How To Set Session Timeout Per User At Login Time?

I am using an external authentication system. If I don’t see a cookie, I redirect to another site, which sends them back after. When I do see the cookie, I connect to a Java process running on a local socket to decrypt the cookie and get the userid and timeout. Did that in the SiteController file. The UserIdentity only checks to see if the user is in the database. If they are not in the user table, they get an unauthorized view. All this works great.

The issue is I want to have the php session timeout the same time their authentication cookie timeout. I have seen the option for setting a global value for everyone. But I need to set it for each specific person at login time based on the timeout from the cookie. I have tried searching for this information and couldn’t find anything.

Thanks for any help.

I think I have found part of my solution. In the actionLogin in the SiteController, I am passing a timeout value to the $model->login method, which I modified to accept and override the duration if set. So a cookie is being created, with the proper expiration time, but after it expires, nothing special happens. User does not need to be reauthenticated. ??? The allowAutoLogin is set to true in the config.

Dear Friend

We can create a behavior for main application where we can put some logic.


class ApplicationBehavior extends CBehavior


    public function events()


        return array(




    public function allotAuthTimeout()






            if($user->id=="seenivasan") //HERE I HAVE ARBITRARILY ASSIGNED authTimeout.

                $user->authTimeout=300; //YOU HAVE TO APPLY YOUR OWN LOGIC.

            if(!$user->id=="seenivasan")//YOU CAN PARSE authTimeout FROM COOKIES AND ASSIGN IT HERE.





	    if ($expires!==null && $expires < time())








Then you can attach this behavior to the application as a property.





I hope it will help you a bit.


I have to admit that I am a little confused. What is the point of the CWebUser class having a login method where the max logged in time can be set if it doesn’t actually do anything?

Using the method you described above, how would I pass the correct expiration time to it from the SiteController’s actionLogin function where I have that data?

Dear Friend

Whenever we assign authtimeout a value, YII checks the authTimeout at every request and reset the expiry time or user is logged out.

For an example, let us assign the authTimeout in SiteController.

public function actionLogin()


	$model=new LoginForm;

	if(isset($_POST['ajax']) && $_POST['ajax']==='login-form')


		echo CActiveForm::validate($model);








		if($model->validate() && $model->login())










What happens in the next request?

In immediate next request, the user component is again reconfigured from main.php.

There by default authTimeout is set as null.

If authTimeout is not set, YII assings the authTimeout to php session expiry.

Thus whatever we configure in SiteController is not taken into account in subsequent requests.

We may declare the authTimeout in main.php.



			// enable cookie-based authentication


			'authTimeout'=>60, //ONE MINUTE.



Here we can not dynamically assign authTimeout.

That forced me to use application behavior.

In this approach,

1.We are assigning authTimeout to each individuals at every request.

2.We are also checking out expiry time. If there is timeout, user is logged out.

Somebody correct me if I’m wrong, but I believe duration parameter in the login method, is auto-login duration; not auto-logout duration. Meaning, the cookie will be used to validate the user the next time they visit your site. The cookie will be valid for the duration that you specify in the login method.


Dear seenivasan,

Thank you for this example. It was well explained and really helped me. I have adapted this basic idea to suit the needs of our application.

Much appreciated!!