The information below applies to Joomla! 1.6, 1.7 and 2.5.
With the release of Joomla! 1.6, its developers changed the way in which a frontend user session expires. We believe that part of this change is not beneficial: one consequence is that a logged-in user's session is automatically and periodically refreshed whenever the Login Form is displayed on the web page, a behaviour known as 'keep alive'. As a result, the session is kept alive beyond the session lifetime configured in the Joomla! global configuration, which reduces the effectiveness of the Login One! plug-in (see the examples below). The Login One! Premium and Business editions deal with this problem.
Unless you have already taken action, your Joomla! 2.5 website will most likely behave as in the first example below.
Example of standard Joomla! 2.5 behaviour with Login One! freeware edition:
- User logs into website (session A), leaves the session open, doesn't close the browser and abandons the work station.
- User attempts login on a different work station (session B). Access is denied and a message is displayed by Login One! advising user to wait X minutes for session A to expire. With every log-in attempt to establish session B, the waiting time counts down.
- Approximately 1 minute before expiration of session A, session A is automatically refreshed (as if the user of session A hits the 'refresh' button). The waiting time for session B is reset to X minutes and user continues to be denied access.
- In principle, session B can never be established as long as the Login Form is active on work station A. This is fine for trial purposes, but does not give optimum protection.
RECOMMENDATION: To achieve better protection, you should get and install the Login One! Premium or Business edition.
Example of standard behaviour of Joomla! 2.5 with Login One! Premium or Business edition:
- User logs into website (session A), leaves the session open, doesn't close the browser and abandons the work station.
- User attempts login on a different work station (session B). Access is denied and a message is displayed by Login One! advising user to wait X minutes for session A to expire. With every log-in attempt to establish session B, the waiting time counts down.
- When the waiting time has expired, user can log into the second work station; session B is established and session A is closed. This is the optimum behaviour of the Login One! plug-in, provided you have installed and activated the plug-in properly.
IMPORTANT: The recommended behaviour as in the second example can only be achieved when the plug-in has been installed and activated properly. Instructions are included in the download package.
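The two scenarios above can be modelled as follows. This is an added example, not Joomla! or Login One! code. The 15-minute lifetime, the 5-minute retry interval and all names are assumptions, and ignoring keep-alive requests when measuring idle time is only one assumed way to obtain the second behaviour; the page does not say how the Premium and Business editions do it.

```python
from dataclasses import dataclass

LIFETIME = 15 * 60     # assumed session lifetime in seconds (the page's "X minutes")
KEEPALIVE_LEAD = 60    # the page: refresh happens about 1 minute before expiry

@dataclass
class Session:
    last_request: int      # updated by every request, keep-alive included
    last_user_action: int  # updated only by requests the user initiated

def wait_remaining(session, now, count_keepalive):
    """Seconds a second login must still wait for session A to expire."""
    ref = session.last_request if count_keepalive else session.last_user_action
    return max(0, ref + LIFETIME - now)

def simulate(count_keepalive, login_form_open=True, retry_every=300, horizon=3600):
    """User logs in on workstation A at t=0 and abandons it; workstation B
    retries every `retry_every` seconds. Returns (time B got in or None,
    list of (time, waiting time shown to B))."""
    a = Session(last_request=0, last_user_action=0)
    shown = []
    for now in range(1, horizon + 1):
        # Keep-alive request sent by the Login Form left open on workstation A.
        if login_form_open and now == a.last_request + LIFETIME - KEEPALIVE_LEAD:
            a.last_request = now
        if now % retry_every == 0:
            wait = wait_remaining(a, now, count_keepalive)
            shown.append((now, wait))
            if wait == 0:
                return now, shown   # session A expired, session B is established
    return None, shown

if __name__ == "__main__":
    for label, flag in (("keep-alive counts as activity", True),
                        ("keep-alive ignored", False)):
        admitted, shown = simulate(flag)
        print(label, "-> B admitted at", admitted)
        for t, wait in shown[:4]:
            print(f"  t={t:4d}s  wait={wait:3d}s")
```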