Keeping a castle secure requires you to keep watch in every direction. The same applies to websites — protecting your “digital castle” involves many different aspects.
Luckily, Drupal website security is on a pretty high level, so you just need to follow its best practices. You can always count on our Drupal support & maintenance team for the task of improving website security and implementing the best website security measures like:
- switching to HTTPS
- applying Drupal security updates
- bringing order to roles and permissions
- blocking access to important files
- installing security modules
- and many more.
Our team can not only protect your website but also your budget from extra expenses thanks to our reasonable pricing and quick problem solving.
Today, we are taking a closer look at one of the practices to improve website security that is rarely described — website session timeout. Let’s see how this is done by the Automated Logout Drupal module.
How to improve website security with automated logout
You might have noticed that online banking applications show a countdown of your session time. This session time is usually very, very short.
Of course, not all apps or websites deal with this level of sensitive operations. So their session expiration time may vary. Still, if you want to improve website security, your site needs an automated logout.
The explanation is simple: an expired session is useless to an attacker, so the sooner an idle session ends, the less time a hacker who has intercepted a user’s session ID has to use it to intrude into your site. This makes automated logout one of the website security basics that raise the overall protection level.
According to OWASP (Open Web Application Security Project), insufficient session expiration increases exposure to session-based attacks. The shorter your website session is, the fewer opportunities you leave open to attackers. So you should keep a good balance between security and usability depending on the purpose of your website.
Website security features of the Automated Logout Drupal module
As part of the security measures for a website, the Automated Logout contributed module for Drupal allows site admins to specify a period of inactivity after which users are automatically logged out.
The module is very flexible in its settings. Among its features to improve website security are:
- different session timeouts for different user roles
- individual website session timeouts on a per-user basis
- customized notifications about the upcoming logout
- JS mechanisms to keep users logged in when they have multiple tabs open or are working on a form
- and more
How to work with the Automated Logout Drupal module to improve security
Let’s see the module in action. With the module installed and enabled, go to Configuration — People — Automated logout settings. Here are the key details to configure:
1) The main time settings
- Set the timeout value in seconds (60 or longer). If role-based timeout is activated, this setting will not be used.
- Set the maximum timeout in seconds. This is the maximum time that can be set by users who are allowed to set their own timeout.
2) Time for a response
- Set the timeout padding in seconds. This is the time a user has for responding to the dialog before the logout (whether they want to resume the session or not).
3) Where to redirect users
- You need to set the redirect URL to which a user is redirected after the session is over.
4) User-specific and role-specific timeouts
- You can disable user-specific logout thresholds if you want to forbid everyone from setting their own individual logout time. If user-specific thresholds are allowed, they can be configured in individual user profiles in the People section of the admin dashboard. However, a user’s own value never exceeds the sitewide maximum timeout you have set in Point 1.
- You can enable role timeout if you want specific user roles to have their own per-role timeouts and redirect URLs. The permissions for specific roles can be set in the People — Permissions section of the admin dashboard.
5) The logout dialog settings
When the logout is approaching, it’s a good practice to show a dialog window to users that informs them about this and gives them a chance to respond “yes” or “no” to the option to reset their session. Here are the things you can customize:
- The dialog title
- The message to display in the logout dialog
- The message to display after the logout
- The type of message (status or warning)
- The time for a user’s response (see Point 2).
6) The response buttons
It’s also possible to customize the “confirm” and “decline” button text in the dialog window or totally disable the response buttons.
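To make the relationships between these settings concrete, here is an added example (not the module’s own code) that models the timeout policy described in Points 1 through 5: a user-specific threshold is capped by the sitewide maximum, role timeouts take precedence over the sitewide value, and the padding is the grace period during which the dialog is shown. The names `AutologoutPolicy`, `effective_timeout` and `session_state` are hypothetical, and the sample roles and durations are constructed.

```python
"""Model of the inactivity-timeout policy described above (illustration, not module code)."""
from dataclasses import dataclass, field


@dataclass
class AutologoutPolicy:
    timeout: int                 # sitewide inactivity timeout, seconds (Point 1)
    max_timeout: int             # ceiling for user-chosen timeouts (Point 1)
    padding: int                 # time allowed to answer the dialog (Point 2)
    role_logout: bool = False    # enable per-role timeouts (Point 4)
    role_timeouts: dict = field(default_factory=dict)  # role name -> seconds
    allow_user_thresholds: bool = True                 # user-specific thresholds (Point 4)

    def __post_init__(self):
        # The module's form accepts 60 seconds or longer for the main timeout.
        if self.timeout < 60:
            raise ValueError("timeout must be at least 60 seconds")
        if self.max_timeout < self.timeout or self.padding < 0:
            raise ValueError("max_timeout must be >= timeout and padding must be >= 0")

    def effective_timeout(self, roles, user_timeout=None):
        """Return the inactivity timeout (seconds) that applies to one user."""
        # 1. A user-specific threshold wins, but never beyond the sitewide maximum.
        if self.allow_user_thresholds and user_timeout is not None:
            return min(user_timeout, self.max_timeout)
        # 2. Role-based timeout: take the longest timeout among the user's roles.
        #    (Assumption: a user with several roles keeps the most permissive one.)
        if self.role_logout:
            matched = [self.role_timeouts[r] for r in roles if r in self.role_timeouts]
            if matched:
                return max(matched)
        # 3. Otherwise fall back to the sitewide value (assumption for roles with no value).
        return self.timeout

    def session_state(self, roles, idle_seconds, user_timeout=None):
        """Classify a session by how long the user has been idle."""
        limit = self.effective_timeout(roles, user_timeout)
        if idle_seconds < limit:
            return "active"
        if idle_seconds < limit + self.padding:
            return "dialog"      # warning shown; user may confirm or decline (Points 5 and 6)
        return "logged_out"      # redirect to the configured URL (Point 3)


if __name__ == "__main__":
    # Constructed sample: editors get 15 minutes, administrators 5, everyone else 30.
    policy = AutologoutPolicy(timeout=1800, max_timeout=3600, padding=30,
                              role_logout=True,
                              role_timeouts={"editor": 900, "administrator": 300})
    print(policy.session_state(["editor"], idle_seconds=910))   # dialog
```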
If you need to improve the standard look of the buttons to meet your brand’s identity or customize the above-described process in any other way, just contact a Drupal team.
Improve website security with our support experts!
It’s easy to stay safe when you take the best security measures for your website. Our Drupal development company knows how to improve website security, so let us help you make your site a protected place.
As support and maintenance experts, we strive to improve sites in every aspect, so you can ask us to improve not only your site’s security, but also its performance, SEO, etc.
You can reach out to us with tasks of any scope — from installing and configuring specific security modules to performing a comprehensive security audit at a good price. Drop us a line to improve website security today!