Standard Yii logout timeout


Is there any period of inactivity defined in Yii after which, when I run yii/myapp/index.php or any other Yii site, I will be redirected to login again?


I placed


into components part of my config file (main.php) but it does not seem to work.


echo Yii::app()->session->timeout;

gives me 60.

So when I set in config/main.php:




	'session' => array(
		'timeout' => 10,
	),


After 10 seconds of inactivity in my app should I be directed to login page?

I thought so, but it does not work. Maybe someone with more experience can help us here.

But you can try.

Yes I tried it and it doesn’t work. Anybody?

Take a look at method "login" of CWebUser

By default it is called from loginForm


According to the documentation, this is the description of the second parameter:

@param integer number of seconds that the user can remain in logged-in status. Defaults to 0, meaning login till the user closes the browser. If greater than 0, cookie-based login will be used. In this case, {@link allowAutoLogin} must be set true, otherwise an exception will be thrown.

Yii::app()->user->login($this->_identity, 10);

It does not work either. After 10 seconds passed my user was still in.

Just to be sure…

If you wait more than 10 seconds the session should expire… but the page that you are viewing remains…

it does not redirect automatically…


if you "click" on any link that goes to an action that requires logged in users… then you should get the login form

I understand this but I don't get redirected to login page. Did you try to do it and does it work for you?

And also I’d like to know if it’s right way to change session timeout like I described in the second post here.

The duration parameter in login() only affects the cookie lifetime with cookie based login (allowAutoLogin=true).

I remember that we had the same confusion in PRADO’s TUserManager some years ago. What we should have is an authExpire parameter in CWebUser. Whenever a logged in user sends a request, a timestamp (now() + authExpire) should be saved to user state. If a user does not send another request before this timestamp, the user should get logged out automatically.

For the interested reader, here’s the old topic from the PRADO forum:



Addition to the above: "… should get logged out automatically on his next request." Best place for this might be CWebUser::getIsGuest().

And here’s an idea for a simple implementation:

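public $authExpires; 		// let authentication expire if user is inactive for this number of seconds

public function getIsGuest()
{
    // login status as stored by CWebUser (placed in a class extending CWebUser)
    $isGuest = parent::getIsGuest();
    if (!$isGuest && $this->authExpires!==null)
    {
        // timestamp saved to user state on the previous request
        $expires = $this->getState('__expires');
        if ($expires!==null && $expires < time())  // authentication expired
        {
            // TBD:
            //   - Either always (true) or never (false) destroys session data! Not what everyone wants...
            //   - Make sure __expires is also cleared from session in logout()
            $this->logout(false);   // false: keep the remaining session data
            $isGuest = true;
        }
        else                    // update expiration timestamp
            $this->setState('__expires', time() + $this->authExpires);
    }
    return $isGuest;
}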


Worth a ticket?

Problem seems to be that the native session driver (file based) is considering a session file valid as long as it exists (maybe for performance reasons) and garbage collection is done after restoring a session.

To see the effect do this: Set session timeout to 1 and gCProbability to 100. Now login, wait 2 seconds and refresh. You are still logged in. Now wait 2 seconds and open the page in another browser so that the garbage collector starts working. Now refresh again in the first browser -> session isn’t valid anymore.

CDbHttpSession or any CCacheHttpSession component should work as expected because before considering an existing session as valid, they check for expiration first.

So how to change session timeout from standard 1440 seconds to something else?

'components' => array(
   'session' => array(
      'timeout' => 123,
   ),
),



I tried it before. It does not work.

Read what I wrote about native session management. You can use CDbHttpSession component to make it work:

'components' => array(
   'session' => array(
      'class' => 'CDbHttpSession',
      'timeout' => 1,
   ),
),



As to Mike’s implementation I added it to my WebUser component (it extends CWebUser) having changed $this->authExpires to 10. But in this case I could not login at all.

Yes this works. I missed

'class' => 'CDbHttpSession',

Thank you Y!!

Will check again, this was only a quick writeup of my thought. Still I think it's better to keep the session layer separate from authentication layer. The latter is built on top of the first: authentication layer stores the user login status in the session layer below. So IMO relying on session timeout for authentication timeout is mixing two logically separate layers.

Doing so has a consequence:

If you decrease the session timeout, all session data will expire, not only authentication data. You sometimes might not want this. Some things should be kept in the user's session, even if his login status expired. So I suggest to consider my proposal. I'll work out a patch and open a ticket. It's really only some lines of extra code.
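
The layering argued for in this thread, as an added example that is not code from any poster or from Yii: the idle timeout is checked server-side on every request, independent of session garbage collection and cookie lifetime, and on expiry only the login state is dropped. The array stands in for `$_SESSION`; the function names and the `auth_user_id` / `auth_expires` keys are hypothetical.

```php
<?php
// Added example: idle timeout kept in the authentication layer.
// $session stands in for $_SESSION; key and function names are hypothetical.

const AUTH_KEYS = ['auth_user_id', 'auth_expires'];

function logIn(array &$session, string $userId, int $now, int $idleLimit): void
{
    $session['auth_user_id'] = $userId;
    $session['auth_expires'] = $now + $idleLimit;
}

/** Call once per request; returns true while the user is still authenticated. */
function checkAuth(array &$session, int $now, int $idleLimit): bool
{
    if (!isset($session['auth_user_id'])) {
        return false;                          // guest
    }
    // A missing timestamp is treated as expired (fail closed).
    $expires = $session['auth_expires'] ?? 0;
    if ($expires < $now) {
        foreach (AUTH_KEYS as $key) {
            unset($session[$key]);             // drop login state only
        }
        return false;
    }
    $session['auth_expires'] = $now + $idleLimit;  // sliding window
    return true;
}

// Constructed walk-through with a 10-second idle limit.
$session = ['cart' => ['sku-1001']];           // non-authentication data
$t0 = 1000;                                    // constructed clock value
logIn($session, 'alice', $t0, 10);

var_dump(checkAuth($session, $t0 + 5, 10));    // request inside the window
var_dump(checkAuth($session, $t0 + 14, 10));   // window was extended by the previous request
var_dump(checkAuth($session, $t0 + 30, 10));   // idle longer than the limit
var_dump($session);                            // session contents after expiry
```

Passing the clock in as `$now` keeps the check deterministic; in a real request handler it would be `time()`.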