autoRenewCookie and autoLogin

Hi there,

We want our users to stay logged in while active, and to be logged out after 30 minutes of inactivity. For this purpose, it seems sensible to turn autoRenewCookie (in CWebUser) to true.

However, the docs state autoRenewCookie ‘is effective only when allowAutoLogin is true’.

Why is this? Is there a better way of achieving what we are aiming for? Is it a bad idea?

Thanks for your help!

Why exactly do you want to keep allowAutoLogin off?

From what I understand of your requirements, setting both to true will give you exactly what you want…

Thanks for the response.

From CWebUser, "Note, when cookie-based authentication is enabled, all these persistent data will be stored in cookie." - this referring to having allowAutoLogin set to on.


  • I don’t want user details stored in the cookie (so need allowAutoLogin to be off)

  • I do want the user to be logged out after 30 minutes of inactivity

  • I don’t want the user to be logged out after 30 minutes if they are actively using the site

It feels like the above needs would be what most people would want, so wondering what we’re doing wrong!

After looking through the code for a bit, I think this is actually very easy. Unfortunately, I can’t confirm for you, so try it out and tell us if it works or not.