auto_logout

The Auto Logout module for Drupal 10/11 automatically logs out inactive users after a configurable period of inactivity, helping improve site security and session management. It provides a fully themeable warning dialog, role-based timeout controls, cross-tab synchronization, and a standalone embeddable JavaScript library for React, Vue, Angular, and headless frontends. The module is designed for both traditional Drupal sites and modern decoupled applications that require secure session expiration handling.

Features

• Automatic session timeout: Automatically logs out inactive users after a configurable inactivity period.
• Themeable warning dialog: Displays a customizable countdown dialog before logout using Twig templates and CSS variables.
• Six built-in dialog layouts: Includes Centered Modal, Toast Notification, Bottom Banner, Sidebar Panel, Fullscreen Takeover, and Custom/Unstyled modes.
• Role-based timeout policies: Configure different inactivity timeouts for different Drupal roles.
• User-specific overrides: Allow users to customize or disable auto logout within administrator-defined limits.
• Cross-tab synchronization: Keeps logout timers synchronized across multiple browser tabs using BroadcastChannel and localStorage fallback.
• Headless / SPA support: Includes a standalone embeddable JavaScript library compatible with React, Vue, Angular, and plain HTML applications.
• Server-side session validation: Optional keep-alive polling verifies session validity directly with Drupal.
• Path exclusions: Exclude specific routes such as admin pages, APIs, or batch operations.
• Redirect to previous page: After re-login, users can automatically return to the page they were viewing before logout.
• Accessible and responsive UI: WCAG 2.1 AA compliant with keyboard navigation, focus trapping, dark mode, and reduced motion support.
• Zero JavaScript dependencies: Built entirely with vanilla JavaScript and Drupal core APIs.

Installation

Install the module using Composer (recommended):

composer require drupal/auto_logout

Enable the module:

drush en auto_logout

Clear Drupal caches:

drush cr

Post-Installation

After enabling the module:

1. Navigate to Configuration » People » Auto Logout.
2. Enable the module globally and configure the inactivity timeout duration.
3. Customize the warning dialog text, layout style, and redirect behavior.
4. Optionally configure:
   • Role-based timeout policies
   • User override settings
   • Excluded paths
   • Cross-origin frontend support
   • Debug logging
5. Grant permissions under People » Permissions:
   • administer auto logout
   • bypass auto logout
   • change auto logout own settings

The warning dialog is fully themeable using Twig template overrides and custom CSS. External applications can connect using the included REST API endpoints and embeddable JavaScript library.

Additional Requirements

This module requires:

• Drupal 10.x or 11.x
• PHP 8.1 or higher
• Drupal core User and System modules

No third-party JavaScript libraries or external services are required.

Recommended modules/libraries

• Key module: Useful for securing external API credentials when using decoupled frontends.
• JSON:API: Recommended for headless Drupal integrations.
• Simple OAuth: Useful for decoupled authentication workflows.
• Advanced CSS/Theme frameworks: Optional for creating custom branded dialog layouts.

Similar projects

• Automated Logout —
  Provides inactivity logout functionality for Drupal sites. Auto Logout differentiates itself with modern UI layouts, cross-tab synchronization, embeddable frontend support, REST APIs, and a fully themeable Twig-rendered dialog system.
• Session Limit —
  Focuses primarily on concurrent session restrictions rather than inactivity-based logout workflows.

Supporting this Module

Found a bug or have an idea for improvements such as additional layouts, SSO integrations, or enhanced session analytics? Please open an issue in the project issue queue and contribute feedback, patches, or feature requests.

Community contributions, testing, and documentation improvements are always welcome.

Community Documentation

• Project documentation and examples can be added here.
• Video walkthroughs and setup tutorials are welcome.
• Example integrations for React, Vue, Angular, and headless Drupal applications can also be included.

Security Focus

Auto Logout is designed for websites and applications where session security is critical, including enterprise dashboards, healthcare systems, financial platforms, educational portals, government systems, and headless Drupal applications.

The module ensures that inactivity policies are enforced server-side while still providing a modern, user-friendly warning experience.