fbg13 Posted November 8, 2016

I keep getting logged out after about 20 minutes and I've got no idea why. All session configs have default values, PW v3.0.39.

Also, in the session logs I have this:

Quote:
    User 'admin' - Error: Session fingerprint changed (IP address or useragent) (IP: 141.101.99.252)

Is that IP address supposed to be mine? Because it's not.

adrian Posted November 8, 2016

I would try the session fingerprint config setting. Start by setting it to false and if that works you can try to make it more secure after that:

https://github.com/processwire/processwire/blob/36984e4a057268b7a45b848e1b3b6ee757583459/wire/config.php#L241

Obviously make the change in your site/config.php file, not the wire one I pointed to.

fbg13 Posted November 8, 2016

$config->sessionFingerprint set to 0 or 8 seems to work, but 1 and 2 keep logging me out. My IP is not changing while the logout happens (not to my knowledge).

The sessions directory has ~12k files in it. Is that normal?

Quote:
    User 'admin' - Error: Session fingerprint changed (IP address or useragent) (IP: 173.245.53.109)

Can someone explain the above message? My IP is not 173.245.53.109.

BitPoet Posted November 8, 2016

Some race condition on the server with a shared session directory perhaps? In that case, enabling SessionHandlerDatabase should instantly get rid of the problem.

Looking closer, two of the three IPs in the log belong to Cloudflare, so if you're using their CDN to speed up the site, this could be a misconfiguration there too. Is the backend routed through Cloudflare? Could it be that there's an option to preserve cookies active? I've got no experience with Cloudflare, but I have seen some very dangerous options to that extent available with Akamai.

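The check BitPoet describes, looking up whether the addresses in the session log belong to a proxy rather than to the user, can be scripted. This is an added example, not part of the original posts and not ProcessWire code; `PROXY_RANGES`, `ipInCidr` and `triageSessionLog` are hypothetical names, the ranges are a subset of Cloudflare's published IPv4 list, and the third log line is constructed.

```php
<?php
// Added example, not ProcessWire code. PROXY_RANGES is a subset of the IPv4
// ranges Cloudflare publishes at https://www.cloudflare.com/ips/; load the
// current full list in real use.
const PROXY_RANGES = ['173.245.48.0/20', '141.101.64.0/18', '108.162.192.0/18', '162.158.0.0/15'];

// True if the IPv4 address $ip lies inside the CIDR block $cidr.
function ipInCidr(string $ip, string $cidr): bool
{
    [$net, $bits] = explode('/', $cidr);
    $ipLong  = ip2long($ip);
    $netLong = ip2long($net);
    if ($ipLong === false || $netLong === false) {
        return false; // not a valid IPv4 address
    }
    $mask = -1 << (32 - (int) $bits);
    return ($ipLong & $mask) === ($netLong & $mask);
}

// Extract the IP from each "fingerprint changed" log line and classify it.
function triageSessionLog(array $lines): array
{
    $result = [];
    foreach ($lines as $line) {
        if (!preg_match('/Session fingerprint changed.*\(IP: (\d{1,3}(?:\.\d{1,3}){3})\)/', $line, $m)) {
            continue;
        }
        $viaProxy = false;
        foreach (PROXY_RANGES as $cidr) {
            if (ipInCidr($m[1], $cidr)) { $viaProxy = true; break; }
        }
        $result[$m[1]] = $viaProxy ? 'proxy edge address' : 'direct client address';
    }
    return $result;
}

// First two lines are the entries quoted in this thread; the third is constructed.
$log = [
    "User 'admin' - Error: Session fingerprint changed (IP address or useragent) (IP: 141.101.99.252)",
    "User 'admin' - Error: Session fingerprint changed (IP address or useragent) (IP: 173.245.53.109)",
    "User 'admin' - Error: Session fingerprint changed (IP address or useragent) (IP: 203.0.113.7)",
];
foreach (triageSessionLog($log) as $ip => $verdict) {
    printf("%-16s %s\n", $ip, $verdict);
}
```

When the logged addresses fall in proxy ranges, the "remote IP" the application sees is the proxy's edge address, which can differ from one request to the next even though the user's own address has not changed.
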
fbg13 Posted November 8, 2016

Yes, it was CloudFlare. I'll stick with only the user agent for the session fingerprint.

1 hour ago, BitPoet said:
    Some race condition on the server with a shared session directory perhaps?

Sorry, but I don't understand what you mean. Are you referring to my sessions directory?

BitPoet Posted November 9, 2016

10 hours ago, fbg13 said:
    Sorry, but I don't understand what you mean. Are you referring to my sessions directory?

Yes, that. It's been ages since I ran something in such a scenario, but strange session inconsistencies like yours weren't unheard of back then when multiple web server instances shared the same session directory and servers came under heavy load. I never managed to find the exact culprit, but I believe that there were both randomness issues in /dev/(u)random and race conditions in the routines that check whether a session id already exists in the file system.

fbg13 Posted November 9, 2016

The "shared session directory" part confuses me; we're both talking about /site/assets/sessions, right? Or do you mean the sessions directory in a shared hosting environment?

BitPoet Posted November 9, 2016

The last one's the one I'm talking about.

fbg13 Posted November 9, 2016

OK. Thank you guys for helping me with this very annoying thing.

John W. Posted April 28, 2017

On 11/8/2016 at 0:16 AM, adrian said:
    I would try the session fingerprint config setting. Start by setting it to false and if that works you can try to make it more secure after that:
    https://github.com/processwire/processwire/blob/36984e4a057268b7a45b848e1b3b6ee757583459/wire/config.php#L241
    Obviously make the change in your site/config.php file, not the wire one I pointed to.

I ran into an issue on Wednesday, where a client on satellite was getting logged out every few seconds. The above fixed it; however, I had to change the config.php file in the /wire/ directory. I didn't see the setting in the /site/config.php, so I assume that it's due to changes in PW since this post was originally written.

Thanks for the tip @adrian

fbg13 Posted April 28, 2017

32 minutes ago, holmescreek said:
    I didn't see the setting in the /site/config.php

You add it yourself.

modifiedcontent Posted June 1, 2017

I am not 100% sure if or to what degree my issue is related. Apologies if this turns out to be thread hijacking:

I get logged out constantly at certain wifi locations; '_The Cloud' wifi point that many pubs in London have and, I think, all similar public wifi systems that open a browser where you have to leave your email or click on a connect button if you are a returning customer.

Does that sound familiar to anyone? Is there a way to make my PW sites work at these locations?

Is the solution somewhere in the previous posts here? I have trouble following the thread. 'Enabling SessionHandlerDatabase should instantly get rid of the problem'? How would I do that? 'session fingerprint config setting'?

fbg13 Posted June 2, 2017

@modifiedcontent

From the /wire/config.php file; to change it, you add the config option to /site/config.php:

```php
/**
 * Use session fingerprint?
 *
 * Should login sessions be tied to IP and user agent?
 * IP fingerprinting may be problematic on dynamic IPs.
 * Below are the possible values:
 *
 * 	0 or false: Fingerprint off
 * 	1 or true: Fingerprint on with default/recommended setting (currently 10).
 * 	2: Fingerprint only the remote IP
 * 	4: Fingerprint only the forwarded/client IP (can be spoofed)
 * 	8: Fingerprint only the useragent
 * 	10: Fingerprint the remote IP and useragent (default)
 * 	12: Fingerprint the forwarded/client IP and useragent
 * 	14: Fingerprint the remote IP, forwarded/client IP and useragent (all).
 *
 * If using fingerprint in an environment where the user’s
 * IP address may change during the session, you should
 * fingerprint only the useragent, or disable fingerprinting.
 *
 * If using fingerprint with an AWS load balancer, you should
 * use one of the options that uses the “client IP” rather than
 * the “remote IP”, fingerprint only the useragent, or disable
 * fingerprinting.
 *
 * @var int
 *
 */
$config->sessionFingerprint = 1;
```

Session Handler Database: in your PW admin go to Modules, Install tab, and there it is.

Quote:
    Installing this module makes ProcessWire store sessions in the database rather than the file system. Note that this module will log you out after install or uninstall.

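How the documented bit values decide whether a session survives a change of remote IP, as an added example that is not part of the original post and not ProcessWire's implementation. It is a model built only from the config comment above; the function names, the SHA-256 hashing, the client IP and the useragent string are assumptions, and the two remote IPs are the ones from the log lines in this thread.

```php
<?php
// Added model of the documented bit values; not ProcessWire's implementation.
const FP_REMOTE_IP = 2; // address of the peer that connected to the web server
const FP_CLIENT_IP = 4; // forwarded/client IP header (can be spoofed)
const FP_USERAGENT = 8;

// Build a fingerprint from the request fields selected by $setting.
function fingerprint($setting, array $req): string
{
    if ($setting === true || $setting === 1) {
        $setting = 10; // documented default: remote IP + useragent
    }
    $setting = (int) $setting;
    $parts = [];
    if ($setting & FP_REMOTE_IP) { $parts[] = $req['remote_ip']; }
    if ($setting & FP_CLIENT_IP) { $parts[] = $req['client_ip']; }
    if ($setting & FP_USERAGENT) { $parts[] = $req['useragent']; }
    return $parts ? hash('sha256', implode('|', $parts)) : '';
}

// A session is kept only if both requests produce the same fingerprint.
function sessionSurvives($setting, array $a, array $b): bool
{
    return fingerprint($setting, $a) === fingerprint($setting, $b);
}

// Two requests from one browser, arriving via two different proxy edge
// addresses (the IPs from the log lines in this thread). The client IP and
// useragent string are constructed sample values.
$ua     = 'Mozilla/5.0 (X11; Linux x86_64) ExampleBrowser/1.0';
$first  = ['remote_ip' => '141.101.99.252', 'client_ip' => '203.0.113.7', 'useragent' => $ua];
$second = ['remote_ip' => '173.245.53.109', 'client_ip' => '203.0.113.7', 'useragent' => $ua];

foreach ([0, 1, 2, 4, 8, 10, 12, 14] as $setting) {
    printf("sessionFingerprint = %2d: %s\n", $setting,
        sessionSurvives($setting, $first, $second) ? 'session kept' : 'logged out');
}
```

With these inputs every setting that includes the remote IP (1, 2, 10, 14) drops the session, while 0, 4, 8 and 12 keep it. Settings 4 and 12 depend on the forwarded/client IP, which the config comment notes can be spoofed.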