gebeer

Losing session in certain network environments


Hello,

I have a situation where a user cannot log on to several different PW installs from different machines on his workplace network.

Sometimes the initial logon is working but when navigating the PW backend he gets thrown out. Sometimes even the initial logon is not working and he is redirected too many times and the browser throws a redirection error.

This points to PW losing its session. But the same sites are working fine when accessed from within other network environments.

The user's workplace network has some pretty tight security (firewall) restrictions in place that prevent PW keeping its session.

I don't know enough about network security so I can't tell what exactly could cause that problem. I checked in the browser settings to make sure session cookies are allowed and there.

Has anyone ever experienced issues like that and would there be a way to make PW keep its session under these circumstances?


I had something similar 2 times until now...

 


That would have been my guess as well. Nine out of ten times, session fingerprinting is the cause of such problems, especially with corporate networks where outgoing IP addresses may change on the fly and security solutions might change request headers to make tracking harder.


Thank you both for your feedback.

Is there anything we can do to work around those security restrictions?

EDIT: guess it has something to do with $config->sessionFingerprint setting. I'll play around with that.


Unfortunately I can only quote Soma here, though it would be interesting to hear @ryan's opinion in this case...

On 20.11.2015 at 7:38 PM, Soma said:

There are no alternatives afaik. Fingerprint is sometimes too much security and creates more problems than it solves.


@bernhard I'll see what I can do with the $config->sessionFingerprint settings to avoid these problems. Although I don't feel comfortable messing with security features...


 

1 hour ago, BitPoet said:

especially with corporate networks where outgoing IP addresses may change on the fly and security solutions might change request headers to make tracking harder.

Reminds me of this one:

Is it a similar or same issue? I'm not quite sure, that's why I'm asking.

"They have two VDSL lines into the building that feed their router through a load balancer. It seems that their setup meant that responses to outbound traffic did not necessarily come back in via the same line."

2 hours ago, BitPoet said:

[...] especially with corporate networks [...]

This. We've run into this on so many occasions I have disabled IP addresses from the fingerprint in all our configs.

1 hour ago, gebeer said:

Although I don't feel comfortable messing with security features

I initially felt the same. Then I realised: you are taking one brick of the security wall. There are probably more issues with human errors like people with bad passwords or outdated computers prone to trojans and such.


The problem in my case is that this project will have more than 2000 users that will log on from all over the world.

So I guess I will have to disable session fingerprinting to make sure that everyone can connect without issues.

2 hours ago, gebeer said:

disable session fingerprinting

You don't entirely have to disable it, just fingerprint the browser for instance. There are several options. See this commit in wire/config.php by ryan.
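The trade-off discussed in this thread, as an added illustration that is not part of any post above and is not ProcessWire's own code: a simplified model of bitmask session fingerprinting, showing why a session bound to the remote IP is dropped when a corporate network switches outbound lines, while a user-agent-only fingerprint survives. Assumptions: the flag values follow the option list documented for `$config->sessionFingerprint` in wire/config.php (2 = remote IP, 4 = forwarded/client IP, 8 = user agent, 1 = default of 10); the function names, hashing scheme and request data are constructed for the example.

```php
<?php
// Simplified model only; ProcessWire's real session code differs.
const FP_REMOTE_IP    = 2; // REMOTE_ADDR as seen by the server
const FP_FORWARDED_IP = 4; // client-supplied forwarded IP (spoofable)
const FP_USER_AGENT   = 8; // browser user-agent string

// Build a fingerprint from the request attributes selected by $mode.
function fingerprint(int $mode, array $request): string
{
    if ($mode === 0) return '';   // fingerprinting off
    if ($mode === 1) $mode = 10;  // "on" = remote IP + user agent
    $parts = [];
    if ($mode & FP_REMOTE_IP)    $parts[] = $request['remote_ip'];
    if ($mode & FP_FORWARDED_IP) $parts[] = $request['forwarded_ip'] ?? '';
    if ($mode & FP_USER_AGENT)   $parts[] = $request['user_agent'];
    return hash('sha256', implode('|', $parts));
}

// A session is kept only if the later request yields the same fingerprint
// that was stored at login.
function sessionSurvives(int $mode, array $login, array $next): bool
{
    return hash_equals(fingerprint($mode, $login), fingerprint($mode, $next));
}

// Constructed sample requests (documentation IP ranges, made-up user agents).
$ua           = 'Mozilla/5.0 (X11; Linux x86_64) ExampleBrowser/1.0';
$login        = ['remote_ip' => '203.0.113.10',  'user_agent' => $ua];
$sameUserNew  = ['remote_ip' => '198.51.100.20', 'user_agent' => $ua]; // second outbound line
$otherBrowser = ['remote_ip' => '198.51.100.20', 'user_agent' => 'OtherClient/2.0'];

$modes = [
    10 => 'remote IP + user agent',
    8  => 'user agent only',
    0  => 'fingerprint off',
];
foreach ($modes as $mode => $label) {
    printf(
        "%2d %-24s same browser, new IP: %-8s different browser: %s\n",
        $mode,
        $label,
        sessionSurvives($mode, $login, $sameUserNew) ? 'kept' : 'dropped',
        sessionSurvives($mode, $login, $otherBrowser) ? 'kept' : 'dropped'
    );
}

// The user-agent-only choice would be set in site/config.php as:
//   $config->sessionFingerprint = 8;
```

With the user agent alone, a session cookie replayed from a different browser is still rejected, which is the middle ground between the default and turning fingerprinting off.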
