page we'll look at two scenarios:
Allowing Autologin has some security implications. Everyone having access to a browser that contains the data to revive a session can enter said session. Therefore we offer OX administrators the option to completely turn off the autologin feature. To do that, open the configuration file /opt/openexchange/etc/groupware/sessiond.properties and look for com.openexchange.sessiond.autologin and set it to false:
But, allowing users to reenter their session is a nice feature, so let's go on to
The default OX6 configuration sets the system up for long running sessions, that can be recovered. Which configuration options make this happen? Glad you asked. Let's first look at the file sessiond.properties:
# # sessiond.properties # # Maximum value in milliseconds a session is allowed to be kept without request. After this time the session is put into the long life time # container and all temporary session data is removed. com.openexchange.sessiond.sessionDefaultLifeTime=3600000 # This amount of time a session can life in the long life time container. The session can be restored from here but it won't have any # temporary session data anymore. Restoring temporary session data may cause some slower functionality and maybe temporary errors on image, # proxy data or the like. Can contain units of measurement: D(=days) W(=weeks) H(=hours) M(=minutes). com.openexchange.sessiond.sessionLongLifeTime=1W # Whether autologin is allowed or not com.openexchange.sessiond.autologin=true
If you recall the lifecycle of an OX session, you'll remember that sessions are put into hibernation after some time has elapsed. This time is the value of com.openexchange.sessiond.sessionLongLifeTime, in milliseconds. So in this case, a session is stored in hibernation after one hour of not having been used. The session then remains in hibernation, and can be reactivated, for the com.openexchange.sessiond.sessionLongLifeTime. In this case one week. Note though that this session recovery only works if the IP address of the client computer hasn't changed in the meantime. This would usually mean, that Laptops won't have their sessions reactivated, but a desktop computer might conceivably never have to log in again, if the user doesn't stay away from the OX frontend for more than one week. Finally we have to enable autologin, so com.openexchange.sessiond.autologin is set to true.
So far so good. Now that we made sure the OX Server remembers the session sufficiently long, we have to ensure that the users browser remembers its cookies long enough, as the autologin data is saved in the browser cookies (See OXSessionLifecycle). So, let's open up the file server.properties.
This configuration option governs the cookie expiry date. This should usually be the same as com.openexchange.sessiond.sessionLongLifeTime.