By: BMcDonald (offline)  Feb 04 2012 14:51 pm (Read 1813 times)  

I have my admin user set to be remembered for 8 hours but once I log in, the session times out sometimes within about 15 minutes. ??? I have to log in over and over while I'm working on the site. I can't find anywhere except the User Account setting area to set how long I should remain logged in - I assumed it was the "Remember Me For:" setting.

   

By: bisdak (offline)  Feb 04 2012 17:32 pm  

Is it the Log-In or Authentication screen you are seeing? There is a timer on the Authentication, and if you don't access the Admin areas for x minutes you have to authenticate again - it's not the same as the actual log-in, it's a security feature. The timing is hard coded, unlike the login where you can tell glF how long to remember you.

Regards


Tita T
------
ex University of San Carlos Cebu | Sta Tomas Manila
Proudly Visayan now living in Europe
------

 

By: BMcDonald (offline)  Feb 04 2012 17:44 pm  

You're right, it's authentication. It seems since I'm logged in as the admin, it shouldn't time out so quick. But I guess I'll just have to deal. Not that big a deal.

Thanks.

   

By: bisdak (offline)  Feb 04 2012 19:01 pm  

Not sure of the timer setting; I seem to recall it was 10-15 minutes. Usually if you are composing you get the authentication up, and when entered your work is still available to be saved ... it happens to me often but I never lose anything.

Thanks


Tita T
------
ex University of San Carlos Cebu | Sta Tomas Manila
Proudly Visayan now living in Europe
------

 

By: BMcDonald (offline)  Feb 04 2012 19:53 pm  

Yes, that's right. I definitely never lose anything.

I'm just used to working in an old Geeklog version that doesn't do that.

Thanks for your help.

   

By: Mark (offline)  Feb 07 2012 15:01 pm  

There is an administration session that is separate from the regular login session. The admin session is what allows you into the administrative areas. It has a default time to live of 20 minutes. After 20 minutes of not being in the admin area, you will have to re-authenticate if you try to perform an admin function. This is a security feature that ensures no one can just walk up to a computer that is logged into a glFusion site and make changes. It also provides another safety layer if the user's session was somehow hijacked (we have lots of controls to prevent hijacking, but we also believe in multiple layers of defense).

There is an advanced configuration setting that controls the time and allows you to disable the feature if you don't like it. In the public_html/siteconfig.php, you should find (and if it isn't there, cut/paste it into that file):

PHP Formatted Code

// +--------------------------------------------------------------------------+
// | Administrative session timeout - set to 0 to disable re-auth             |
// +--------------------------------------------------------------------------+

$_SYSTEM['admin_session'] = 1200;
 


You can change the number of seconds to a higher value or set to 0 to disable.

Thanks!
Mark


Join me on the glFusion Gitter Channel

   

By: BMcDonald (offline)  Feb 07 2012 15:20 pm  

Nice. Thanks. Nobody else has access to my computer so that security level isn't necessary.

So far I like this version of GL much better than the old version I had been using. Thanks again for your help.

   

By: TJ (offline)  Jul 25 2016 13:26 pm  

Hi,

We are seeing a session problem on one of our sites for an admin who is updating some stories every day and becoming a bit frustrated because the stories are not saving after signing back in.

I have said to copy the story or click on preview, which sometimes works, before saving it until I find out what the cause is.

We have changed the time in siteconfig.php, as mentioned here, but we have noticed that there is another place to change this in lib-common.php. Do we need to change both, or just siteconfig.php?

We do have the site set up without the www. Could this be one of the causes as mentioned here?

I actually have the same problem here, on the glFusion site, when I am typing a long message in the forums. I find that the message is not saved after signing back in. I have got used to it now and I work around it.

Thanks.

Tony.


"Life is not measured by the number of breaths we take, but by the moments that take our breath away"

   

By: Mark (offline)  Jul 25 2016 14:08 pm  

There are 3 types of sessions in glFusion - the standard session for any user browsing the site, the 'remember me' session, and the admin session. The standard user session is the baseline session; when a user first browses the site, a session is created for them. We use PHP sessions for tracking this. If their PHP session is destroyed (maybe due to inactivity on the site), then the 'Remember Me' cookie is checked; if valid, a new session is created and the user continues their browsing. So there are 2 things that affect this type of session: first is the PHP configuration for sessions, second is the Remember Me setting for the user. If the PHP setting for session lifetime is low (I think the default is 24 hours), it could be the session is destroyed by PHP during the inactivity. This can happen on shared hosting environments where many sites are using the same session save path - the site with the lowest time to live value controls how quickly sessions are expired.

The admin session is what controls access to the administrative functions of the site. This is a cookie that is set, with a timeout defined in siteconfig.php. The lib-common item you are referring to is a failsafe; if no value is present in siteconfig.php, it will default to 1200 seconds. No need to edit this one. The admin session simply handles how often we need to prompt the user to re-authenticate between admin functions - the intent is if you were to leave yourself logged into your site, if someone were to gain access to your computer, they would have to re-authenticate before getting access to the admin area. You can disable this check by setting the session timeout in siteconfig.php to 0.

Finally, there are security tokens used in glFusion to ensure that submitted data comes from the proper source and is timely. By timely, I mean if a form is submitted 24 hours after the form was generated, that isn't timely and you would be required to re-authenticate. I think this is what is causing your problem. The default time out on security tokens is 20 minutes. Oddly enough, there is no configuration option for this timeout - which is now on my todo list for 1.6.1! As a test - make this simple change to the lib-security.php file (located in private/system/ directory):

Go to line 1222, you should see:

PHP Formatted Code

function SEC_createToken($ttl = 1200)
{
    global $_CONF, $_SYSTEM, $_USER, $_TABLES, $_DB_dbms;

    static $_tokenKey;
 


Change that 1200 to some value higher - this is the number of seconds for a token to live. Set it to 2400 (which would be 40 minutes). Save it and let's see if that makes a difference.

Let me know....

Thanks!
Mark


Join me on the glFusion Gitter Channel

   

By: TJ (offline)  Jul 25 2016 21:57 pm  

Hi Mark,

Thank you for your reply. We have changed the time in lib-security.php. We'll see how it goes.

Thanks again.

Tony.


"Life is not measured by the number of breaths we take, but by the moments that take our breath away"

   

By: Andrew8925 (offline)  Jul 26 2016 04:08 am  

I've noticed the constant asking for authentication happens on subdomains that are running a separate installation of glfusion than the main domain, which is also running an install of glfusion. It drives me nuts. My solution has been to set the admin session to zero.
$_SYSTEM['admin_session'] = 0;

Could this be a similar situation?

   

By: Mark (offline)  Jul 28 2016 09:36 am  

Andrew,

The problem you describe is a bit different - it doesn't have anything to do with the session timeout, instead it is caused by the method PHP / glFusion uses to handle cookies. I used to have the same problem, I have this site, www.glfusion.org and a mirror site that I run locally called site.glfusion.org. When I'm logged into both, I was always having to re-authenticate to do admin tasks. The problem is / was, because the cookie domain was glfusion.org, so both sites could and were sharing cookies. The fix is pretty simple, set the cookie domain on each site to the full URL, so in my example, I set the cookie domain here to www.glfusion.org and on my mirror site to site.glfusion.org. This way, the cookies are now specific to a more granular URL. Of course, turning off the site admin validation works too :)

Thanks!
Mark


Join me on the glFusion Gitter Channel
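
The cookie-domain collision described in the post above, as an added example that is not part of the original thread or of glFusion's code. It models the browser's cookie storage and domain-match rules (RFC 6265) for the two host names from the post; the cookie name `admin_token` and its values are hypothetical.

```javascript
// Added illustration: a minimal cookie jar following RFC 6265 storage and
// domain-match rules. The cookie name "admin_token" is hypothetical.

// A host matches a cookie domain if it is identical or a dot-separated subdomain.
function domainMatches(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, '');
  return h === d || h.endsWith('.' + d);
}

class CookieJar {
  constructor() { this.cookies = new Map(); }

  // A cookie is identified by (name, domain, path); the same key overwrites.
  set(requestHost, name, value, domain, path = '/') {
    if (!domainMatches(requestHost, domain)) return false; // browser rejects it
    const key = `${name}|${domain.toLowerCase()}|${path}`;
    this.cookies.set(key, { name, value, domain });
    return true;
  }

  // Values of every stored cookie the browser would send to this host.
  sentTo(host, name) {
    return [...this.cookies.values()]
      .filter(c => c.name === name && domainMatches(host, c.domain))
      .map(c => c.value);
  }
}

// Both installs set their own admin cookie; cookieDomainFor maps host -> Domain.
function simulate(cookieDomainFor) {
  const jar = new CookieJar();
  const hosts = ['www.glfusion.org', 'site.glfusion.org'];
  for (const host of hosts) {
    jar.set(host, 'admin_token', `issued-by-${host}`, cookieDomainFor(host));
  }
  return Object.fromEntries(hosts.map(h => [h, jar.sentTo(h, 'admin_token')]));
}

const shared = simulate(() => 'glfusion.org'); // parent domain on both sites
const scoped = simulate(host => host);         // full host name on each site

console.log(shared); // www receives the mirror's value, so its own check fails
console.log(scoped); // each site receives only the value it issued
```

With the shared parent domain, whichever site wrote the cookie last wins on both hosts, which is why the other install keeps asking for re-authentication.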

   

By: TJ (offline)  Aug 12 2016 11:11 am  

Hi,

One of our admins has reported that when they need to re-authenticate to save a story that they have been editing, it does not say that the story has saved.
They say that they lose their work and the story hasn't saved, although I have just tested it and it has saved on testing, although it did not say that it was saved.

After questioning the administrator on how often they log-in, I found out that they never logout so I am now guessing that this may be playing a large part on why they may be having problems with editing stories. They are typing quite a lot which may take some time to complete so we have suggested saving the story after so many lines or copying and pasting from notepad.


"Life is not measured by the number of breaths we take, but by the moments that take our breath away"

   

TJ



Group Comfort
Level:
: +8
Registered:: 12/17/12

Posts: 613
By: Mark (offline)  Aug 12 2016 20:18 pm  

I'm going to implement some background JS that will do 2 things:

1. refresh the security tokens every X minutes while in the editor
2. detect inactivity after 15 minutes and prompt the user

This should solve the timeout issue - my initial tests have allowed me to keep the editor open for over an hour as long as I type something at least every 15 minutes and it saves without prompting, etc.

I should get it wrapped up tonight and have it ready for the upcoming v1.6.1 incremental release coming soon.

Thanks!
Mark


Join me on the glFusion Gitter Channel
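
An added example, not part of the original thread or of glFusion's code, covering both the security-token lifetime described earlier in the thread and the refresh plan in the post above. It runs a simulated clock through one editing session; the token format, the in-memory store and the 10-minute refresh interval are assumptions.

```javascript
// Added illustration; values marked "assumed" are not taken from glFusion.
const TOKEN_TTL = 1200;      // seconds: default token lifetime given in the thread
const IDLE_LIMIT = 15 * 60;  // seconds: inactivity threshold given in the thread
const REFRESH_EVERY = 600;   // seconds: assumed value for "every X minutes"

// Server side, simplified: each token has an expiry and can be used once.
class TokenStore {
  constructor() { this.expiry = new Map(); this.counter = 0; }
  create(now, ttl = TOKEN_TTL) {
    const token = `tok-${++this.counter}`; // constructed; a real token must be unpredictable
    this.expiry.set(token, now + ttl);
    return token;
  }
  check(token, now) {
    const exp = this.expiry.get(token);
    this.expiry.delete(token);
    return exp !== undefined && now <= exp;
  }
}

// Client side: walk a simulated clock (seconds) through one editing session.
// keystrokes lists the times at which the user typed.
function editSession({ keystrokes, submitAt, refresh }) {
  const store = new TokenStore();
  let token = store.create(0);   // token embedded when the form is rendered
  let lastActivity = 0;
  let prompted = false;
  for (let now = 1; now <= submitAt; now++) {
    if (keystrokes.includes(now)) lastActivity = now;
    // Idle too long: stop refreshing so an unattended editor does not stay valid.
    if (now - lastActivity >= IDLE_LIMIT) prompted = true;
    if (refresh && !prompted && now % REFRESH_EVERY === 0) {
      token = store.create(now); // background request swaps in a fresh token
    }
  }
  return { saved: store.check(token, submitAt), prompted };
}

const every = (step, until) =>
  Array.from({ length: Math.floor(until / step) }, (_, i) => (i + 1) * step);

const noRefresh = editSession({ keystrokes: every(300, 3000), submitAt: 3000, refresh: false });
const active = editSession({ keystrokes: every(600, 4000), submitAt: 4000, refresh: true });
const walkedAway = editSession({ keystrokes: [300], submitAt: 4000, refresh: true });
console.log({ noRefresh, active, walkedAway });
```

Tying the refresh to recent activity keeps the re-authentication protection for an unattended browser while letting an active editor save after more than an hour.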

   

By: TJ (offline)  Aug 15 2016 10:25 am  

This sounds excellent. I have updated the site that was having problems.
Thanks Mark.


"Life is not measured by the number of breaths we take, but by the moments that take our breath away"

   
