Modify Admin Session Lifetime in Magento 2: A Detailed Guide
Vinh Jacker | 05-28-2018
The Magento 2 Admin is the password-protected back office of your online store, where you manage orders, catalog, content, and configurations. As a security measure, the Admin times out by default after 900 seconds, or fifteen minutes, of keyboard inactivity. If you’re using this Security extension, a warning email will be sent.
However, you can always make adjustments to the lifetime of the session to fit your work style.
You can set the Admin Session Lifetime in Magento 2 by following these steps:
To set Admin Session Lifetime in Magento 2
- Step 1: Open the Magento Security section
- Step 2: Enter the Admin session lifetime which is measured in seconds
- Step 3: Save the change
Step 1: Open the Magento Security section
- On the Admin sidebar, click Stores > Settings: Configuration.
- In the panel on the left, select Advanced > Admin.
- Look for the Security section, which is right below Admin Base URL.
Step 2: Enter the Admin session lifetime which is measured in seconds
Expand the Security section. Then do the following:
- Next to the Admin Session Lifetime (seconds) field, clear the Use system value checkbox to remove the default session lifetime.
- Then enter your preferred number of seconds during which a session remains active before timing out.
For Magento 2.1+ Issue
Starting from Magento version 2.1, the admin session stays active until you close your web browser. This change was likely made for security reasons.
The relevant code is in Magento\Backend\Model\Session\AdminConfig.
    /**
     * Set session cookie lifetime to session duration
     *
     * @return $this
     */
    protected function configureCookieLifetime()
    {
        return $this->setCookieLifetime(0);
    }
To change this behavior, you can use a plugin for this class. Insert the following interceptor method:
    /**
     * Before-plugin: replaces the arguments passed to setCookieLifetime()
     * with the configured cookie lifetime and the framework default.
     */
    public function beforeSetCookieLifetime()
    {
        $lifetime = $this->scopeConfig->getValue(
            \Magento\Framework\Session\Config::XML_PATH_COOKIE_LIFETIME,
            \Magento\Framework\App\Config\ScopeConfigInterface::SCOPE_TYPE_DEFAULT
        );
        return [$lifetime, \Magento\Framework\Session\Config::COOKIE_LIFETIME_DEFAULT];
    }
Here, $this->scopeConfig is an instance of \Magento\Framework\App\Config\ScopeConfigInterface, injected through a constructor parameter.
With this modification, the cookie lifetime will be determined by your configuration settings, similar to the frontend.
It’s essential to note that the configuration in Stores > Configuration > Advanced > Admin Security > Session Lifetime no longer affects cookies. Instead, it influences the Redis session lifetime. If you increase the cookie lifetime, be sure to adjust this value as well.
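The following is an added example, not code from the original post or from Magento: a complete plugin class that also reads the Admin Session Lifetime value and caps the cookie lifetime at it, so the admin cookie never outlives the server-side session. The namespace Vendor\AdminSession\Plugin and the class name are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical module namespace and class name. Register the class in the
// module's di.xml as a plugin for Magento\Backend\Model\Session\AdminConfig.
namespace Vendor\AdminSession\Plugin;

use Magento\Backend\Model\Session\AdminConfig;
use Magento\Framework\App\Config\ScopeConfigInterface;
use Magento\Framework\Session\Config as SessionConfig;

class CapAdminCookieLifetime
{
    // Config path behind the "Admin Session Lifetime (seconds)" field.
    const XML_PATH_ADMIN_SESSION_LIFETIME = 'admin/security/session_lifetime';

    /** @var ScopeConfigInterface */
    private $scopeConfig;

    public function __construct(ScopeConfigInterface $scopeConfig)
    {
        $this->scopeConfig = $scopeConfig;
    }

    /**
     * Replaces the arguments of AdminConfig::setCookieLifetime().
     */
    public function beforeSetCookieLifetime(AdminConfig $subject, $cookieLifetime, $default = null): array
    {
        $cookie = (int) $this->scopeConfig->getValue(
            SessionConfig::XML_PATH_COOKIE_LIFETIME,
            ScopeConfigInterface::SCOPE_TYPE_DEFAULT
        );
        $admin = (int) $this->scopeConfig->getValue(
            self::XML_PATH_ADMIN_SESSION_LIFETIME,
            ScopeConfigInterface::SCOPE_TYPE_DEFAULT
        );
        // Missing or non-positive values: keep the stock browser-session cookie (0).
        if ($cookie <= 0 || $admin <= 0) {
            return [0, $default];
        }
        // The browser must not hold the cookie longer than the admin session lives.
        return [min($cookie, $admin), $default];
    }
}
```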
Step 3: Save the change
Once you have finished setting the ideal length of session lifetime, tap Save Config. Done!