Merge pull request #4325 from nkovacs/4317-absolute-auth-timeout

framework/CHANGELOG.md

@@ -140,6 +140,7 @@ Yii Framework 2 Change Log
 - Enh #4114: Added `Security::generateRandomBytes()`, improved tests (samdark)
 - Enh #4209: Added `beforeCopy`, `afterCopy`, `forceCopy` properties to AssetManager (cebe)
 - Enh #4297: Added check for DOM extension to requirements (samdark)
+- Enh #4317: Added `absoluteAuthTimeout` to yii\web\User (ivokund, nkovacs)
 - Enh: Added support for using sub-queries when building a DB query with `IN` condition (qiangxue)
 - Enh: Supported adding a new response formatter without the need to reconfigure existing formatters (qiangxue)
 - Enh: Added `yii\web\UrlManager::addRules()` to simplify adding new URL rules (qiangxue)

framework/web/User.php

@@ -99,9 +99,16 @@ class User extends Component
      * @var integer the number of seconds in which the user will be logged out automatically if he
      * remains inactive. If this property is not set, the user will be logged out after
      * the current session expires (c.f. [[Session::timeout]]).
+     * Note that this will not work if [[enableAutoLogin]] is true.
      */
     public $authTimeout;
     /**
+     * @var integer the number of seconds in which the user will be logged out automatically
+     * regardless of activity.
+     * Note that this will not work if [[enableAutoLogin]] is true.
+     */
+    public $absoluteAuthTimeout;
+    /**
      * @var boolean whether to automatically renew the identity cookie each time a page is requested.
      * This property is effective only when [[enableAutoLogin]] is true.
      * When this is false, the identity cookie will expire after the specified duration since the user
@@ -120,6 +127,11 @@ class User extends Component
      */
     public $authTimeoutParam = '__expire';
     /**
+     * @var string the session variable name used to store the value of absolute expiration timestamp of the authenticated state.
+     * This is used when [[absoluteAuthTimeout]] is set.
+     */
+    public $absoluteAuthTimeoutParam = '__absolute_expire';
+    /**
      * @var string the session variable name used to store the value of [[returnUrl]].
      */
     public $returnUrlParam = '__returnUrl';
@@ -544,6 +556,9 @@ class User extends Component
             if ($this->authTimeout !== null) {
                 $session->set($this->authTimeoutParam, time() + $this->authTimeout);
             }
+            if ($this->absoluteAuthTimeout !== null) {
+                $session->set($this->absoluteAuthTimeoutParam, time() + $this->absoluteAuthTimeout);
+            }
             if ($duration > 0 && $this->enableAutoLogin) {
                 $this->sendIdentityCookie($identity, $duration);
             }
@@ -577,11 +592,12 @@ class User extends Component
 
         $this->setIdentity($identity);
 
-        if ($this->authTimeout !== null && $identity !== null) {
-            $expire = $session->get($this->authTimeoutParam);
-            if ($expire !== null && $expire < time()) {
+        if (($this->authTimeout !== null || $this->absoluteAuthTimeout !== null) && $identity !== null) {
+            $expire = $this->authTimeout !== null ? $session->get($this->authTimeoutParam) : null;
+            $expireAbsolute = $this->absoluteAuthTimeout !== null ? $session->get($this->absoluteAuthTimeoutParam) : null;
+            if ($expire !== null && $expire < time() || $expireAbsolute !== null && $expireAbsolute < time()) {
                 $this->logout(false);
-            } else {
+            } elseif ($this->authTimeout !== null) {
                 $session->set($this->authTimeoutParam, time() + $this->authTimeout);
             }
         }