
Keep getting logged out, regardless of settings


Goca

Hi there,

I am using ProcessWire version 3.0.165, and I keep getting randomly logged out within an hour (sometimes less than an hour) of inactivity. I've tried the recommendations in this forum post (including fully disabling fingerprinting with a value of 0 and false), to no avail:

 I am using CloudFlare on the site, and I have disabled fingerprinting to see if that was the issue, but unfortunately it hasn't helped. These are my current session config settings in site/config.php:

$config->sessionName = 'custom';
$config->sessionFingerprint = 0;
$config->sessionForceIP = $_SERVER['HTTP_X_FORWARDED_FOR'];
$config->sessionExpireSeconds = 86400;

I've also checked the "session" logs on the backend, and don't see any entries other than my logins.

We're building a quizzing system for students and really don't want them to be automatically logged out so often, so any help would be appreciated!

Thanks!

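An added example, not part of the original post or of ProcessWire: the X-Forwarded-For value assigned to sessionForceIP above is a request header, so it is only meaningful when a proxy in front of the site sets it. The code below accepts the header only when the connecting address belongs to a known proxy; clientIp(), ipInCidr() and the proxy ranges (documentation addresses used as placeholders) are assumptions.

```php
<?php
// Added illustration. clientIp(), ipInCidr() and $trustedProxies are hypothetical
// names; the CIDR ranges are documentation placeholders, not a real proxy's list.
$trustedProxies = ['192.0.2.0/24', '2001:db8::/32'];

function ipInCidr(string $ip, string $cidr): bool
{
    [$net, $bits] = explode('/', $cidr, 2);
    $bits   = (int) $bits;
    $ipBin  = @inet_pton($ip);
    $netBin = @inet_pton($net);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false; // invalid address, or IPv4 compared against IPv6
    }
    $bytes = intdiv($bits, 8);
    if (strncmp($ipBin, $netBin, $bytes) !== 0) {
        return false; // the whole bytes of the prefix differ
    }
    if ($bits % 8 === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $bits % 8)) & 0xFF; // remaining prefix bits
    return (ord($ipBin[$bytes]) & $mask) === (ord($netBin[$bytes]) & $mask);
}

function clientIp(array $server, array $trustedProxies): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    $xff  = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    foreach ($trustedProxies as $cidr) {
        if ($xff === '' || !ipInCidr($peer, $cidr)) {
            continue;
        }
        // The right-most entry is the address the trusted proxy itself saw;
        // entries to its left may have been supplied by the client.
        $entries = explode(',', $xff);
        $last = trim(end($entries));
        if (filter_var($last, FILTER_VALIDATE_IP) !== false) {
            return $last;
        }
    }
    return $peer; // direct connection or unusable header: keep the socket address
}

// Constructed requests: one relayed by a trusted proxy, one sent directly.
$viaProxy = ['REMOTE_ADDR' => '192.0.2.10', 'HTTP_X_FORWARDED_FOR' => '198.51.100.7'];
$direct   = ['REMOTE_ADDR' => '203.0.113.5', 'HTTP_X_FORWARDED_FOR' => '198.51.100.7'];
echo clientIp($viaProxy, $trustedProxies), PHP_EOL;
echo clientIp($direct, $trustedProxies), PHP_EOL;
```

With the site's real proxy ranges in place of the placeholders, the result could be assigned in site/config.php as $config->sessionForceIP = clientIp($_SERVER, $trustedProxies);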

Does this happen on a specific device? I’m aware of a similar problem with iOS/mobile Safari. ProcessWire doesn’t set an expiration date on its session cookie, which, as I understand it, technically advises browsers to throw the cookie away at the end of the browsing session, i.e. when you close the browser. I’ve never seen a desktop browser actually do this, but mobile operating systems are traditionally more conservative with that stuff and zealously clean up after themselves. Try putting this in your config.php:

ini_set('session.cookie_lifetime', 31556926); //1 year lol

Now, that’s a whole-ass year, after which your desktop sessions, which would otherwise have continued indefinitely, will probably terminate. I’ve been meaning to submit a real fix, which would involve extending the cookie every time the user is active, but this is what I live with right now.

I’m also surprised no one else has ever mentioned this, given the prevalence of mobile browsing. Maybe it’s just a problem with my setup.

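The approach described in the post above (extending the cookie every time the user is active) could look like the following in plain PHP. This is an added example, not code from the poster or from ProcessWire; refreshSessionCookie() and the one-day idle window are assumptions.

```php
<?php
// Added illustration; refreshSessionCookie() is a hypothetical helper,
// not part of ProcessWire.
function refreshSessionCookie(int $idleSeconds): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE || headers_sent()) {
        return false; // no session to extend, or too late to send a header
    }
    // Reuse the attributes the session cookie was created with, so the
    // refreshed cookie replaces it instead of creating a second one.
    $p = session_get_cookie_params();
    $options = [
        'expires'  => time() + $idleSeconds, // slides forward on every request
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
    ];
    if (!empty($p['samesite'])) {
        $options['samesite'] = $p['samesite'];
    }
    return setcookie(session_name(), session_id(), $options);
}

// Keep the server-side session data at least as long as the cookie;
// otherwise garbage collection can remove the session first.
$idleSeconds = 86400; // assumed idle window of one day
ini_set('session.gc_maxlifetime', (string) $idleSeconds);
session_start();
refreshSessionCookie($idleSeconds);
```

Because the expiry moves forward only while the user is active, an idle window of hours or days can replace the fixed one-year lifetime.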

On 1/20/2022 at 7:49 AM, Jan Romero said:

Does this happen on a specific device? I’m aware of a similar problem with iOS/mobile Safari. ProcessWire doesn’t set an expiration date on its session cookie, which, as I understand it, technically advises browsers to throw the cookie away at the end of the browsing session, i.e. when you close the browser. I’ve never seen a desktop browser actually do this, but mobile operating systems are traditionally more conservative with that stuff and zealously clean up after themselves. Try putting this in your config.php:

ini_set('session.cookie_lifetime', 31556926); //1 year lol

Now, that’s a whole-ass year, after which your desktop sessions, which would otherwise have continued indefinitely, will probably terminate. I’ve been meaning to submit a real fix, which would involve extending the cookie every time the user is active, but this is what I live with right now.

I’m also surprised no one else has ever mentioned this, given the prevalence of mobile browsing. Maybe it’s just a problem with my setup.

@Jan Romero We're still heavy in the development stage of the site, so I actually haven't even tested on mobile yet. Right now I'm working on a desktop with Google Chrome version 97.x

Also I should clarify that this happens when I refresh the page after about an hour of inactivity, not when closing the browser. I'll try that line of code in config.php just in case though, any chance of fixing it would be great, haha.

 

On 1/20/2022 at 10:08 AM, Klenkes said:

I have a client who fights with his logouts as well. I am almost sure (98%) his Avira Antivir deletes or blocks something during his session.

Interesting... I've had this happen on both a desktop and a laptop that run separate antivirus software, so I don't think this is the problem in my case, but I'll add this to the list of things to test to try and fix the issue, lol.

 

5 hours ago, Guy Incognito said:

@Goca Are you using a cookie consent management tool by any chance? This potentially could mess with ProcessWire's cookies if not configured correctly.

Nope. We're still very early in the stages of development, mostly vanilla ProcessWire other than a few custom modules to start organizing helpful functions, and creating data structures with page templates.


  • 2 weeks later...
On 1/22/2022 at 11:22 AM, Markus Thomas said:

I even use Cloudflare on most of my sites and had the same issues.

Since I use

$config->sessionFingerprint=false;

everything works fine.

Maybe you have to use false instead of 0?

Good suggestion, but unfortunately it doesn't seem to have fixed the issue. Still trying to find a solution, but haven't had any luck yet.


I had a problem with a site that was migrated to cPanel by the host, after which the front end worked but I couldn't log in at all (CSRF messages). This turned out to be due to the new setup using Memcached for the session storage. Fixed by updating php.ini; extract from the support ticket:

I resolved the issue with form submissions and admin login by updating the php.ini file in the root of the site. I commented out the session.save settings:

[Session]
;;;session.save_handler = memcached
;;;session.save_path = 10.169.0.130

 


8 hours ago, kp52 said:

I had a problem with a site that was migrated to cPanel by the host, after which the front end worked but I couldn't log in at all (CSRF messages). This turned out to be due to the new setup using Memcached for the session storage. Fixed by updating php.ini; extract from the support ticket:

I resolved the issue with form submissions and admin login by updating the php.ini file in the root of the site. I commented out the session.save settings:

[Session]
;;;session.save_handler = memcached
;;;session.save_path = 10.169.0.130

 

This is good to know! I'm going to contact our host and see if this could be the issue, or perhaps even something else on the server that could be making fingerprint settings and session expiration settings ineffective. Will update once I find out more.


  • 2 weeks later...
  • 2 years later...

Having the same issue with Cloudflare: as soon as I enable a "proxied" connection, I continuously get logged out. When using the Cloudflare setting "DNS only" the issue is gone. Need to further investigate ProcessWire .htaccess settings, as there are options for running behind a proxy.


@erikvanberkum Look at the

$config->sessionFingerprint

options, to be set in the /site/config.php file.

Quote
  Should login sessions be tied to IP and user agent?
  0 or false: Fingerprint off.
  1 or true: Fingerprint on with default/recommended setting (currently 10).
  2: Fingerprint only the remote IP.
  4: Fingerprint only the forwarded/client IP (can be spoofed).
  8: Fingerprint only the useragent.
  10: Fingerprint the remote IP and useragent (default).
  12: Fingerprint the forwarded/client IP and useragent.
  14: Fingerprint the remote IP, forwarded/client IP and useragent (all).

 


On 4/11/2024 at 8:01 AM, erikvanberkum said:

Having the same issue with Cloudflare: as soon as I enable a "proxied" connection, I continuously get logged out. When using the Cloudflare setting "DNS only" the issue is gone. Need to further investigate ProcessWire .htaccess settings, as there are options for running behind a proxy.

Just an idea - not particularly thought through so may not work!...

Because you can so easily add another URL to ProcessWire sites via the config, I wonder if you could use a separate URL or subdomain for editing access that doesn't go through CF. You could restrict access for editing by IP so other people can't use that domain.


Thanks for the feedback so far. Unfortunately not getting any success by applying page rules in Cloudflare with bypassing the cache levels.

I went a step further and also applied a cache rule to disable caching (https://www.domain.com/processwire/*); this also didn't improve anything.

The culprit is that exactly after 60 seconds we are logged out. For now, as a temporary solution, we adjusted our office DNS to bypass Cloudflare and go direct to the AWS EC2 instance. This does the trick but is not a long-term solution. As for the future, we would like to disable any HTTP or HTTPS traffic that is not coming via Cloudflare.

 


On 4/20/2024 at 2:43 AM, erikvanberkum said:

Thanks for the feedback so far. Unfortunately not getting any success by applying page rules in Cloudflare with bypassing the cache levels.

I went a step further and also applied a cache rule to disable caching (https://www.domain.com/processwire/*); this also didn't improve anything.

The culprit is that exactly after 60 seconds we are logged out. For now, as a temporary solution, we adjusted our office DNS to bypass Cloudflare and go direct to the AWS EC2 instance. This does the trick but is not a long-term solution. As for the future, we would like to disable any HTTP or HTTPS traffic that is not coming via Cloudflare.

 

 

Are you 100% certain it is Cloudflare causing this issue? It took me many years of using ProcessWire to realise that it was me causing logouts by opening the browser dev tools device emulator for testing during site development. This happens because it sends a new user agent header and triggers a new session in the browser, therefore logging you out of the old session. You can see this happening in the PW logs - it records it as 'session invalidated' or similar.

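An added illustration (not ProcessWire's own code and not from any post in this thread) of the sessionFingerprint option values quoted earlier in the thread and of the user-agent change described in the post above: a simplified model in which the fingerprint is a hash over the fields each bit selects. The names fingerprint(), survives() and FP_* are made up for the example, the requests are constructed, and the example assumes that a proxied request can reach the server from a different proxy address than the one seen at login.

```php
<?php
// Added illustration: a simplified model of the quoted option values,
// not ProcessWire's own code. fingerprint() and the FP_* names are hypothetical.
const FP_REMOTE_IP    = 2;
const FP_FORWARDED_IP = 4;
const FP_USERAGENT    = 8;

function fingerprint(int $mode, array $server): string
{
    if ($mode === 1) {
        $mode = 10; // "on" means the default combination
    }
    $parts = [];
    if ($mode & FP_REMOTE_IP)    $parts[] = $server['REMOTE_ADDR'] ?? '';
    if ($mode & FP_FORWARDED_IP) $parts[] = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($mode & FP_USERAGENT)    $parts[] = $server['HTTP_USER_AGENT'] ?? '';
    return $parts ? hash('sha256', implode("\n", $parts)) : '';
}

// True when the session bound at login would still match the later request.
function survives(int $mode, array $login, array $later): bool
{
    return hash_equals(fingerprint($mode, $login), fingerprint($mode, $later));
}

// Constructed requests (documentation addresses, shortened user agents).
$login = ['REMOTE_ADDR' => '192.0.2.10', 'HTTP_X_FORWARDED_FOR' => '198.51.100.7',
          'HTTP_USER_AGENT' => 'DesktopBrowser/97'];
// Same browser, but the request reaches the server from another proxy address.
$otherProxy = ['REMOTE_ADDR' => '192.0.2.44'] + $login;
// Same route, but device emulation sends a different user agent.
$emulated = ['HTTP_USER_AGENT' => 'MobileBrowser/15'] + $login;

foreach ([0, 2, 4, 8, 10, 12, 14] as $mode) {
    printf("mode %2d  proxy change: %-4s  user-agent change: %s\n", $mode,
        survives($mode, $login, $otherProxy) ? 'ok' : 'lost',
        survives($mode, $login, $emulated) ? 'ok' : 'lost');
}
```

In this model every value with bit 2 set loses the session when the remote address changes, and every value with bit 8 set loses it when the user agent changes.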

Also another possibility - are you running Debian? If so, I find I have the same issue unless I add this to config.php:

/**
 * Enable Session Garbage Collection
 * Garbage Collection is disabled in Debian as default (probability set to zero)
 * Enable session garbage collection with a 1% chance of running on each session_start();
 * Chance calculated as gc_probability/gc_divisor
 * Session path is defined inside wire/core/Session.php and points to site/assets/sessions
 * Thanks to this modification session now takes into account gc_maxlifetime set in config
 */
ini_set('session.gc_probability', 1);
ini_set('session.gc_divisor', 100);

 
