Jump to content

Frequent log-out issues


Recommended Posts

After doing a Google search for the issue I saw several previous posts mentioning this same issue but cannot figure out how to fix it and shouldn't have to spend a half hour trying to. ProcessWire frequently logs out of the admin area after less than five minutes. It shouldn't time-out ever, and if someone wanted that option for security reasons they should be able to enable it through the settings in their admin panel. In addition to it not being the default setting, users also shouldn't need to edit your config files manually to change these kinds of settings. Please fix the major issue in a future release. It's absured imho that developers don't realize the inconvenience it places on other people if they have to login every time they switch back to that page. It has also logged me out without warning without any visual que that it did so. If someone was working on paragraphs of content they could easily lose their work do to this bug as well... Please don't refer me to a forum with a dozen possible solutions to the issue and fix it yourselves. I'm sick of looking at them. It's your job to troubleshoot your software, not your users!

Link to comment
Share on other sites

Hi @spercy16

welcome to the forum! Could you please tell us a little bit more what you already tried (beside using google)? Also it would be great to hear a little about your experience with ProcessWire and WebDev in general so that we can provide better answers for you.

Link to comment
Share on other sites

I tried disabling my Firefox extensions, clearing my browser history, looking for settings in the admin panel along the lines "auto-logout after ... minutes", and looking for sessionFingerprint in the site/config.php file (there was no string was not in the file related to fingerprint at all). The last idea I found in this post but it didn't do me much good.

Link to comment
Share on other sites

I agree that this can be frustrating and steps to remedy this should be explained in the docs somewhere. More than a bug, I would call it an overzealous security measure that can cause logout issues depending on your environment.

Adding the following line in config.php fixes this issue for me:

 * sessionExpireSeconds: how many seconds of inactivity before session expires
$config->sessionExpireSeconds = 86400;

If not, adding the following also helps:

$config->sessionFingerprint = false;


Link to comment
Share on other sites

1 hour ago, jacmaes said:

If not, adding the following also helps:

$config->sessionFingerprint = false;

it is worth trying other options before disabling this feature completely

 * 	0 or false: Fingerprint off
 * 	1 or true: Fingerprint on with default/recommended setting (currently 10). 
 * 	2: Fingerprint only the remote IP
 * 	4: Fingerprint only the forwarded/client IP (can be spoofed)
 * 	8: Fingerprint only the useragent
 * 	10: Fingerprint the remote IP and useragent (default)
 * 	12: Fingerprint the forwarded/client IP and useragent
 * 	14: Fingerprint the remote IP, forwarded/client IP and useragent (all). 


  • Like 2
Link to comment
Share on other sites

Thanks @jacmaes ! The first step didn't do much but the second one did. It's keeping me logged in for hours now instead of minutes. It's absolutely an issue and not a feature if it logs people out ever two minutes. It also should be adjustable in the admin settings regardless. Requiring users, whether or not their IT professionals, software developers, or noob end-users to edit .php files to adjust these kinds of time-outs, etc. is bad, lazy software engineering. Not that the ProcessWire CMS isn't good because it is, but developers definitely need to start integrating these settings into more organized, user-friendly UI's. I personally enjoy coding but it isn't always the easist way to do things. XAMPP has the same issue, minimal UI with config files you have to edit each time you want to change the active site (httpd.conf ---> find "htdocs\site" and change it to the active folder you want to use). When that could just as easily be a list of sites you could switch betwen.

Anyway, I really appreciate the help and quick responses. In general ProcessWire seems to be a very good and intuitive CMS and I intend to use it on most of my future websites (when possible) due to the low cost (awesome for non-profits work because it doesn't require a paid license) and because I'm able to quickly and easily integrate it into my designs. I was able to learn the basics of it in a matter of days and have a great workflow going with it now. Definitely happy to be using it instead of Wordpress, Drupal, or Joomla. There's no reason a CMS should be difficult to implement and manage as is the case with many of the others.

Link to comment
Share on other sites

5 hours ago, spercy16 said:

It's absolutely an issue and not a feature if it logs people out ever two minutes. It also should be adjustable in the admin settings regardless. Requiring users, whether or not their IT professionals, software developers, or noob end-users to edit .php files to adjust these kinds of time-outs, etc. is bad, lazy software engineering.

I don't want to dismiss your frustration — I get that problems like this one can be really annoying! — but I do want to stress a couple of points about this:

  • This is very much a needed (even required) security feature. I wouldn't recommend disabling it unless it's causing major issues, and even then there's a 99% chance that you should just fall back to one of the "less strict" options (as mentioned earlier). Without session fingerprinting attacks involving session hijacking are a very real possibility.
  • Providing UI way to disable any security feature is something I'd be wary of. Of course it depends on the situation, but generally decisions like these should be a) made by folks who have enough technical know-how to make educated decisions knowing what the consequences will be, and b) disabling any security feature should never, ever be something you can do "on a whim" — it needs to be a decision made after serious consideration.

Of course technical know-how and well considered decisions don't equal being a developer with access to site's config files or code, but the point is that providing an easy way to decrease the security of the system is definitely not something I'd consider a best practice. Quite the opposite, in fact.

Also, one more thing to consider is that if someone did somehow gain illegitimate access to the admin panel, providing an UI way to disable security features could potentially allow them to escalate the attack. (This particular setting is not the best example of that, but generally speaking.)

As for session fingerprinting: I've personally not had real problems with it, but I know others have, so not trying to dismiss this problem. It should, though, only happen if your IP or user agent string changes constantly, which is a pretty rare situation — though I'm not an expert in this subject. For me the only case where I've experienced something similar was while testing the site using developer tools, going between mobile UA string and regular UA string... 🙂

  • Like 6
Link to comment
Share on other sites

I dunno, I also get annoyed when I lose my session. It doesn’t happen every couple of minutes, but sometimes it still happens from one day to the next, even though I set the lifetime to a year. If ignoring IP and user-agent changes is so insecure, how does this forum do it, or pretty much all big websites for that matter?

Link to comment
Share on other sites

6 hours ago, Jan Romero said:

I dunno, I also get annoyed when I lose my session. It doesn’t happen every couple of minutes, but sometimes it still happens from one day to the next, even though I set the lifetime to a year.

It's very likely that your IP will change every now and then. My understanding is that regular ISPs often charge extra for static IP addresses and (at least around here) some don't even offer this sort of service to consumers.

When your IP changes and session fingerprinting (involving IP address) is enabled, you'll have to renew your login session. This is unrelated to session lifetime limit.

6 hours ago, Jan Romero said:

If ignoring IP and user-agent changes is so insecure, how does this forum do it, or pretty much all big websites for that matter?

That's a valid question!

In many services that I use the situation is exactly the same as with ProcessWire. if I disconnect from the company VPN (or first log in to the service and only then connect to the VPN) I'm forced to redo the login process, which in turn may involve new 2FA confirmation request. Most likely these services use a similar fingerprinting mechanism as ProcessWire.

On the other hand I wouldn't be terribly surprised if some big services skipped this step, especially if they happen to have many "consumer users". It can indeed be problematic for some users, and on the other hand session hijacking can also be mitigated using other measures. Storing the cookies securely and so that no one should get easy access to them is the most important step (obviously ProcessWire does that as well.) After that it's more about adding extra layers of security.

According to Invision Community documentation our forum software has IP address based fingerprinting enabled by default. They recommend keeping it on, unless it causes issues. Just to make sure I just tried "hijacking" my own session — and so far it looks like the forum doesn't really care about which IP I'm using, what my UA string look like, etc. I was able to "transfer" a session to another browser, and it continued to work even after IP address change.

It's important to keep in mind that lacking session fingerprinting is not a security issue in itself, more like a precaution that could've (and, in my opinion, almost always should've) been taken, yet wasn't. In this particular sense our forum could indeed be considered less secure than a typical ProcessWire site where fingerprinting is enabled 🙂

  • Like 4
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Similar Content

    • By benbyf
      Hello, and welcome to what I though was either my client being silly and changing things, or some evil doer. Turns out its reproducible and therefore something in Proceswire (I checked my templates and modules but couldnt find anything that would be doing this...). So what is it doing? Check out the video for evidence.
      A repeater field is interacting with a page template and another repeater field somehow to swap the fields in the template and repeater over...
      I have a template called team, and a repeater field called team_repeater with label Team. Some how and for some reason, when I change my fields on repeater called main_menu_links my team template gets those fields and when I try and revert the team template fields to the fields it should have, they get given to the repeater main_menu_links. Also this to say HELP!!!!!
      video: https://www.dropbox.com/s/exkdhc6n7x0xpsa/strange-repeater-PW-mega-bug.mov?dl=0
    • By ICF Church
      Hi 👋
      Anyone else having this problem?
      - Repeater (matrix & normal) with mutlilanguage fields (text, textarea…) 
      - Backend language set to something other than default (ie. German) 
      - Add a new repeater Item (ajax, I found no way to possible to disable it with matrix)

      (Notice how the default language tab is active instead of the backend language…)
      - Write something into the (default language) field
      - Try to save, if field is required, this will not work. If not required, then when reloading, the content will be inside the backend language field, instead of the default language field who was (presumably) active
      When  loading  a new repeater element with ajax, the default langue tab is active, but the backend language inputfield is visible (with no visual indication). When writing into the field, it will populate the backend language. When manually clicking on the default language tab (which is already active), the field will switch to the actual default language field (which is [now] empty) (that can now be populated…)
      Also Notice, the labels of the elements to be added are in default language as well instead of the translated label (images instead of Bilder)…
      ProcessWire 3.0.148, Profields 0.0.5…
      Is it my system configuration, or does anyone else have the same issue? This is a screen recording of the problem:
      Issue: https://github.com/processwire/processwire-issues/issues/1179

      Screen Recording 2020-02-25 at 14.18.31.mov
    • By humanafterall
      I'm using some Custom fields for images: 

      When I save the page, and return the fields are blank. When I re-add the text to the fields and save again then the fields save as expected.

      I know this is stated as being quite experimental but it's super useful feature I'd love to get working correctly.
      I have fields that are CKEditor fields but have overidden this on the image specific template. I've also tried it with regular text fields and I get the same bug.
      (currently using Processwire 3.0.155)
      I've found this issue is specific to editing on pages using the PageTable fieldtype. The fields are not saving when I save the page in the PageTable.
    • By Atlasfreeman
      So im doing a website. and i put on multi language on the website and uploaded some new images when i decide to make a new page...
      This i can't do anymore...

      It sais : 
      Add New
      The process returned no content.
      Unknown template.

      Well the website is showing fine, but i can't make new pages 😞

      Do any have any idea what to do?
    • By Guy Incognito
      I added some custom styles to the CKeditor menu bar using the example mystyles.js and the PW tutorial. This worked fine for fields when editing on the frontend. But none of our custom styles showed in the backend editor dropdown unless we edited the core copy of mystyles.js in wire/modules.
      Is this correct behaviour, a bug or a mistake on my part? Tried clearing cache, logging in/out etc but the backend ignores our custom styles in the site/modules path.
  • Create New...