My first post here. Thanks so much for this cool server and the owncloud app. So I’ve been studying for my CISSP security certificate and it was brought to my attention that session length time can be a security vulnerability. I’m running UCS: 4.4-4 errata602 with Installed: letsencrypt=1.2.2-8 4.3/collabora=188.8.131.52 4.3/owncloud=10.3.2-1.
I’ve found out the settings I wish to change on my owncloud instance through modifying the owncloud.php; they are as follows:
'remember_login_cookie_lifetime' => 60*60*24*1,
# Lifetime of the remember login cookie, which is set when the user clicks the
# remember checkbox on the login screen. The default is 15 days, expressed in seconds.
'session_lifetime' => 60 * 60 * 1,
# The lifetime of a session after inactivity; the default is 24 hours, expressed in seconds.
'session_keepalive' => false,
So I’ve found a couple of .php files in the /var/lib/univention-appcenter/apps/owncloud/conf directory.
And of course I’ve read this:
config/config.php file to control server operations.
config/config.sample.php lists all the configurable parameters within ownCloud, along with example or default values. This document provides a more detailed reference. Most options are configurable on your Admin page, so it is usually not necessary to edit
config/config.php if you need to use a special value for a parameter. Do not copy everything from
config/config.sample.php. Only enter the parameters you wish to modify!
config/ directory, for example you could place your email server configuration in
email.config.php. This allows you to easily create and manage custom configurations, or to divide a large complex configuration file into a set of smaller files. These custom files are not overwritten by ownCloud, and the values in these files take precedence over
So I’ve tried adding my three lines of code in the config.php, but they break the web interface completely with a cannot modify header error. From inside the overwrite.config.php I see these lines:
So how do I modify these settings to auto logout of owncloud after the first hour, no matter if the browser is still open or not? Ideally I’d like these settings to persist across a reboot, but I would at the least like to get the session to time out after an hour. I want my server to be very secure. Thank you for helping me.
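
An added example, not part of the original post or of ownCloud's code: a Python pre-flight check for a `*.config.php` fragment carrying the three settings above. It flags bytes ahead of `<?php` (PHP sends them as output, after which headers can no longer be set) and typographic quotes, then compares the lifetimes with the one-day and one-hour values the post asks for. The function names and both sample fragments are constructed for illustration.

```python
import math
import re

# Upper bounds in seconds for the lifetimes named in the post (1 day, 1 hour).
LIMITS = {"remember_login_cookie_lifetime": 86400, "session_lifetime": 3600}
SMART = "\u2018\u2019\u201c\u201d"
ENTRY = re.compile(r"^\s*['\u2018\u2019](\w+)['\u2018\u2019]\s*=>\s*([^,\n]+),", re.M)


def seconds(expr):
    """Evaluate an integer product such as '60 * 60 * 1' without eval()."""
    parts = [p.strip() for p in expr.split("*")]
    return math.prod(map(int, parts)) if all(p.isdigit() for p in parts) else None


def check_fragment(raw):
    """Return a list of findings for the bytes of one *.config.php fragment."""
    findings = []
    if not raw.startswith(b"<?php"):
        # A BOM, blank line or text ahead of the open tag is emitted as output,
        # after which PHP can no longer send headers or cookies.
        findings.append("bytes before <?php")
    text = raw.decode("utf-8", errors="replace")
    if any(q in text for q in SMART):
        findings.append("typographic quotes in PHP source")
    values = dict(ENTRY.findall(text))
    for key, limit in LIMITS.items():
        value = seconds(values.get(key, ""))
        if value is None:
            findings.append(f"{key} missing or not an integer product")
        elif value > limit:
            findings.append(f"{key} is {value}s, above {limit}s")
    if values.get("session_keepalive", "").strip() != "false":
        findings.append("session_keepalive is not false")
    return findings


# Constructed samples: GOOD is clean; BAD has a BOM, curly quotes, 24 h session.
GOOD = b"""<?php
$CONFIG = array (
  'remember_login_cookie_lifetime' => 60*60*24*1,
  'session_lifetime' => 60 * 60 * 1,
  'session_keepalive' => false,
);
"""
BAD = "\ufeff<?php\n$CONFIG = array (\n  \u2018session_lifetime\u2019 => 60*60*24,\n);\n".encode()

if __name__ == "__main__":
    print(check_fragment(GOOD), check_fragment(BAD))
```

To check a real file, pass its bytes: `check_fragment(open(path, "rb").read())`.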