[ZBX-8051] Checkbox auto-logout mostly doesn't work Created: 2014 Apr 08  Updated: 2024 Apr 10  Resolved: 2018 Jul 04

Status: Closed
Project: ZABBIX BUGS AND ISSUES
Component/s: Frontend (F)
Affects Version/s: 2.2.3, 2.3.0
Fix Version/s: 4.0.0alpha9, 4.0 (plan)

Type: Problem report Priority: Major
Reporter: Andrei Gushchin (Inactive) Assignee: Vjaceslavs Bogdanovs
Resolution: Fixed Votes: 0
Labels: login, profile
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Causes
Duplicate
duplicates ZBX-9370 bad and not described logic of "Remem... Reopened
is duplicated by ZBX-11282 user can't auto logout Closed
Team: Team C
Sprint: Sprint 36, Sprint 37
Story Points: 1

 Description   

Checkbox in user profile doesn't work.
1) Choose user profile.
2) Enable checkbox auto-logout, set for example 90 sec of delay.
3) Click save.
4) This option won't be saved for 2.2.3 and earlier

For trunk, only the checkbox state is saved but auto-logout doesn't happen



 Comments   
Comment by richlv [ 2014 Apr 09 ]

auto logout status is saved properly - it probably seems to be lost because checkbox "Remember me for 30 days" is not unmarked in the login form - that sets the "remember me" status, which negates auto-logout.

auto-logout itself - my tests are inconclusive
will test more later, but any tests should take "Show warning if Zabbix server is down" into account

Comment by Matthew Ross [ 2014 Dec 17 ]

Tested the following (v2.2.5):

1. Log in with Remember Me disabled.
2. Set auto-logout and save.
3. Log out.
4. Log in again with Remember Me disabled.
5. Verified auto-logout settings retained.
6. Log out.
7. Log in with Remember Me enabled.
8. Auto-logout settings cleared.
9. Log out.
10. Log in with Remember Me disabled.
11. Auto-logout settings are still cleared.

Also verified the settings are cleared in the database.

Not sure why the Remember Me setting should negate the auto-logout functionality?

Comment by Oleksii Zagorskyi [ 2015 Mar 04 ]

All required details of current behavior are documented now according to ZBX-9366, which, btw, contains more details of current issue.

ZBX-9370 also asks to fix related things.

Comment by Oleksii Zagorskyi [ 2015 Mar 25 ]

Not sure it's the best place to post it, but still... Some zabbix users complain that zabbix frontend floods zabbix DB with relatively hard queries like:

UPDATE sessions SET lastaccess=1427291815 WHERE userid='1' AND sessionid='09dba63bb393af3b149b466c2c1d8afe'
SELECT p.* FROM profiles p WHERE p.userid=1 ORDER BY p.userid,p.profileid

Results of investigations:
The "Show warning if Zabbix server is down" check has been implemented in ZBXNEXT-829
Its spec says:

Result and timestamp of last check are cached in PHP session, so if many tabs are open in browser, socket won't be opened for every tab separately.

Testing current 2.4 I can say that it's not true.
Every browser tab (Opera/Linux) produces TCP connection.
I reload single tab and after ~2 seconds I duplicate it.
First tab did the check and its TCP socket is closed after the ~2 seconds - right before second tab starts to perform its check, opening another TCP socket.
After 2nd tab did its check - its socket closed exactly after 5 seconds.
And so on.

Also, the spec didn't say anything about authorization.
It only says:

To determine if Zabbix server is running, PHP tries to open a socket with host and port taken from the config file "$ZBX_SERVER" and "$ZBX_SERVER_PORT" variables. Socket timeout is 3 seconds by default (can be changed in defines.inc.php "ZBX_SOCKET_TIMEOUT" constant).

When zabbix frontend (every browser tab) performs the check, it performs these SQLs:

150325 15:56:55 69967 Connect   root@localhost on 2.4
                69967 Query     SET NAMES utf8
                69967 Query     SHOW TABLES LIKE 'dbversion'
                69967 Query     SELECT dv.mandatory,dv.optional FROM dbversion dv
                69967 Query     BEGIN
                69967 Query     SELECT u.userid,u.autologout,s.lastaccess FROM sessions s,users u WHERE s.sessionid='09dba63bb393af3b149b466c2c1d8afe' AND s.status=0 AND s.userid=u.userid AND (s.lastaccess+u.autologout>1427291815 OR u.autologout=0)
                69967 Query     SELECT g.usrgrpid FROM usrgrp g,users_groups ug WHERE ug.userid='1' AND g.usrgrpid=ug.usrgrpid AND g.users_status=1 LIMIT 1 OFFSET 0
                69967 Query     UPDATE sessions SET lastaccess=1427291815 WHERE userid='1' AND sessionid='09dba63bb393af3b149b466c2c1d8afe'
                69967 Query     SELECT MAX(g.gui_access) AS gui_access FROM usrgrp g,users_groups ug WHERE ug.userid='1' AND g.usrgrpid=ug.usrgrpid
                69967 Query     SELECT u.userid,u.alias,u.name,u.surname,u.url,u.autologin,u.autologout,u.lang,u.refresh,u.type, u.theme,u.attempt_failed,u.attempt_ip,u.attempt_clock,u.rows_per_page FROM users u WHERE u.userid='1'
                69967 Query     SELECT ug.userid FROM usrgrp g,users_groups ug WHERE ug.userid='1' AND g.usrgrpid=ug.usrgrpid AND g.debug_mode=1
                69967 Query     COMMIT
                69967 Query     SELECT p.* FROM profiles p WHERE p.userid=1 ORDER BY p.userid,p.profileid
                69967 Quit

I don't quite understand why we perform authorization at all.

And I absolutely cannot understand why we perform SQL like SELECT p.* FROM profiles p WHERE p.userid=1 ORDER BY p.userid,p.profileid to just check server availability ...

Very related issue ZBXNEXT-2381

Comment by Vjaceslavs Bogdanovs [ 2018 Jun 28 ]

(1) No translation string changes.

gcalenko CLOSED

Comment by Vjaceslavs Bogdanovs [ 2018 Jun 28 ]

(2) [D] API documentation should be updated the following way:

  1. User.checkAuthentication method should be added to documentation (it is not currently listed right now). Currently method only allows one required string param "sessionid" that is Zabbix session id. Response to this call is in fact the same as response to User.login call with "userData" set to true (the difference is that user data is retrieved by session id and not by username / password). Documentation should also contain a note that calling this method will extend (prolong) user session.
  2. From 4.0 this method will allow setting additional optional boolean param "extend" that is set to true by default. Setting its value to false will allow to check session without extending its lifetime.

What's new section should contain a note about API change - that method User.checkAuthentication now contains additional param.

As for auto-logout feature (listed in https://www.zabbix.com/documentation/4.0/manual/web_interface/user_profile), additional note is required that leaving some pages open will cause extending of session lifetime and will not allow for auto-logout feature. All the pages that refresh data in a specific time interval (dashboards, graphs, screens, latest data, etc.) are performing extending of session, so auto-logout will not work with one of those pages open. This is true for all supported versions and not only for 4.0.

natalja.zabbix also can add additional note that Auto-logout can accept 0, which means Auto-logout will be disabled after profile settings update

natalja.cernohajeva: user.checkAuthentication method added to documentation for all supported versions:

2.2, user.checkAuthentication;

3.0, user.checkAuthentication;

3.4, user.checkAuthentication;

4.0, user.checkAuthentication (only difference from previous- "extend" parameter mentioning);

4.0, what's new (API improvements section);

User profile page, 4.0, Auto-logout parameter

User profile page 2.2, 3.0 and 3.4 Auto-logout parameter completed the same way as for 4.0.

RESOLVED

vjaceslavs Great! CLOSED 

Comment by Vjaceslavs Bogdanovs [ 2018 Jul 03 ]

Available in 4.0.0alpha9 (trunk) r82449

Comment by richlv [ 2018 Jul 14 ]

Could you please expand on what did the fix include and what is the expected behaviour?

For example, what of the following would now reset the user inactivity timer?

  • server status check
  • entering something in the global search field
  • entering something in a filter field that performs lookup (like host field)
  • clicking "filter" in any filter
  • clicking on a menu entry
  • accessing graph png directly

In general, a detailed description on how this feature is expected to work would be greatly appreciated.

sasha Look at the comment above. It was mistakenly hidden from users.

<richlv> Thank you, that's great info. Are there any calls within Zabbix trunk currently that set this flag to false? While the comment talks about reloading graphs, what about the server status checks, do they reset the session?

<vjaceslavs> No they don't. All the server status checks as well as message related calls (not initiated by users).

So, user actions will still prolong the session - so submitting the forms (no matter it filters or not) will always prolong session lifetime. Exceptions for async calls (not directly initiated by user) are listed above.
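
The session check from the query log above and the "extend" flag described for user.checkAuthentication, as an added example that is not Zabbix code and not part of the original comments: a reduced SQLite model showing why an idle user with a polling page open is never logged out when every check extends the session. The two-table layout, the helper names and the 30-second polling interval are assumptions.

```python
import sqlite3

# Constructed model: only the columns touched by the logged queries are kept.
def make_db(autologout):
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (userid INTEGER PRIMARY KEY, autologout INTEGER);
        CREATE TABLE sessions (sessionid TEXT PRIMARY KEY, userid INTEGER,
                               lastaccess INTEGER, status INTEGER);
    """)
    db.execute("INSERT INTO users VALUES (1, ?)", (autologout,))
    db.execute("INSERT INTO sessions VALUES ('s1', 1, 0, 0)")  # login at t=0
    return db

def check_authentication(db, sessionid, now, extend=True):
    """Return True if the session is valid at `now`.

    The WHERE clause is the validity condition from the logged SELECT.
    `extend` models the optional flag: when False (assumed behaviour),
    the lastaccess UPDATE is skipped.
    """
    row = db.execute(
        "SELECT u.userid FROM sessions s, users u "
        "WHERE s.sessionid=? AND s.status=0 AND s.userid=u.userid "
        "AND (s.lastaccess+u.autologout>? OR u.autologout=0)",
        (sessionid, now)).fetchone()
    if row is None:
        return False
    if extend:
        db.execute(
            "UPDATE sessions SET lastaccess=? WHERE userid=? AND sessionid=?",
            (now, row[0], sessionid))
    return True

def first_logout(autologout, poll_every, extend, horizon=600):
    """The user is idle after login; only a background poll runs.

    Returns the first poll time (seconds) at which the session is
    rejected, or None if it survives the whole horizon.
    """
    db = make_db(autologout)
    for now in range(poll_every, horizon + 1, poll_every):
        if not check_authentication(db, "s1", now, extend=extend):
            return now
    return None

if __name__ == "__main__":
    print("extend=True :", first_logout(90, 30, extend=True))
    print("extend=False:", first_logout(90, 30, extend=False))
```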

Generated at Thu Apr 18 21:06:40 EEST 2024 using Jira 9.12.4#9120004-sha1:625303b708afdb767e17cb2838290c41888e9ff0.