25

I want to expire the session if the user (admin) is inactive for 15 minutes on a WordPress site.

Can anyone tell me what the default session expiry time in WordPress is, and how to change that default expiry time?

Maxime
mack

1 Answer

71

Simply add this code in your theme's functions.php:

```php
add_filter('auth_cookie_expiration', 'my_expiration_filter', 99, 3);
function my_expiration_filter($seconds, $user_id, $remember){

    //if "remember me" is checked;
    if ( $remember ) {
        //WP defaults to 2 weeks;
        $expiration = 14*24*60*60; //UPDATE HERE;
    } else {
        //WP defaults to 48 hrs/2 days;
        $expiration = 2*24*60*60; //UPDATE HERE;
    }

    //http://en.wikipedia.org/wiki/Year_2038_problem
    if ( PHP_INT_MAX - time() < $expiration ) {
        //Fix to a little bit earlier!
        $expiration =  PHP_INT_MAX - time() - 5;
    }

    return $expiration;
}
```
Reza Mamun
  • 1
    Does this change the cookie expiration time, or the session expiration time on the server? They are not the same thing and just changing the cookie expiration time does not mitigate the security risk of longer sessions. – Andrew May 08 '14 at 05:39
  • 5
    Surprisingly enough, WordPress does not use PHP sessions at all. It uses only cookies. And it uses a number of them with hashed names, so you don't want to mess with them directly, do it the WordPress way with filters like this, or by calling WordPress APIs. E.g. if you want to log out the current user, you can call wp_clear_auth_cookie(), http://codex.wordpress.org/Function_Reference/wp_clear_auth_cookie – sootsnoot Aug 10 '14 at 14:22
  • 3
    Full disclosure: WordPress *core* doesn't use sessions. It's possible that some plugins might. You'd have to search the source code of your plugins if you wanted to be sure. I note that the reference in the accepted answer is to an article on controlling PHP session duration, which doesn't affect the login status of a WordPress user. – sootsnoot Aug 10 '14 at 14:38
  • 2
    You can control access time to different roles too. `if ( user_can( $user_id, 'manage_options' ) ) { $expiration = 2*60*60; }` – Juniper Jones Jan 21 '15 at 17:25
  • 2
    I believe this solution will NOT address the 'inactivity' part of the question. This method will change cookie expiration but the user will be logged out regardless of whether or not they were active. WP does not seem to update the cookie expiration on user activity - it is set once on login. – Timur K Jan 25 '17 at 03:14
  • So this doesn't work for setting how long remember me lasts for then, looking at the comment above? – Glen Sep 24 '17 at 08:11
  • 2
    It's amazing how WP neglected this problem, for what now, 7 years? – Guilherme Vaz Apr 10 '19 at 20:16
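
The comments above note that `auth_cookie_expiration` fixes the cookie lifetime once at login and is not refreshed by activity. One way to enforce the 15-minute idle limit from the question, as an added example that is not part of the original answer: it records a last-activity timestamp in user meta and logs administrators out once it is stale. The `mysite_*` function names, the constants and the meta key are hypothetical.

```php
<?php
// Added example, not from the original answer. The mysite_* names, the
// constants and the meta key are hypothetical.
define( 'MYSITE_IDLE_LIMIT', 15 * 60 );           // 15 minutes, in seconds
define( 'MYSITE_IDLE_META', 'mysite_last_activity' );

// Restart the idle clock at login so a stale timestamp left over from an
// earlier login does not log the user straight back out.
add_action( 'wp_login', 'mysite_idle_reset', 10, 2 );
function mysite_idle_reset( $user_login, $user ) {
    update_user_meta( $user->ID, MYSITE_IDLE_META, time() );
}

add_action( 'init', 'mysite_idle_check' );
function mysite_idle_check() {
    // Only administrators are subject to the idle limit here.
    if ( ! is_user_logged_in() || ! current_user_can( 'manage_options' ) ) {
        return;
    }

    $user_id = get_current_user_id();
    $last    = (int) get_user_meta( $user_id, MYSITE_IDLE_META, true );
    $now     = time();

    if ( $last > 0 && ( $now - $last ) > MYSITE_IDLE_LIMIT ) {
        delete_user_meta( $user_id, MYSITE_IDLE_META );
        wp_logout(); // destroys the session token and clears the auth cookies
        if ( ! wp_doing_ajax() ) {
            wp_safe_redirect( wp_login_url() );
            exit;
        }
        return;
    }

    // Heartbeat polls from an open admin tab are not user activity, so they
    // must not refresh the timestamp.
    $is_heartbeat = wp_doing_ajax()
        && isset( $_POST['action'] ) && 'heartbeat' === $_POST['action'];

    // Write at most once a minute to avoid a database update on every
    // request; the limit can therefore trigger up to a minute early.
    if ( ! $is_heartbeat && ( 0 === $last || $now - $last >= 60 ) ) {
        update_user_meta( $user_id, MYSITE_IDLE_META, $now );
    }
}
```

The timestamp is stored per user rather than per session token, so activity in one browser keeps that user's other open sessions alive as well.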