Modify Admin Session Lifetime in Magento 2: A Detailed Guide

Set Admin Session Lifetime Magento 2 - Created and developed specially for Magento 2, the Admin functions as a security measure for your online store. The password-protected back office facilitates the administrative work by allowing you to manage orders, catalog, content, and configurations effectively. The Admin times out after 900 seconds, or fifteen minutes of keyboard inactivity by default. If you’re using this Security extension, a warning email will be sent.

Security for Magento 2

Protect your store from cyber threats with Mageplaza's top-notch security services

Check it out!

However, you can always make adjustments to the lifetime of the session to fit your work style.

You can set Admin Session Lifetime in Magento 2 by following these following steps:

To set Admin Session Lifetime in Magento 2

Step 1: Open the Magento Security session
Step 2: Enter the Admin session lifetime which is measured in seconds
Step 3: Save the change

Step 1: Open the Magento Security session

On the Admin sidebar, click Stores > Settings: Configuration.
In the panel on the left, select Advanced > Admin.
Quickly look for the Security section, which is right below Admin Base URL.

Step 2: Enter the Admin session lifetime which is measured in seconds

Expand the Security section. Then do the following:

Admin Session Lifetime

Next to Admin Session Lifetime (seconds) field, erase the tick in the box before Use system value to remove the default session lifetime.
Then enter your preferred number of seconds during which a session remains active before timing out.

For Magento 2.1+ Issue Starting from Magento version 2.1, the admin session stays active until you close your web browser. This change was likely made for security reasons. The relevant code is in Magento\Backend\Model\Session\AdminConfig.

/**
 * Set session cookie lifetime to session duration
 *
 * @return $this
 */
protected function configureCookieLifetime()
{
    return $this->setCookieLifetime(0);
}

To change this behavior, you can use a plugin for this class. Insert the following interceptor method:

public function beforeSetCookieLifetime()
{
    $lifetime = $this->scopeConfig->getValue(
        \Magento\Framework\Session\Config::XML_PATH_COOKIE_LIFETIME,
        \Magento\Framework\App\Config\ScopeConfigInterface::SCOPE_TYPE_DEFAULT);
    return [$lifetime, \Magento\Framework\Session\Config::COOKIE_LIFETIME_DEFAULT];
}

Where $this->scopeConfig is an instance of \Magento\Framework\App\Config\ScopeConfigInterface, injected through constructor parameter.

With this modification, the cookie lifetime will be determined by your configuration settings, similar to the frontend.

It’s essential to note that the configuration in Stores > Configuration > Advanced > Admin Security > Session Lifetime no longer affects cookies. Instead, it influences the Redis session lifetime. If you increase the cookie lifetime, be sure to adjust this value as well.

Step 3: Save the change

Once you have finished setting the ideal length of session lifetime, tap Save Config. Done!

Related Post

Vinh Jacker

Hello, I'm the Chief Technology Officer of Mageplaza, and I am thrilled to share my story with you. My deep love and passion for technology have fueled my journey as a professional coder and an ultra-marathon runner. Over the past decade, I have accumulated extensive experience and honed my expertise in PHP development.

Looking for
Customization & Development Services?

8+ years of experiences in e-commerce & Magento has prepared us for any challenges, so that we can lead you to your success.

Get free consultant