UnderHost
Knowledgebase Docs

Session timeout: users logged out unexpectedly

Fix users getting logged out. Increase session timeout, fix browser cache, check server time, clear cookies.

Session timeout is when the server automatically logs out users after inactivity. If users get logged out too frequently, the timeout can be increased. Default is usually 30 minutes to 1 hour, but you can extend it for better user experience or shorten it for security.

Why sessions expire

Sessions end for several reasons:

  • Inactivity timeout (most common): User doesn't interact for configured duration (e.g., 30 minutes) → server logs them out
  • Absolute timeout: Session expires after maximum lifetime (e.g., 24 hours) regardless of activity
  • Browser cookie deleted: User clears cookies or uses private browsing → session invalid
  • Server time mismatch: Server clock is wrong; session timestamp invalid
  • Session data deleted: Server cleaned up temp files; session no longer exists
  • HTTP/HTTPS mismatch: Mixed HTTP and HTTPS requests → session cookies rejected
  • Domain mismatch: Session set for www.example.com but user visits example.com (or vice versa)
  • PHP session garbage collection: Old session files deleted from /tmp directory

Default timeout values

| System | Default timeout | Configurable? |
|---|---|---|
| WordPress | 2 weeks (AUTH_COOKIE_EXPIRATION) | Yes, editable in wp-config.php |
| PHP | 1440 seconds (24 minutes) | Yes, via php.ini or ini_set() |
| Apache/Nginx | Depends on app | Varies by application |
| Drupal | 1 day admin, 1 hour standard | Yes, admin settings |
| Joomla | 15 minutes (default) | Yes, admin settings |

Increase timeout in WordPress

WordPress stores the timeout in wp-config.php, in the AUTH_COOKIE_EXPIRATION constant.

Default value: 2 weeks (1209600 seconds)

To increase timeout:

  1. Edit wp-config.php via cPanel File Manager or SFTP
  2. Find or add this line (usually near bottom, before "That's all, stop editing!"):
    define('AUTH_COOKIE_EXPIRATION', 60 * 60 * 24 * 30);  // 30 days
  3. Adjust the last number (30) to desired days:
    • 7 = 1 week
    • 30 = 1 month
    • 365 = 1 year
  4. Save the file

For WordPress plugins using custom sessions: Plugin must define its own timeout. Check plugin settings in admin panel.

Custom PHP applications

Increase session timeout in php.ini or application code:

Method 1: Via .htaccess (shared hosting):

# Edit /home/cpusername/public_html/.htaccess
# 1 hour (in seconds)
php_value session.gc_maxlifetime 3600

Method 2: In application code (start of session):

<?php
ini_set('session.gc_maxlifetime', 86400);  // 24 hours
session_start();
?>

Method 3: VPS php.ini:

; Edit /etc/php/8.1/fpm/php.ini
session.gc_maxlifetime = 86400  ; 24 hours
session.cookie_lifetime = 86400

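Note: session.gc_maxlifetime sets how long the server keeps session data before garbage collection may delete it, which caps the session duration; session.cookie_lifetime sets how long the session cookie persists in the browser.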
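
PHP garbage collection runs probabilistically, so the settings above bound how long session data survives but do not give an exact logout time. The following is an added example, not code from this article or from UnderHost, that enforces the inactivity and absolute timeouts in application code; the two limits, the created_at/last_seen session keys and /login.php are assumptions.

```php
<?php
// Added example: enforce idle and absolute timeouts in the application.
// The limits, session keys and /login.php are assumptions for illustration.
const IDLE_LIMIT     = 1800;   // 30 minutes without a request
const ABSOLUTE_LIMIT = 86400;  // 24 hours since the session started

// Returns 'ok', 'idle_timeout' or 'absolute_timeout' for the session at $now.
function session_state(array $sess, int $now): string
{
    $created = $sess['created_at'] ?? $now;   // brand-new session: nothing to expire
    $last    = $sess['last_seen']  ?? $now;
    if ($now - $created > ABSOLUTE_LIMIT) {
        return 'absolute_timeout';
    }
    if ($now - $last > IDLE_LIMIT) {
        return 'idle_timeout';
    }
    return 'ok';
}

// Keep server-side data at least as long as the longest limit, so garbage
// collection does not remove the session before the application expires it.
ini_set('session.gc_maxlifetime', (string) ABSOLUTE_LIMIT);
ini_set('session.use_strict_mode', '1');   // reject session IDs the server did not issue
session_set_cookie_params([
    'lifetime' => ABSOLUTE_LIMIT,   // cookie survives a browser restart
    'path'     => '/',
    'secure'   => true,             // HTTPS only; serve the whole site over HTTPS
    'httponly' => true,             // not readable from JavaScript
    'samesite' => 'Lax',
]);
session_start();

$now   = time();
$state = session_state($_SESSION, $now);
if ($state !== 'ok') {
    error_log("session expired: reason=$state");   // makes logouts traceable in logs
    $_SESSION = [];
    session_destroy();
    header('Location: /login.php?reason=' . $state);
    exit;
}
$_SESSION['created_at'] ??= $now;   // set once; the login handler should also
$_SESSION['last_seen']    = $now;   // call session_regenerate_id(true)
```

On a server where several sites share one session directory, the shortest gc_maxlifetime among them can still delete these files early, so give the application its own session.save_path if logouts persist.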

Diagnose unexpected logouts

If users are logged out unexpectedly:

  1. Check timeout settings: Verify configured timeout vs actual behavior
    • WordPress: Check AUTH_COOKIE_EXPIRATION in wp-config.php
    • PHP: Check session.gc_maxlifetime in phpinfo()
  2. Check server time: Server time must be accurate (NTP sync)
    date  # Check server time
    timedatectl status  # Check NTP sync
  3. Check session directory: Sessions stored in /tmp; verify it's not full
    df -h /tmp  # Check disk space
    ls -la /tmp/php*  # Check session files
  4. Check logs: Look for error messages
    tail -100 /var/log/php-fpm.log
    grep -i session /var/log/syslog
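
An added example, not part of the original article: a PHP page that checks the same points from inside the web server's PHP process, where the effective settings can differ from what the CLI reports. The 50 MB threshold and the wording of the findings are assumptions.

```php
<?php
// Added example. Request this file through the web server so it reports the
// FPM/Apache configuration rather than the CLI one, then delete it.
const MIN_FREE_BYTES = 50 * 1024 * 1024;   // assumed threshold: 50 MB

function session_dir(): string
{
    $path = (string) ini_get('session.save_path');
    if ($path === '') {
        return sys_get_temp_dir();   // PHP falls back to the system temp directory
    }
    // save_path may be "N;/path" or "N;MODE;/path"; the directory is the last field
    $parts = explode(';', $path);
    return end($parts);
}

function session_findings(): array
{
    $findings = [];
    $gc       = (int) ini_get('session.gc_maxlifetime');
    $cookie   = (int) ini_get('session.cookie_lifetime');

    if ($cookie > $gc) {
        $findings[] = "cookie_lifetime ({$cookie}s) exceeds gc_maxlifetime ({$gc}s): "
                    . 'the cookie can outlive the server-side data';
    }
    if (ini_get('session.save_handler') === 'files') {
        $dir = session_dir();
        if (!is_dir($dir) || !is_writable($dir)) {
            $findings[] = "session directory $dir is missing or not writable by PHP";
        } elseif (disk_free_space($dir) < MIN_FREE_BYTES) {
            $findings[] = "session directory $dir is low on disk space";
        }
    }
    if ((int) ini_get('session.gc_probability') === 0) {
        $findings[] = 'gc_probability is 0: PHP does not clean sessions itself, '
                    . 'check for a cron job that does (Debian/Ubuntu ship one)';
    }
    if (!ini_get('session.cookie_secure')) {
        $findings[] = 'cookie_secure is off: the session cookie is also sent over HTTP';
    }
    return $findings;
}

header('Content-Type: text/plain');
echo 'server time: ', date('c'), "\n";
foreach (session_findings() ?: ['no findings'] as $line) {
    echo "- $line\n";
}
```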

Client-side session causes

Sometimes logouts are caused by the browser, not the server:

  • Browser cache: Cached old login page displayed → click "back" → session already expired
  • Cookies disabled: Browser cookies required for sessions; if disabled, user logs out immediately
  • Clear cookies on exit: Browser setting clears cookies when closed → next launch logs out
  • Private/incognito mode: Session cookies deleted when window closes
  • Third-party cookie blocking: Some browsers block cross-domain session cookies
  • HTTPS/HTTP mismatch: Navigating between HTTPS and HTTP loses session

To fix client-side issues:

  • Clear browser cookies: Ctrl+Shift+Delete → Clear all cookies
  • Verify cookies are enabled: Settings → Privacy → Cookies (enabled)
  • Disable "Clear cookies on exit" in browser
  • Don't use private/incognito mode for persistent login
  • Ensure site uses HTTPS consistently (no HTTP/HTTPS mixing)

Session management best practices

  1. Set reasonable timeout: Balance security vs user experience
    • Public sites: 30 minutes to 1 hour (security-focused)
    • Internal tools: 8-12 hours (usability-focused)
    • Admin panels: 2-4 hours (security-critical)
  2. Implement "remember me": Allow extended sessions if user opts-in
  3. Use refresh tokens: Modern apps: short access tokens + long refresh tokens
  4. Monitor session errors: Log unexpected logouts; investigate patterns
  5. Keep server time accurate: Use NTP for clock sync
  6. Clean up session files: Configure PHP garbage collection appropriately
  7. Test across browsers: Verify sessions work on Chrome, Firefox, Safari, Edge

Session timeout is a security feature

Timeouts protect accounts from unauthorized access if someone leaves their device unattended. Longer timeouts improve UX but reduce security. Choose the right balance for your site's risk profile.
