Your issue isn't caused by CB, but by how Joomla handles database session clean up. Joomla used to purge expired database sessions on every page load, but that was changed in 3.8.4 explained in more detail below. Basically they changed Database session garbage collection to be based off PHP session garbage collection and specifically depends on session.gc_probability being set. If it's set to 0 it means PHP session garbage collection will never happen and thus sessions never expire.

github.com/joomla/joomla-cms/pull/19548

A plugin was added at some point to help with this though. Within Extensions > Plugins be sure "System - Session Data Purge" exists, is published, and public access. If it isn't then database session data will never clear unless PHP session garbage collection is configured. In addition to this it has a probability setting. By default there's only a 1% chance a page load triggers a session clean up. You can adjust this within the plugin using "Probability" and "Divisor" parameters.

Alternatively the recommended approach is to switch to PHP based session handling within Joomla global configuration change "Session Handler" from Database to PHP and just let PHP handle sessions.

More than likely everything is already setup correctly and it's just the 1% probability not clearing the session. I don't think you have anything to worry about. If you need strict session clean up behavior you'll want to setup a CRON task to call Joomlas CI URL for session clean up (sorry, I don't know what it is).

CB Connect cannot have any impact on sessions. CB does not manage sessions. The users session is still there because they left the site while logged in, the session expired, and is now waiting to be cleaned up by garbage collection behavior.

This applies to all login sessions as that's the behavior of Joomlas session clean up processes now. There's a 1% chance per page load that expired sessions will be cleared. I've confirmed this using regular login and CB Connect login sessions. You are only noticing it now because Joomla only recently changed this behavior in 3.8.4 and all releases before that the session garbage collection would be applied to every page load.

If you want sessions to always purge on every page load then edit "System - Session Data Purge" in Extensions > Plugins and set "Probability" and "Divisor" both to 100. I don't recommend doing this though. Again, the session is expired it just is not cleared from the database (which is 100% handled by Joomla). If you're using PHP sessions then be sure your PHP session garbage collection is even turned on via session.gc_probability and session.gc_divisor INI settings.

Tested facebook login (cb connect). The session never ends for the user. After 30 minutes he can still post, edit do anything he wants. Session is not expired. It is not a matter of garbage. The user did not close the page and left. I was just sitting there for 30 minutes waiting to see if the session will expire.

Your test will never work like that. They won't expire due to keepalive (believe default is it refreshes every 5 minutes). It's just sitting there refreshing its timestamp. If the cookie for the session still exists and the session still exists in the database or in PHP they'll still be logged in as well. This means you need to completely close the browser, let the session expire, then open your browser. Assuming garbage collection triggered that session won't exist anymore and they won't be logged in.

session.gc_probability=1
session.gc_divisor = 100

System - Session Data Purge enabled 1/100

This means there is a 1% chance session garbage collection will trigger on a page load.

Is there a chance that facebook does not allow the session to expire by setting browser cookies or something like that when logging in?

No, again CB has no control over sessions.


This isn't really an issue that needs solving or even an issue. Simply leave the sessions alone and let Joomla handle them in time.