Jump to content

Frequent log-out issues


spercy16
 Share

Recommended Posts

After doing a Google search for the issue I saw several previous posts mentioning this same issue but cannot figure out how to fix it and shouldn't have to spend a half hour trying to. ProcessWire frequently logs out of the admin area after less than five minutes. It shouldn't time-out ever, and if someone wanted that option for security reasons they should be able to enable it through the settings in their admin panel. In addition to it not being the default setting, users also shouldn't need to edit your config files manually to change these kinds of settings. Please fix the major issue in a future release. It's absured imho that developers don't realize the inconvenience it places on other people if they have to login every time they switch back to that page. It has also logged me out without warning without any visual que that it did so. If someone was working on paragraphs of content they could easily lose their work do to this bug as well... Please don't refer me to a forum with a dozen possible solutions to the issue and fix it yourselves. I'm sick of looking at them. It's your job to troubleshoot your software, not your users!

Link to comment
Share on other sites

Hi @spercy16

welcome to the forum! Could you please tell us a little bit more what you already tried (beside using google)? Also it would be great to hear a little about your experience with ProcessWire and WebDev in general so that we can provide better answers for you.

Link to comment
Share on other sites

I tried disabling my Firefox extensions, clearing my browser history, looking for settings in the admin panel along the lines "auto-logout after ... minutes", and looking for sessionFingerprint in the site/config.php file (there was no string was not in the file related to fingerprint at all). The last idea I found in this post but it didn't do me much good.

Link to comment
Share on other sites

I agree that this can be frustrating and steps to remedy this should be explained in the docs somewhere. More than a bug, I would call it an overzealous security measure that can cause logout issues depending on your environment.

Adding the following line in config.php fixes this issue for me:

/**
 * sessionExpireSeconds: how many seconds of inactivity before session expires
 *
 */
$config->sessionExpireSeconds = 86400;

If not, adding the following also helps:

$config->sessionFingerprint = false;

 

Link to comment
Share on other sites

1 hour ago, jacmaes said:

If not, adding the following also helps:


$config->sessionFingerprint = false;

it is worth trying other options before disabling this feature completely

 * 	0 or false: Fingerprint off
 * 	1 or true: Fingerprint on with default/recommended setting (currently 10). 
 * 	2: Fingerprint only the remote IP
 * 	4: Fingerprint only the forwarded/client IP (can be spoofed)
 * 	8: Fingerprint only the useragent
 * 	10: Fingerprint the remote IP and useragent (default)
 * 	12: Fingerprint the forwarded/client IP and useragent
 * 	14: Fingerprint the remote IP, forwarded/client IP and useragent (all). 

 

  • Like 2
Link to comment
Share on other sites

Thanks @jacmaes ! The first step didn't do much but the second one did. It's keeping me logged in for hours now instead of minutes. It's absolutely an issue and not a feature if it logs people out ever two minutes. It also should be adjustable in the admin settings regardless. Requiring users, whether or not their IT professionals, software developers, or noob end-users to edit .php files to adjust these kinds of time-outs, etc. is bad, lazy software engineering. Not that the ProcessWire CMS isn't good because it is, but developers definitely need to start integrating these settings into more organized, user-friendly UI's. I personally enjoy coding but it isn't always the easist way to do things. XAMPP has the same issue, minimal UI with config files you have to edit each time you want to change the active site (httpd.conf ---> find "htdocs\site" and change it to the active folder you want to use). When that could just as easily be a list of sites you could switch betwen.

Anyway, I really appreciate the help and quick responses. In general ProcessWire seems to be a very good and intuitive CMS and I intend to use it on most of my future websites (when possible) due to the low cost (awesome for non-profits work because it doesn't require a paid license) and because I'm able to quickly and easily integrate it into my designs. I was able to learn the basics of it in a matter of days and have a great workflow going with it now. Definitely happy to be using it instead of Wordpress, Drupal, or Joomla. There's no reason a CMS should be difficult to implement and manage as is the case with many of the others.

Link to comment
Share on other sites

5 hours ago, spercy16 said:

It's absolutely an issue and not a feature if it logs people out ever two minutes. It also should be adjustable in the admin settings regardless. Requiring users, whether or not their IT professionals, software developers, or noob end-users to edit .php files to adjust these kinds of time-outs, etc. is bad, lazy software engineering.

I don't want to dismiss your frustration — I get that problems like this one can be really annoying! — but I do want to stress a couple of points about this:

  • This is very much a needed (even required) security feature. I wouldn't recommend disabling it unless it's causing major issues, and even then there's a 99% chance that you should just fall back to one of the "less strict" options (as mentioned earlier). Without session fingerprinting attacks involving session hijacking are a very real possibility.
  • Providing UI way to disable any security feature is something I'd be wary of. Of course it depends on the situation, but generally decisions like these should be a) made by folks who have enough technical know-how to make educated decisions knowing what the consequences will be, and b) disabling any security feature should never, ever be something you can do "on a whim" — it needs to be a decision made after serious consideration.

Of course technical know-how and well considered decisions don't equal being a developer with access to site's config files or code, but the point is that providing an easy way to decrease the security of the system is definitely not something I'd consider a best practice. Quite the opposite, in fact.

Also, one more thing to consider is that if someone did somehow gain illegitimate access to the admin panel, providing an UI way to disable security features could potentially allow them to escalate the attack. (This particular setting is not the best example of that, but generally speaking.)

As for session fingerprinting: I've personally not had real problems with it, but I know others have, so not trying to dismiss this problem. It should, though, only happen if your IP or user agent string changes constantly, which is a pretty rare situation — though I'm not an expert in this subject. For me the only case where I've experienced something similar was while testing the site using developer tools, going between mobile UA string and regular UA string... 🙂

  • Like 6
Link to comment
Share on other sites

I dunno, I also get annoyed when I lose my session. It doesn’t happen every couple of minutes, but sometimes it still happens from one day to the next, even though I set the lifetime to a year. If ignoring IP and user-agent changes is so insecure, how does this forum do it, or pretty much all big websites for that matter?

Link to comment
Share on other sites

6 hours ago, Jan Romero said:

I dunno, I also get annoyed when I lose my session. It doesn’t happen every couple of minutes, but sometimes it still happens from one day to the next, even though I set the lifetime to a year.

It's very likely that your IP will change every now and then. My understanding is that regular ISPs often charge extra for static IP addresses and (at least around here) some don't even offer this sort of service to consumers.

When your IP changes and session fingerprinting (involving IP address) is enabled, you'll have to renew your login session. This is unrelated to session lifetime limit.

6 hours ago, Jan Romero said:

If ignoring IP and user-agent changes is so insecure, how does this forum do it, or pretty much all big websites for that matter?

That's a valid question!

In many services that I use the situation is exactly the same as with ProcessWire. if I disconnect from the company VPN (or first log in to the service and only then connect to the VPN) I'm forced to redo the login process, which in turn may involve new 2FA confirmation request. Most likely these services use a similar fingerprinting mechanism as ProcessWire.

On the other hand I wouldn't be terribly surprised if some big services skipped this step, especially if they happen to have many "consumer users". It can indeed be problematic for some users, and on the other hand session hijacking can also be mitigated using other measures. Storing the cookies securely and so that no one should get easy access to them is the most important step (obviously ProcessWire does that as well.) After that it's more about adding extra layers of security.

According to Invision Community documentation our forum software has IP address based fingerprinting enabled by default. They recommend keeping it on, unless it causes issues. Just to make sure I just tried "hijacking" my own session — and so far it looks like the forum doesn't really care about which IP I'm using, what my UA string look like, etc. I was able to "transfer" a session to another browser, and it continued to work even after IP address change.

It's important to keep in mind that lacking session fingerprinting is not a security issue in itself, more like a precaution that could've (and, in my opinion, almost always should've) been taken, yet wasn't. In this particular sense our forum could indeed be considered less secure than a typical ProcessWire site where fingerprinting is enabled 🙂

  • Like 4
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

×
×
  • Create New...