Jump to content

Chrome dev tools device mode causes PW logout?


Robin S
 Share

Recommended Posts

For some reason enabling the device mode in the Chrome developer tools logs me out of the ProcessWire admin. I'm using Windows 10, Chrome 70.0.3538.102.

Steps to reproduce:

1. Login to PW admin.

2. View the site frontend in a new tab (e.g. Home page).

3. Open the Chome dev tools, enable device mode, and reload the Home page:

2018-11-16_112754.png.c3473aed1101d966e19f987a017d0d5d.png

4. Switch to the admin tab (where dev tools is not open) and reload - you are now logged out.

Can anyone else confirm this? Is there a setting in the dev tools that would avoid this? Or is this logout behaviour something that could/should be fixed in the PW core?

  • Like 3
Link to comment
Share on other sites

Just from the bit of reading I was doing, each device has a different HTTP_USER_AGENT and therefore the sessions no longer match (between chrome and the device agent). A solution someone came up with on stackoverflow was to store the user agent in the session and check against it once the switch has been made. Perhaps someone better than I could give a better way to handle it in a PW sense.

https://stackoverflow.com/questions/45532678/chrome-toggle-different-devices-view-destroys-the-session

  • Like 2
Link to comment
Share on other sites

8 minutes ago, louisstephens said:

each device has a different HTTP_USER_AGENT and therefore the sessions no longer match

Thanks, makes sense. So a couple of solutions would be:

Use an incognito window when working with dev tools device mode.

Or set $config->sessionFingerprint = false in /site/config.php

These are okay but still kind of annoying. The incognito solution is a bit less convenient than working within the current browser window and easy to accidentally forget when opening view links from Page Edit / Page List. And I wouldn't want to forget the sessionFingerprint setting and leave it disabled as it reduces security a bit.

I wonder if there is some way the PW session fingerprint feature could detect and allow for user agent changes that specifically come from the Chrome dev tools? 

  • Like 1
Link to comment
Share on other sites

This seems like it could be reasonable solution: disable session fingerprint when a site is on localhost. That way when developing locally the user agent is allowed to change without causing a logout.

In /site/config.php:

if(in_array($_SERVER['SERVER_ADDR'], ['127.0.0.1', '::1'])) {
	$config->sessionFingerprint = false;
}

 

  • Like 3
Link to comment
Share on other sites

If you run multiple PW under the same hostname, then setting $config->sessionName to something unique is recommended as well as it prevents one installations logged in state from clashing with another (and other weird admin caching things).  I usually set its value to $config->dbName since that's easily unique enough.

$config->sessionName = $config->dbName;
$config->sessionFingerprint = 2;

 

  • Like 1
Link to comment
Share on other sites

5 hours ago, Jonathan Lahijani said:

If you run multiple PW under the same hostname, then setting $config->sessionName to something unique is recommended as well as it prevents one installations logged in state from clashing with another (and other weird admin caching things).  I usually set its value to $config->dbName since that's easily unique enough.


$config->sessionName = $config->dbName;
$config->sessionFingerprint = 2;

 

Thanks @Jonathan Lahijani for that tidbit. I had been "struggling" with that for awhile, and this makes life so much easier.

Link to comment
Share on other sites

8 minutes ago, louisstephens said:

I had been "struggling" with that for awhile, and this makes life so much easier.

I recommend using a virtual host for each local project - it avoids little issues like this and will be more consistent with how the site will operate when migrated to a remote host. It's not difficult to set up virtual hosts manually, although if you use a tool like Laragon it's an absolute breeze because it automatically creates virtual hosts for every project in the document root: https://laragon.org/docs/pretty-urls.html

  • Like 3
Link to comment
Share on other sites

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...