Bypass EOT?

PostPosted: April 30th, 2011, 5:59 pm
by theone
I noticed something a little unsettling and wanted to know if it's of any concern or if there is some sort of security feature in place (i.e. login timeout) to prevent it.

I found that if a user is logged in when their EOT expires, they will still have access to the site for as long as they remain logged in. As long as they don't clear their cookies or sign out the EOT will never take effect (until they logout).

I know there is a plugin for auto-logout of inactive users but assuming you aren't using something like that, does s2member have anything built-in to prevent this?

http://wordpress.org/extend/plugins/auto-logout/

Re: Bypass EOT?

PostPosted: May 3rd, 2011, 9:01 pm
by Jason Caldwell
Thanks for reporting this important issue.

Sorry for any confusion. That's NOT the case.
WordPress/s2Member pulls the User object on each page view. When an EOT occurs, it would take effect immediately; even if the User/Member is already logged-in. By default, s2Member will only demote the Member back down to a Free Subscriber. So this means the User would continue to have access to the Login Welcome Page, as do all Users, regardless of Level. However, they would immediately lose access to all paid areas of the site, protected at Level #1 or higher. This is also true for any Custom Capabilities. The only thing that *could* have a negative effect on this, is if you are using some advanced database caching plugin, which might take a bit longer to renew its DB cache. In that case, it could take several minutes before the User/Member actually loses paid access.
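The point Jason makes is a general one: authorization has to be re-evaluated against the user's current record on every request, not captured once at login. The following is an added, constructed model of the three situations in this thread (per-request lookup, a role cached in the session until logout, and a read-through DB cache with a time-to-live). It is not s2Member's or WordPress's code; the user store, level numbers and the `TtlCachedStore` class are all assumptions made for the illustration, written in Python so it runs stand-alone.

```python
"""Per-request authorization versus a role cached at login.

Constructed illustration (not s2Member code). Level numbering follows the
thread: 0 = Free Subscriber (Login Welcome Page only), 1 and up = paid areas.
"""
import time


def apply_eot(user_id, store):
    """Model the End Of Term: demote the member back to Free Subscriber (level 0)."""
    store[user_id]["level"] = 0


def can_access_per_request(user_id, required_level, store):
    """Re-read the user record on each request (the behaviour Jason describes).
    `store` only needs a dict-like .get(); a caching layer can stand in for it."""
    user = store.get(user_id)
    return user is not None and user["level"] >= required_level


class SessionCachedRole:
    """Insecure pattern: the level is captured at login and trusted until logout.
    This is the scenario theone was worried about."""

    def __init__(self, user_id, store):
        self.user_id = user_id
        self.level_at_login = store[user_id]["level"]

    def can_access(self, required_level):
        return self.level_at_login >= required_level


class TtlCachedStore:
    """Read-through cache with a time-to-live, modelling the DB caching plugin
    Jason mentions: a demotion stays invisible until the cached copy expires
    (or is explicitly invalidated when the role changes)."""

    def __init__(self, store, ttl_seconds, clock=time.monotonic):
        self.store = store
        self.ttl = ttl_seconds
        self.clock = clock  # injectable so the behaviour can be tested deterministically
        self._cache = {}  # user_id -> (expires_at, copied record)

    def get(self, user_id):
        now = self.clock()
        hit = self._cache.get(user_id)
        if hit is not None and hit[0] > now:
            return hit[1]
        record = self.store.get(user_id)
        if record is not None:
            record = dict(record)  # snapshot, like a serialized DB row in a cache
            self._cache[user_id] = (now + self.ttl, record)
        return record

    def invalidate(self, user_id):
        """Mitigation: bust the cache entry whenever the user's role changes."""
        self._cache.pop(user_id, None)


def demo():
    """Run the three scenarios and return their outcomes as a dict."""
    store = {"alice": {"level": 2}}  # constructed sample user
    results = {}

    # 1. Per-request lookup: the demotion is enforced on the very next request.
    results["before_eot"] = can_access_per_request("alice", 1, store)
    apply_eot("alice", store)
    results["per_request_after_eot"] = can_access_per_request("alice", 1, store)
    results["welcome_page_after_eot"] = can_access_per_request("alice", 0, store)

    # 2. Role cached in the session: the stale level survives the EOT until logout.
    store["alice"]["level"] = 2
    session = SessionCachedRole("alice", store)
    apply_eot("alice", store)
    results["session_cached_after_eot"] = session.can_access(1)

    # 3. TTL cache in front of the store: demotion is delayed by up to one TTL.
    store["alice"]["level"] = 2
    fake_now = [0.0]
    cached = TtlCachedStore(store, ttl_seconds=300, clock=lambda: fake_now[0])
    cached.get("alice")  # warm the cache at t=0
    apply_eot("alice", store)
    results["ttl_cache_immediately"] = can_access_per_request("alice", 1, cached)
    fake_now[0] = 301.0  # one TTL later the stale copy is dropped
    results["ttl_cache_after_expiry"] = can_access_per_request("alice", 1, cached)

    # 3b. Same cache, but the role change invalidates the entry: no delay at all.
    store["alice"]["level"] = 2
    fake_now[0] = 1000.0
    cached.get("alice")
    apply_eot("alice", store)
    cached.invalidate("alice")
    results["ttl_cache_after_invalidate"] = can_access_per_request("alice", 1, cached)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Scenario 1 is what Jason describes: because nothing about the level lives in the login session, the demotion applies on the next page view. Scenario 2 is the design that would actually produce the bypass theone described. Scenario 3 shows why a caching plugin can delay enforcement by its TTL, and 3b shows the usual fix, invalidating the cached user record whenever a role or capability changes.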