Can we modify the logout timeout?

[KlinkerJ]

Right now a user has to reauthenticate whenever he starts a new browser session. As far as I know the timeout is defined by cookie expiration time... Can we modify that in code?

[LarsBreuren]

Hi KlinkerJ,

I'm having the same problem right now, do you remember fixing this?

Cheers

[timnolte]

So, there is an aspect as well that is controlled by the IDP on whether having an extended session is allowed via the login tokens. Have you tried turning off the "Enable Refresh Tokens" plugin setting?

[LarsBreuren]

Hi Tim!

Thanks for your reply.
I had this setting turned off allready. The Wordpress cookie expiration is set to a year and works fine for admins/content-creators who log in via Wordpress. Our subscribers log in via openID with Azure, this session stays alive until you close the browser.
Ideally we would like the subscribers to stay logged in for a month.

Perhaps Azure alters the session or Wordpress doesn't apply the cookie expiration time correctly to all accounts.

[KlinkerJ]

Unfortunately, I could not fix the behavior. The time until logout does not seem to be taken over by OpenID. But I didn't find a suitable setting in the source code either.
The responsible code should be the following (in openid-connect-generic-client-wrapper.php):

		// Create the WP session, so we know its token.
		$expiration = time() + apply_filters( 'auth_cookie_expiration', 2 * DAY_IN_SECONDS, $user->ID, false );

but changing this expiration time does not help to keep the user logged in after closing the browser. Also, the code calls wp_set_auth_cookie which should keep the user logged in for two days.