Session fingerprint changes causing admin logout after 2-4 minutes


gornycreative
I've seen this on a few other threads but their problems were more specific to certain plugins.

I'm trying to wrap my head around what might be triggering this, and if other developers have run into it and have any workarounds.

I have tried isolating different actions but have not been successful in figuring out the culprit.

It usually happens when I have an admin window open, the front-end open with developer tools and I am switching between responsive views - e.g. between desktop and Pixel 5.

I'm editing template files, not PW page content.

The site runs through Cloudflare and rules are in place to sidestep cache on admin URLs. However, for the front end I find I sometimes still need to purge cache on their side even with development mode engaged, and I also often have to clear cache on the ProcessWire side as well.

I don't believe my IP address is changing, however I do notice that in the session log a number of public IPs are used for my logged in sessions - whether this is a function of Cloudflare caching, etc. I haven't tested. Could be. But there are times when the fingerprint breaks and the IP is the same for several hours.

Not sure if clearing the cache on the PW side also clears out the session - I'm using the session db so it shouldn't but...

Any thoughts on which of these actions might be breaking the session fingerprint? I can put up with logging in again after doing cache clears, etc. but I'd like to know what is causing the behavior for my own sanity.


2 hours ago, gornycreative said:

It usually happens when I have an admin window open, the front-end open with developer tools and I am switching between responsive views

When you enable device mode in the dev tools the user agent will change and therefore the fingerprint will change.

I solve this when developing locally with the following in config.php:

if(in_array($_SERVER['REMOTE_ADDR'], ['127.0.0.1', '::1'])) {
	$config->sessionFingerprint = false;
}

If you're working on a remote site and don't want to change the fingerprint settings then you can use an incognito window when viewing the front-end in device mode.

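A simplified model of the check described in the answer above, as an added example that is not part of the original posts and not ProcessWire's own code. It treats the fingerprint as a hash over the remote IP and User-Agent; the flag names, function names and sample requests are assumptions constructed for illustration.

```php
<?php
// Simplified model of a session fingerprint check (not ProcessWire's implementation).
const FP_IP = 1; // hypothetical flag: include REMOTE_ADDR in the fingerprint
const FP_UA = 2; // hypothetical flag: include the User-Agent header

function fingerprint(array $server, int $mode): string {
    $parts = [];
    if ($mode & FP_IP) $parts[] = $server['REMOTE_ADDR'] ?? '';
    if ($mode & FP_UA) $parts[] = $server['HTTP_USER_AGENT'] ?? '';
    return hash('sha256', implode("\n", $parts));
}

// True when the request still matches the fingerprint stored at login.
function sessionStillValid(string $stored, array $server, int $mode): bool {
    if ($mode === 0) return true; // fingerprinting disabled
    return hash_equals($stored, fingerprint($server, $mode));
}

// Constructed sample requests (documentation IP ranges, abbreviated UA strings).
$login = [
    'REMOTE_ADDR'     => '203.0.113.10',
    'HTTP_USER_AGENT' => 'Mozilla/5.0 (X11; Linux x86_64) Chrome/120',
];
// Same browser profile and session cookie, but device mode swaps the UA.
$deviceMode = [
    'REMOTE_ADDR'     => '203.0.113.10',
    'HTTP_USER_AGENT' => 'Mozilla/5.0 (Linux; Android 13; Pixel 5) Chrome/120 Mobile',
];
// Same UA, but the request reaches the origin from a different address.
$otherIp = [
    'REMOTE_ADDR'     => '198.51.100.7',
    'HTTP_USER_AGENT' => $login['HTTP_USER_AGENT'],
];

$modes = ['off' => 0, 'ip' => FP_IP, 'ua' => FP_UA, 'ip+ua' => FP_IP | FP_UA];
foreach ($modes as $name => $mode) {
    $stored = fingerprint($login, $mode); // value saved with the session at login
    printf(
        "%-6s device mode: %-8s changed IP: %s\n",
        $name,
        sessionStillValid($stored, $deviceMode, $mode) ? 'valid' : 'LOGOUT',
        sessionStillValid($stored, $otherIp, $mode) ? 'valid' : 'LOGOUT'
    );
}
```

Any mode that includes the User-Agent invalidates the session on the device-mode request even though the IP is unchanged, which matches the case in the question where the fingerprint breaks while the IP stays the same for hours.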
