ChaseB

Frequent Logout Issues

Hey Everyone,

Before I get to the issue, thought I'd say hi. I've been using processwire for about a year now for a bunch of small web projects but haven't made a forum account yet. I've really had a great time using it. So far I haven't had any issues that haven't been solved by reading the API or going through the forums. However, it seems that time has finally come.

Basically, I keep getting logged out of PW admin. There doesn't seem to be too much of a pattern governing after what amount of time it happens unfortunately. Sometimes 30 seconds, sometimes 3 minutes. Today, I was getting logged out every time I clicked a link on the admin page (any edit, new, save, etc).

I saw this forum post: http://processwire.com/talk/topic/2723-strange-loading-and-logout-issues-in-the-admin/?hl=logout

and followed what was done there. However, that hasn't really fixed any of my issues.

There hasn't been anything in the error log (not that I really expected there to be).

For all I know, this could be something on my end. I'm using the newest version of firefox for what it's worth.

Any thoughts on the matter would be appreciated, I'll really try anything anyone thinks might work.

Thanks!

-Chase

whut. u have in /site/assets/logs/errors.txt ? 

/site/config.php u set

$config->sessionFingerprint=false ?

what.say it for $config->sessionExpireSeconds ?

u have session.db module install or uses default sessions ?

u look.in <?php phpinfo(); what say.it for

session.cache_expire
session.gc_divisor
session.gc_maxlifetime
session.gc_probability
session.save_handler
session.referer_check

u check session dir uses writeable /site/assets/sessions/ ?

I hadn't noticed the expireSeconds part of config.php before. I'll set that higher, should hopefully help. Thanks!

I hadn't noticed the expireSeconds part of config.php before. I'll set that higher, should hopefully help. Thanks!

Unless you had previously modified this, I doubt that's it. The default setting of 86400 is 1 day, and that's not going to cause you to get logged out every 30 seconds or 3 minutes, etc. I am wondering more about the gc_divisor and gc_probability settings that WillyC posted about, as that has more potential to answer the apparent randomness and short active sessions that you've described. 

Our clients have reported identical problems a few times. After clearing browser history things have returned to normal.

This is probably unrelated, just wanted to point out that the issue may not be site-related at all.. :)

I just cleared browser history after having a similar problem. Now working fine. Thanks Teppo. Yeah, I know thread is old :-)

I had the same problems with a fresh install of ProcessWire 2.5.3 on a local webserver (Win 8.1 WAMPSERVER). After clearing the browser history no more logouts.

We discovered a similar problem while debugging our page using Chrome Developer Tools.

When you enter the mobile inspector, your user agent changes. If you then happen to use the ProcessWire Backend WITHOUT the mobile inspector, you'll get logged out.
I followed the session tracelog and noticed that the fingerprint changed and that's why I got logged out.

The fingerprint is dynamically created using an md5 hash with the request user agent & request_ip. Since the user agent changes in mobile inspector, your session fingerprint will be different and therefore ProcessWire logs you out.

Took me a while to figure this out. Hope this helps others.

@Mobiletrooper,

I think you are right on the money :-). Been experiencing this a lot lately in Chrome

Edit: Welcome to the forums :-)

To prevent being logged out when dev-tools is open add:

$config->sessionFingerprint = 2;

in your site/config.php (my PW version = 2.7)

No more logouts. Problem solved.

EDIT: Modified the instructions as teppo pointed out.

@jmartsch, two notes about that:

  1. Session fingerprint is a security feature, and should only be disabled when absolutely necessary. In your case this might actually be the situation, pointing this out in case someone else reads this :)
  2. It's never a good idea to modify anything in the wire directory – instead of that, copy the directive to /site/config.php and change its value there.

@teppo You're right. Thanks for pointing this out.

So I added 

$config->sessionFingerprint = 2;

to site/config.php.

Option 2 fingerprints only the remote IP and not the user-agent.

On 12/10/2015 at 12:48 PM, teppo said:

1. It's never a good idea to modify anything in the wire directory – instead of that, copy the directive to /site/config.php and change its value there.

Hello,

So we don't need to change anything in wire/config.php? We keep the default value below:

$config->sessionFingerprint = 1;

That's right?

@Jules Vau Yes, that's correct. The setting in site/config.php overwrites the one in the wire directory.

Hi guys, sorry, I haven't understood well how the fingerprint works.

I have the same issue because our IP address could change during the session, so I have to change the setting. But I'm not sure which option to use.

What exactly does the fingerprint do?

49 minutes ago, MarcoPLY said:

Hi guys, sorry, I haven't understood well how the fingerprint works.

I have the same issue because our IP address could change during the session, so I have to change the setting. But I'm not sure which option to use.

What exactly does the fingerprint do?

https://processwire.com/api/ref/config/

 

Quote
$config->sessionFingerprint (bool): Should login sessions be tied to IP and user agent?

  • 0 or false: Fingerprint off.
  • 1 or true: Fingerprint on with default/recommended setting (currently 10).
  • 2: Fingerprint only the remote IP.
  • 4: Fingerprint only the forwarded/client IP (can be spoofed).
  • 8: Fingerprint only the useragent.
  • 10: Fingerprint the remote IP and useragent (default).
  • 12: Fingerprint the forwarded/client IP and useragent.
  • 14: Fingerprint the remote IP, forwarded/client IP and useragent (all).

 

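The option values quoted above combine as a bitmask (2 = remote IP, 4 = forwarded/client IP, 8 = user agent), which is what decides whether a given change between requests ends the session. The PHP model below is an added example, not ProcessWire's own code and not written by any poster in this thread; the function names, the use of X-Forwarded-For as the forwarded IP, the separator used before hashing, and the sample requests are assumptions made for illustration.

```php
<?php
// Added illustration: a simplified model of the documented sessionFingerprint
// bitmask. Not ProcessWire's source; all function names are hypothetical.
const FP_REMOTE_IP    = 2; // REMOTE_ADDR as seen by the web server
const FP_FORWARDED_IP = 4; // client-supplied header (assumed X-Forwarded-For)
const FP_USERAGENT    = 8; // User-Agent request header

// Hash only the request attributes selected by $mode (md5, as described in the thread).
function modelFingerprint($mode, array $req): string {
    $mode = (int) $mode;              // false -> 0, true -> 1
    if ($mode === 1) $mode = 10;      // documented default: remote IP + user agent
    if ($mode === 0) return '';       // fingerprint off: nothing is compared
    $parts = [];
    if ($mode & FP_REMOTE_IP)    $parts[] = $req['REMOTE_ADDR'] ?? '';
    if ($mode & FP_FORWARDED_IP) $parts[] = $req['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($mode & FP_USERAGENT)    $parts[] = $req['HTTP_USER_AGENT'] ?? '';
    return md5(implode('|', $parts));
}

// A session survives when the fingerprint stored at login matches the current request.
function sessionSurvives($mode, array $login, array $later): bool {
    return modelFingerprint($mode, $login) === modelFingerprint($mode, $later);
}

// Constructed sample request (documentation-range IPs), not real traffic.
$login = [
    'REMOTE_ADDR'          => '203.0.113.10',
    'HTTP_X_FORWARDED_FOR' => '10.0.0.5',
    'HTTP_USER_AGENT'      => 'Mozilla/5.0 (X11; Linux x86_64) Desktop',
];
// What differs on a later request in each scenario.
$scenarios = [
    'DevTools mobile UA'  => ['HTTP_USER_AGENT' => 'Mozilla/5.0 (iPhone) Mobile'],
    'remote IP changes'   => ['REMOTE_ADDR' => '198.51.100.23'],
    'forwarded IP header' => ['HTTP_X_FORWARDED_FOR' => '10.0.0.99'],
];

printf("%-4s", 'mode');
foreach (array_keys($scenarios) as $label) printf(" | %-19s", $label);
echo PHP_EOL;
foreach ([0, 2, 4, 8, 10, 12, 14] as $mode) {
    printf("%-4d", $mode);
    foreach ($scenarios as $delta) {
        $ok = sessionSurvives($mode, $login, array_merge($login, $delta));
        printf(" | %-19s", $ok ? 'stays logged in' : 'logged out');
    }
    echo PHP_EOL;
}
```

Every mode that includes 8 (8, 10, 12, 14) logs out on the user-agent change, which is the DevTools case described in this thread. Mode 8 tolerates a changing remote IP while still binding the session to the user agent, and mode 4 binds only to a header the client sends, which is why the documentation marks it as spoofable.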
