Session timeout not working for CHttpSession in Yii framework

Question 1

If you want that the user is sign out automatically after 30 minutes try:

'user' => array(
    'class' => 'WebUser',
    'loginUrl' => array('site/loginaccount'),
    'allowAutoLogin' => true,
    'authTimeout' => 1800
),

Question 2

protected/config/main.php : (define the session timeout)

$sessionTimeout = 5; // 5 secondes

return array(
        'params'=>array(
          'session_timeout'=> $sessionTimeout,
        );
        'components'=>array(
                'session' => array(
                        'class' => 'CDbHttpSession',
                        'timeout' => $sessionTimeout,
                ),
        ),
);

protected/views/layout/main.php : (define the refresh)

<html>
<head>  
        <?php if (!Yii::app()->user->isGuest) {?>
                <meta http-equiv="refresh" content="<?php echo Yii::app()->params['session_timeout'];?>;"/>
        <?php }?>
</head>
<body>
…
</body>
</html>

Question 3

I've read the source code of the CHttpSession. It is a wrap of the PHP Session. So, the mechanism of CHttpSession is the same with the PHP Session.

public function setTimeout($value)
{
    ini_set('session.gc_maxlifetime',$value);
}

the above is the code of timeout setter. it is just the setting of ini settings of the PHP. And according to the PHP documentation of session, after the maxlifetime, the session is just "potentially cleaned up", not for sure.

And the probability of it can be set by session.gc_probability. the default value is 1, which means 1%. So, you can set it to 100, make the garbage collection process run every time the script is run.

change your setting to

'session' => array(
    'class'=>'CHttpSession',
    'timeout'=>$params['session_timeout'],
    'autoStart'=>true,
    'gCProbability' => 100,
),

hope it helps.

Question 4

return array('components'=>array(
      'session'=>array( 
            'timeout' => 1800
        ),
    ),
);