fbg13

Getting logged out constantly


I keep getting logged out after about 20 minutes and I've got no idea why.

All session configs have default values. PW v3.0.39.

Also in the session logs I have this:

Quote

User 'admin' - Error: Session fingerprint changed (IP address or useragent) (IP: 141.101.99.252)

Is that IP address supposed to be mine? Because it's not.


I would try the session fingerprint config setting. Start by setting it to false and if that works you can try to make it more secure after that:

https://github.com/processwire/processwire/blob/36984e4a057268b7a45b848e1b3b6ee757583459/wire/config.php#L241

Obviously make the change in your site/config.php file, not the wire one I pointed to.

  • Like 7


$config->sessionFingerprint set to 0 or 8 seems to work but 1 and 2 keep logging me out.

My IP is not changing while the log out happens (not to my knowledge).

The sessions directory has ~12k files in it. Is that normal?

Quote

User 'admin' - Error: Session fingerprint changed (IP address or useragent) (IP: 173.245.53.109)

Can someone explain the above message? My IP is not 173.245.53.109


Some race condition on the server with a shared session directory perhaps? In that case, enabling SessionHandlerDatabase should instantly get rid of the problem.

Looking closer, two of the three IPs in the log belong to Cloudflare, so if you're using their CDN to speed up the site, this could be a misconfiguration there too. Is the backend routed through Cloudflare? Could it be that there's an option to preserve cookies active? I've got no experience with Cloudflare, but I have seen some very dangerous options to that extent available with Akamai.

  • Like 4


Yes, it was Cloudflare. I'll stick with only the user agent for the session fingerprint.

1 hour ago, BitPoet said:

Some race condition on the server with a shared session directory perhaps?

Sorry, but I don't understand what you mean. Are you referring to my sessions directory?

10 hours ago, fbg13 said:

Sorry, but I don't understand what you mean. Are you referring to my sessions directory?

Yes, that. It's been ages since I ran something in such a scenario, but strange session inconsistencies like yours weren't unheard of back then when multiple web server instances shared the same session directory and servers came under heavy load. I never managed to find the exact culprit, but I believe that there were both randomness issues in /dev/(u)random and race conditions in the routines that check whether a session id already exists in the file system.


The "shared session directory" part confuses me; we're both talking about /site/assets/sessions right?

Or do you mean the sessions directory in a shared hosting environment?

On 11/8/2016 at 0:16 AM, adrian said:

I would try the session fingerprint config setting. Start by setting it to false and if that works you can try to make it more secure after that:

https://github.com/processwire/processwire/blob/36984e4a057268b7a45b848e1b3b6ee757583459/wire/config.php#L241

Obviously make the change in your site/config.php file, not the wire one I pointed to.

I ran into an issue on Wednesday, where a client on satellite was getting logged out every few seconds. The above fixed it, however, I had to change the config.php file in the /wire/ directory. I didn't see the setting in the /site/config.php, so I assume that it's due to changes in PW since this post was originally written.

Thanks for the tip @adrian

  • Like 1

32 minutes ago, holmescreek said:

 I didn't see the setting in the /site/config.php

You add it yourself.

  • Like 4


I am not 100% sure if or to what degree my issue is related. Apologies if this turns out to be thread hijacking:

I get logged out constantly at certain wifi locations; '_The Cloud' wifi point that many pubs in London have and, I think, all similar public wifi systems that open a browser where you have to leave your email or click on a connect button if you are a returning customer.

Does that sound familiar to anyone? Is there a way to make my PW sites work at these locations?

Is the solution somewhere in the previous posts here? I have trouble following the thread. 'Enabling SessionHandlerDatabase should instantly get rid of the problem'? How would I do that? 'session fingerprint config setting'?


@modifiedcontent From /wire/config.php file, to change it you add the config option to /site/config.php

/**
 * Use session fingerprint?
 * 
 * Should login sessions be tied to IP and user agent?
 * IP fingerprinting may be problematic on dynamic IPs. 
 * Below are the possible values: 
 * 
 * 	0 or false: Fingerprint off
 * 	1 or true: Fingerprint on with default/recommended setting (currently 10). 
 * 	2: Fingerprint only the remote IP
 * 	4: Fingerprint only the forwarded/client IP (can be spoofed)
 * 	8: Fingerprint only the useragent
 * 	10: Fingerprint the remote IP and useragent (default)
 * 	12: Fingerprint the forwarded/client IP and useragent
 * 	14: Fingerprint the remote IP, forwarded/client IP and useragent (all). 
 * 
 * If using fingerprint in an environment where the user’s 
 * IP address may change during the session, you should
 * fingerprint only the useragent, or disable fingerprinting.
 *
 * If using fingerprint with an AWS load balancer, you should 
 * use one of the options that uses the “client IP” rather than 
 * the “remote IP”, fingerprint only the useragent, or disable 
 * fingerprinting.
 * 
 * @var int
 *
 */
$config->sessionFingerprint = 1;

Session Handler Database, in your PW admin go to modules, install tab and there it is.

Quote

Installing this module makes ProcessWire store sessions in the database rather than the file system. Note that this module will log you out after install or uninstall.

 

  • Like 1

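How the fingerprint values discussed in this thread behave when a CDN sits in front of the site, as an added example that is not part of the thread and not ProcessWire's own code. It models the documented bits (2, 4, 8) in plain PHP and assumes the proxy passes the visitor address in X-Forwarded-For; the function name, the 203.0.113.7 address and the user agent string are constructed.

```php
<?php
// Simplified model of the sessionFingerprint bitmask documented in
// wire/config.php. Hypothetical helper, not ProcessWire's implementation.

const FP_REMOTE_IP = 2; // address of whoever opened the connection to the origin
const FP_CLIENT_IP = 4; // address reported in a proxy header (client-controlled
                        // unless the origin only accepts traffic from the proxy)
const FP_USERAGENT = 8; // User-Agent request header

function fingerprint($mode, array $server): string
{
    if ($mode === true || $mode === 1) {
        $mode = FP_REMOTE_IP | FP_USERAGENT; // documented default, 10
    }
    $mode = (int) $mode;
    $parts = [];
    if ($mode & FP_REMOTE_IP) $parts[] = $server['REMOTE_ADDR'] ?? '';
    // Assumption: the forwarded/client IP arrives in X-Forwarded-For.
    if ($mode & FP_CLIENT_IP) $parts[] = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($mode & FP_USERAGENT) $parts[] = $server['HTTP_USER_AGENT'] ?? '';
    return $parts ? hash('sha256', implode("\n", $parts)) : '';
}

// Constructed requests: one browser, two requests that reach the origin
// through different CDN edge addresses (the two IPs from the session log).
$ua = 'Mozilla/5.0 (constructed sample)';
$first = [
    'REMOTE_ADDR'          => '141.101.99.252',
    'HTTP_X_FORWARDED_FOR' => '203.0.113.7',
    'HTTP_USER_AGENT'      => $ua,
];
$second = ['REMOTE_ADDR' => '173.245.53.109'] + $first;

foreach ([0, 1, 2, 4, 8, 10, 12, 14] as $mode) {
    $same = hash_equals(fingerprint($mode, $first), fingerprint($mode, $second));
    printf(
        "sessionFingerprint = %2d: %s\n",
        $mode,
        $same ? 'fingerprint unchanged, session kept' : 'fingerprint changed, logged out'
    );
}
```

Every value that includes bit 2 (1, 2, 10, 14) changes between the two requests because REMOTE_ADDR is the CDN edge rather than the visitor, which is why the log shows Cloudflare addresses and why 0 and 8 were reported to work while 1 and 2 were not.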
