Improve website security with the Automated Logout Drupal module

Keeping a castle secure requires you to watch out in different directions. The same applies to websites — protecting your “digital castle” involves many different aspects.

Luckily, Drupal website security is at a pretty high level, so you just need to follow its best practices. You can always count on our Drupal support & maintenance team to improve website security and implement the best website security measures, such as:

  • switching to HTTPS
  • applying Drupal security updates
  • bringing order to roles and permissions
  • blocking access to important files
  • installing security modules
  • and many more.

Our team can protect not just your website but also your budget from extra expenses, thanks to our reasonable pricing and quick problem solving.

Today, we are taking a closer look at one of the practices to improve website security that is not so frequently described — website session timeout. Let’s see how this is done by the Automated Logout Drupal module.

How to improve website security with automated logout

You might have noticed that online banking applications show a countdown of your session time. This session time is usually very, very short.

Of course, not all apps or websites deal with this level of sensitive operations. So their session expiration time may vary. Still, if you want to improve website security, your site needs automated logout in any case.

The explanation is simple: this feature limits how long an intercepted session ID stays usable, which leaves attackers less time to intrude into your site. This makes it one of the website security basics that are used to improve the protection level.

  • According to OWASP (Open Web Application Security Project), insufficient session expiration increases exposure to session-based attacks. The shorter your website session is, the fewer chances you leave to attackers. So it is recommended to keep a good balance between security and usability depending on the purpose of your website.

Website security features of the Automated Logout Drupal module

As part of the security measures for a website, the Automated Logout contributed module in Drupal allows site admins to specify the time of inactivity, so users are automatically logged out when it expires.

The module is very flexible in its settings. Among its features to improve website security are:

  • different session timeouts for different user roles
  • individual website session timeout on a per-user basis
  • customized notifications about the upcoming logout
  • JS mechanisms to keep users logged in when they have multiple tabs open or are working on a form
  • and more

How to work with the Automated Logout Drupal module to improve security

Let’s see the module in action. With the module installed and enabled, go to Configuration — People — Automated logout settings. Here are the key details to configure:

1) The main time settings

  • Set the timeout value in seconds (60 or longer). If role-based timeout is activated, this setting will not be used.
  • Set the maximum timeout in seconds. This is the maximum time that can be set by users who are allowed to set their own timeout.

2) Time for a response

  • Set the timeout padding in seconds. This is the time a user has for responding to the dialog before the logout (whether they want to resume the session or not).

Automated Logout Drupal module - settings for time

3) Where to redirect users

You need to set the redirect URL to which a user is redirected after the session is over.

Automated Logout Drupal module - settings for redirect URL

4) User-specific and role-specific timeouts

You can disable user-specific logout thresholds if you want to prevent everyone from setting their individual maximum logout time. If it is allowed, the value can be configured in individual user profiles in the People section of the admin dashboard. However, it never exceeds the sitewide maximum timeout you have set in Point 1.

Automated Logout Drupal module - settings for user-specific and role-specific timeouts

  • You can enable role timeout if you want to allow specific user roles to set their per-role maximum timeouts and redirect URLs. The permissions for specific roles can be set in the People — Permissions section of the admin dashboard.

Automated Logout Drupal module - roles and permissions
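
How the sitewide, per-role and per-user timeouts from Points 1 and 4 combine, worked through as an added example (not the module's code and not part of the original article). The setting names, the rule that a per-user value is checked before role values, the lowest-role-wins rule and the 1800-second policy limit are assumptions; the sample data is constructed.

```python
# Added example: models the timeout rules described in this article.
# Setting names are illustrative assumptions, not the module's config schema.
MIN_TIMEOUT = 60  # the article: the timeout must be 60 seconds or longer


def effective_timeout(settings, user):
    """Return the inactivity timeout (seconds) that applies to one user."""
    # Assumption: a per-user value is checked first; it is capped by the
    # sitewide maximum, as the article states.
    own = user.get("timeout")
    if settings["allow_user_timeout"] and own is not None:
        return max(MIN_TIMEOUT, min(own, settings["max_timeout"]))
    # With role timeouts enabled, a matching role value replaces the sitewide
    # one. Assumption: when several roles match, the lowest value wins.
    if settings["role_timeout_enabled"]:
        values = [settings["role_timeouts"][r] for r in user["roles"]
                  if r in settings["role_timeouts"]]
        if values:
            return min(values)
    return settings["timeout"]


def audit(settings, users, policy_limit):
    """Return (name, seconds) for users whose timeout exceeds policy_limit."""
    if settings["timeout"] < MIN_TIMEOUT:
        raise ValueError("sitewide timeout must be at least 60 seconds")
    results = ((u["name"], effective_timeout(settings, u)) for u in users)
    return [(name, secs) for name, secs in results if secs > policy_limit]


# Constructed sample data, not taken from a real site.
SETTINGS = {
    "timeout": 1800, "max_timeout": 7200, "allow_user_timeout": True,
    "role_timeout_enabled": True,
    "role_timeouts": {"administrator": 600, "editor": 3600},
}
USERS = [
    {"name": "alice", "roles": ["administrator", "editor"], "timeout": None},
    {"name": "bob", "roles": ["editor"], "timeout": None},
    {"name": "carol", "roles": ["administrator"], "timeout": 86400},
    {"name": "dave", "roles": ["authenticated"], "timeout": None},
]

if __name__ == "__main__":
    for name, secs in audit(SETTINGS, USERS, policy_limit=1800):
        print(f"{name}: effective timeout {secs}s exceeds the policy limit")
```

Under these assumptions, carol's personal value is held only to the sitewide maximum, not to her role's 600 seconds, so the sitewide maximum deserves the same review as the role values.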

5) The logout dialog settings

When the logout is close, it’s a good practice to show a dialog window to users that informs them about this and gives them a chance to respond “yes” or “no” to the option to reset their session. Here are the things to customize:

  • The dialog title
  • The message to display in the logout dialog
  • The message to display after the logout
  • The type of message (status or warning)
  • The time for a user’s response (see Point 1).

6) The response buttons

It’s also possible to customize the “confirm” and “decline” button text in the dialog window or totally disable the response buttons.

If there is a need to improve the standard look of the buttons to meet your brand’s identity or customize the above-described process in any other way, this is all possible if you contact a Drupal team.

Improve website security with our support experts!

It’s easy to stay safe when the best security measures for websites are taken. Our Drupal development company knows how to improve website security, so let us help you make your site a protected place.

As support and maintenance experts, we strive to improve sites in every aspect, so you can ask us to improve not only your site’s security, but also its performance, SEO, etc.

You can reach out to us with tasks of any scope — from installing and configuring specific security modules to performing a comprehensive security audit at a good price. Drop us a line to improve website security today!
