
Login Security problem ?

3/10/2020 9:59:37 AM
PHPRunner General questions
kohle author

I made a simple test.

In the event "After successful login" I put code for a redirect and exit. Only this code:
header("Location: test.php");
exit();
A login should never work, right?
I built it and viewed it in the browser. I entered login and password with "REMEMBER ME" activated.

I was redirected to localhost/test.php. That is ok.
Then I changed the address in the browser to localhost/login and hit refresh,
and I entered my website menu. No redirect.
That is not good, because I want to check the expiry date of an account in the after successful login event,
and I don't know if all session variables I want to put there are set.
What can I do? Is this normal?

Sergey Kornilov admin 3/10/2020

I must say I don't quite follow your scenario. If you need to perform some extra validation like expiration date of the account you need to do that in BeforeLogin event and deny the login if validation didn't pass.

kohle author 3/10/2020



I must say I don't quite follow your scenario. If you need to perform some extra validation like expiration date of the account you need to do that in BeforeLogin event and deny the login if validation didn't pass.


I think you don't understand. I sent a video to your support. It shows that the After Successful Login event is not triggered if "remember me" is selected.
Here is the video: https://youtu.be/gIl8eLRkCdA

Sergey Kornilov admin 3/10/2020

Again, if you need to check anything that may prevent user from logging in - it needs to be done in the BeforeLogon event. This is how it is supposed to work.

kohle author 3/11/2020



Again, if you need to check anything that may prevent user from logging in - it needs to be done in the BeforeLogon event. This is how it is supposed to work.


Is this so complicated to explain? I'll try a different way to explain what happens:

  1. No code in before and after login!
  2. The customer has a link on his desktop: <domain>/login.php
  3. He once made a successful login with "remember password".
  4. When he logs in he goes directly to menu.php, without the login page. (PHPRunner does that, not me.)
  5. Now I put in before login: return false, only this code; forget after login, there is now nothing.
  6. The customer clicks his link on the desktop: <domain>/login.php
  7. The customer goes directly to menu.php!
  8. You can put redirect, exit in before login. It doesn't work, the customer ends up in menu.php.
    Try it!
    My problem now is that after the "free trial" period of my customer's website, all people with "remember password" checked still have access without paying.

Steve Seymour 3/11/2020



Is this so complicated to explain? I'll try a different way to explain what happens:

  1. No code in before and after login!
  2. The customer has a link on his desktop: <domain>/login.php
  3. He once made a successful login with "remember password".
  4. When he logs in he goes directly to menu.php, without the login page. (PHPRunner does that, not me.)
  5. Now I put in before login: return false, only this code; forget after login, there is now nothing.
  6. The customer clicks his link on the desktop: <domain>/login.php
  7. The customer goes directly to menu.php!
  8. You can put redirect, exit in before login. It doesn't work, the customer ends up in menu.php.
    Try it!
    My problem now is that after the "free trial" period of my customer's website, all people with "remember password" checked still have access without paying.


I understand what you are saying... If a user doesn't log out and used the remember me option, they will be logged in next time they visit the page.
You will need to delete the "remember me" cookie..

Have a look here... https://www.codeproject.com/Questions/423515/clearing-cookies-on-closing-browser-tab
Solution 2, this JavaScript, may work for you (duplicated below).

Placed in the header/footer on the editor page?

-----------------------------------------
<body onunload="deleteAllCookies()">
<script>
function deleteAllCookies() {
    // Expire every cookie that is visible to this page. Cookies flagged HttpOnly
    // (which a server session cookie usually is) are not readable or removable
    // from JavaScript at all, so this only clears what document.cookie can see.
    var cookies = document.cookie.split(";");
    for (var i = 0; i < cookies.length; i++) {
        var cookie = cookies[i].trim();            // split leaves a leading space
        var eqPos = cookie.indexOf("=");
        var name = eqPos > -1 ? cookie.substr(0, eqPos) : cookie;
        // A cookie is only deleted when the expiring write uses the same path it
        // was set with; path=/ matches the usual site-wide cookie.
        document.cookie = name + "=;expires=Thu, 01 Jan 1970 00:00:00 GMT;path=/";
    }
}
</script>
------------------------------------------------------------------------------
I haven't been able to get this to work yet in JavaScript, but I think it's what you need to do after determining where to place the code.
However, you could create a non-persistent cookie and check for it.
See these functions:
setcookie

get cookie value

To set a cookie for 20 min you can do this:
setcookie("TestCookie", "1", time() + (60 * 20)); // 60 seconds (1 minute) * 20 = 20 minutes; setcookie stores the value as a string

Check if the cookie is set:
if (isset($_COOKIE['TestCookie']) && $_COOKIE['TestCookie'] == true) {
    // IS SET and has a true value (logged in)
} else {
    // not set or expired: redirect to the logon page.
    // $_COOKIE is sent by the browser, so this only tells you the cookie is missing, nothing more.
    header("Location: login.php");
    exit();
}

MikeT 3/11/2020

It's not triggered because you're still logged in...

For what you want to achieve you need a different process. The first step would be, as I understand your thing, to set a session timeout, then do your expiry test in the before successful login event.



I think you don't understand. I sent a video to your support. It shows that the After Successful Login event is not triggered if "remember me" is selected.
Here is the video: https://youtu.be/gIl8eLRkCdA

Sergey Kornilov admin 3/11/2020

We have checked the code and it appears that the BeforeLogin event will not be called in this scenario but the AfterSuccessfulLogin event will.
So in the AfterSuccessfulLogin event, you need to add code that checks if the user still has access and, if they don't, logs them out and redirects back to the login page.
How to log the user out:

https://xlinesoft.com/phprunner/docs/secapi_logout.htm
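An added example (not from this thread and not PHPRunner's own code) of the approach Sergey describes: an AfterSuccessfulLogin event body that compares the account's expiry date with today and, when it has passed, logs the user out and sends them back to login.php. It assumes a `trial_expires` DATE column in the login table, that `$data` holds the logged-in user's row, the `AfterSuccessfulLogin($username, $extra, $data, $pageObject)` event signature, and the `Security::logout()` call from the linked Security API page; check all of these against your PHPRunner version's docs.

```php
<?php
// Added example, not PHPRunner's own code. Assumed: $data is the user's row
// from the login table and it has a `trial_expires` DATE column (Y-m-d).

// Returns true while the account is still inside its paid or trial period.
// A missing or unparseable expiry date denies access (fail closed), so a NULL
// in the column cannot silently extend a trial.
function accountStillActive(array $data, DateTimeInterface $now = null): bool
{
    $now = $now ?? new DateTimeImmutable('today');   // midnight today
    $raw = isset($data['trial_expires']) ? (string) $data['trial_expires'] : '';
    if ($raw === '') {
        return false;
    }
    // '!' resets unspecified fields to zero so both sides are compared at midnight.
    $expires = DateTimeImmutable::createFromFormat('!Y-m-d', $raw);
    if ($expires === false) {
        return false;                                 // bad data: deny, don't guess
    }
    // Access is allowed through the end of the expiry day.
    return $expires >= $now;
}

// Event body. Because a "remember me" auto-login skips BeforeLogin (see
// Sergey's reply above), the check has to live here, where auto-logins arrive.
// Event signature assumed; verify it in your PHPRunner version.
function AfterSuccessfulLogin($username, $extra, $data, $pageObject)
{
    if (!accountStillActive($data)) {
        Security::logout();                 // assumed: Security API logout (see link above)
        header("Location: login.php?expired=1");
        exit();
    }
    // Account is valid: keep the expiry in the session for later page checks.
    $_SESSION['trial_expires'] = $data['trial_expires'];
}
```

The function is split from the event body so you can unit-test `accountStillActive()` with a fixed `$now` (for example an account expiring today should still pass, one that expired yesterday should not).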

kohle author 3/12/2020

Thanks for your help. I will try it.
I like that you can stay logged in, especially on a mobile device.

Maybe a new event like after_auto_login could be useful in the future.
Under time pressure I made a workaround and integrated the validations of the customer in the
before process event in my most important list page of the project.
I can put the validation in a separate PHP file and include it in several before process events too.

But for now it's ok.
I think it would be good to add more information to the documentation and help file about the logic
of the login process.
rg

J.K
Edit:

On a mobile Android device it seems that the browser stays "open" in the background for days, depending on your memory size.

Most people don't close the browser; it goes into the background when you click the home or back button.