I'm using Drupal 6 for a program that does some e-payment work. Because being logged in means that the browser can access a user's sensitive financial information, I want to make sure it will time out the session after an inactive period.
I tried using:
ini_set('session.cookie_lifetime', 600); //expire after 10 minutes of inactivity
However, this logs the user out after 10 minutes regardless of whether they had any activity since login.
Is there a different setting to use or a way to modify this setting to make the session expire after inactivity rather than have a hard and fast lifetime length?
Drupal lets users stay logged in until they log out. This may not seem logical to you, but it makes a lot of sense to people writing large posts, or willing to resume writing after a pause: they may get disappointed if, after a long day's work, they submit their post and get an error because their session has expired.
That said, you may review the Automated logout module, which seems likely to help you with your application's requirements.
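
The behaviour asked for in the question, a timeout that slides forward with each request, can be enforced server-side by keeping a last-activity timestamp in the session, because session.cookie_lifetime is counted from the moment the cookie is issued. The code below is an added example in plain PHP, not part of the original posts and not the Automated logout module's code; IDLE_LIMIT and both function names are hypothetical, and calling enforce_idle_timeout() from a custom module's hook_init() in Drupal 6 is an assumption.

```php
<?php
// Added example: not Drupal core or Automated logout module code.
// IDLE_LIMIT and both function names are hypothetical.
define('IDLE_LIMIT', 600); // 10 minutes, the value from the question

/**
 * Sliding-window check. Returns TRUE when the gap since the last request
 * exceeds $limit; otherwise records $now as the latest activity.
 * $session is passed by reference so the logic can be exercised on a plain array.
 */
function idle_timeout_expired(&$session, $now, $limit) {
  if (isset($session['last_activity'])
      && ($now - $session['last_activity']) > $limit) {
    return TRUE;
  }
  $session['last_activity'] = $now;
  return FALSE;
}

/** Call early on every request. Returns FALSE if the session was ended. */
function enforce_idle_timeout() {
  if (session_id() === '') {
    session_start();
  }
  if (!idle_timeout_expired($_SESSION, time(), IDLE_LIMIT)) {
    return TRUE;
  }
  // End the session on the server; the cookie expiry alone is client-controlled.
  $_SESSION = array();
  if (ini_get('session.use_cookies')) {
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
              $p['path'], $p['domain'], $p['secure'], $p['httponly']);
  }
  session_destroy();
  return FALSE;
}

// Constructed timeline, run from the command line.
if (PHP_SAPI === 'cli') {
  $s = array();
  foreach (array(0, 540, 1080, 1700) as $t) { // seconds since login
    $expired = idle_timeout_expired($s, $t, IDLE_LIMIT);
    echo $t, 's: ', $expired ? 'expired' : 'active', "\n";
  }
}
```

In the constructed timeline the session is still active at 1080 seconds, well past the 600 seconds at which a fixed cookie lifetime would have ended it, and expires only after a gap longer than the limit.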