Admin session logs out when wireless connection has hiccup

[Peter Falkenberg Brown]

Dear All,

Tonight my wife and I were posting a long article in our new ProcessWire install of the Significato Journal.

We logged in on her laptop, with a wireless connection, and started on an article.

After adding all the field data, and then after working on a long body text paste and cleanup, we hit "Publish" and were brought to the Login page, much to our dismay, because after we logged in again, all the field data and body text was lost (although the images were still connected to the article).

It happened once more during the 2 hour session, but that time I had hit Ctrl-A, Ctrl-C in the body text field, before I hit Save, so that I was able to paste the body text in again.

My impression of the wire_challenge cookie is that it lasts as long as the browser is open (which defines a session). Is that correct?

However, I think that the wire_challenge cookie gets deleted whenever there's a connection hiccup.

I confirmed this in a new session on my laptop. I use an encrypted VPN called Private Internet Access. Using that, I logged into PW, and then disconnected from the VPN. My regular wireless connection was still active, but I had to re-login. When I looked at the cookies, the wire_challenge cookie was missing.

Perhaps my wife's laptop (which did not have the VPN active at that time) experienced a connection glitch with the primary wireless connection.

Or... could it be something else?

Is there any way to stay logged in, even if the VPN connection, or main wireless connection, dies?

That is, the *browser* is still open, so I would have thought that the browser would maintain the cookie.

It's *very* disconcerting to lose the connection after a major edit, when one hits Save.

I don't remember this happening in all the years I used MODX, but it's happened a number of times with ProcessWire.

EDIT: I just confirmed that when I log into MODX Evo, and then disconnect my VPN, I stay logged into MODX, and can keep working.

However, I re-confirmed that with PW, doing the same thing, I need to re-login after disconnecting my VPN.

Thanks for any tips.

Peter

[Craig]

This could be down to the IP address of your connection.

The ProcessWire config variable 'sessionFingerprint' ensures consistency between IP address and user agent of the session information. This helps to prevent "session fixation" - whereby malicious users could potentially use your session cookie information to impersonate you and gain unauthorised access to the site.

To determine if this is the cause, try changing sessionFingerprint to false in your site's config.php file, and carry out your VPN connection test again as you described.

[ryan]

Craig is correct, as this is most definitely related to the sessionFingerprint, as your IP address is clearly changing when the VPN disconnects and reconnects. It sounds like in your case, you should disable that feature by setting it to false in your /site/config.php file. I'm 99% sure that'll fix the issue you are experiencing. 

[Peter Falkenberg Brown]

Dear Craig and Ryan,

Yes, that solved it with the VPN. Thanks! I should have noticed that.

If the non-VPN cable connection perhaps assigned a different dynamic IP when it hiccuped, that would also be solved, I presume.

If it didn't assign a different IP, I'm not sure. We'll see how it goes.

Thanks again.

Peter