How to stop users being logged out after about 3 or 4 hours.

Development and Programming

aja1234
9 posts
8 years ago

Users of our site ( EE 2.9.2 ) are being randomly logged out after 3 or 4 hours.

I have checked cookie viewer in chrome and firefox, and “exp_sessionid” and “exp_expiration” are being set correctly and are not marked to expire in a matter of hours. They are set to expire 1 year in the future. In our login form we force remember me to checked and pass auto_logon=1 to the server.

Is there some sort of idle timeout or weird config setting that needs to be overridden to fix this?

NOTE: This is on our members website, NOT the EE control panel. I know the control panel handles sessions differently and has an idle monitor. But the website shouldn’t be doing this.

       
JT Thompson
745 posts
8 years ago

It could be several things.

  1. Check the ‘SESSION’ section of your PHP config file (normally php.ini) and make sure you have:

       session.use_cookies = 1
       session.use_only_cookies = 1
       session.cookie_lifetime = 0

     There may be other settings in that section that, if set wrong, could mess things up.

  2. Many people use cookie auto destruction add-ons (not to be confused with EE addons - these are browser add-ons/extensions…) and if not white-listed your website cookie can be destroyed if they idle too long.

  3. You didn’t mention the OS or http server software you are using - so I can’t give you specifics on that, but something to look at also.

Of course this is ASSUMING you have all your EE settings set correctly…

Hope that helps!

       
aja1234
9 posts
8 years ago

OS is Linux and it’s a LAMP setup. I’m thinking this is a bug in EE itself.

       
Derek Jones
7,561 posts
8 years ago

I would first recommend updating, 2.9.2 is quite old, though I do not recall any login related bugs since we refactored sessions and “remember me” in 2.8.0. User-side sessions expire in 2 hours, but are continually pushed out 2 hours with any web site activity. And with “remember me” set, their session would restart seamlessly with activity after the 2 hour expiry. Do you have a cookie domain set? Or running through a reverse proxy that might be accessing ExpressionEngine with the same IP address and/or user agent for every request?

       
aja1234
9 posts
8 years ago

Derek, you mention “User-side sessions expire in 2 hours, but are continually pushed out 2 hours with any web site activity. And with “remember me” set, their session would restart seamlessly with activity after the 2 hour expiry.”

The issue is users are leaving the site open all day, and being logged out automatically ( after a few hours of inactivity ). I’m guessing based on some sort of “idle” or “activity” monitor that goes by time and ignores the cookie’s lifetime ( 1yr ).

Is there a way to turn off the idle detection?

Again, this isn’t the control panel, it’s the website with normal users ( membership based website built with EE ).

       
Derek Jones
7,561 posts
8 years ago

If remember me is enabled, and you have “cookies only” sessions on the front end, then the very next request they make to the site will automatically and transparently spin up their session. There’s no active idle detection like the control panel has, so nothing to override there. Can you answer my two questions regarding your cookie domain settings and any reverse proxy? Further, since you mention that you know they are leaving windows open a long time, are they actually being logged out? Or are they trying to submit forms and getting “this form has expired” (CSRF) errors?

       
aja1234
9 posts
8 years ago

The users are not trying to submit any forms. They will leave their browser open and either hit refresh on the page or click to navigate the site and then be redirected to the login page to login again. This is even though the cookies are set to 1yr and they haven’t run any cleaning utilities.

There is an Amazon AWS load balancer that accepts the requests and forwards them to one of our web servers in the web farm.

The cookie domain is set to .example.com ( using www.example.com for sake of conversation ).

The cookie path is set to /

The cookie prefix is blank.

The site is run over https if that matters at all.

       
Derek Jones
7,561 posts
8 years ago

SSL would only matter if the cookies were secure only, and if your server also responds to non-SSL, and if for some reason they were accessing a non-SSL URL.

There is an Amazon AWS load balancer that accepts the requests and forwards them to one of our web servers in the web farm.

It’s possible that this is not forwarding the original headers, or that something needs to be whitelisted on the app side of things to accept modified headers as authentic. If you put in a support ticket, our team can help examine your environment and diagnose directly. I’m highly doubtful of a bug, not because we are infallible, all software has bugs. But especially since the version you are running is from 2014, we’d have heard about it extensively between then and now. Chances are it’s environmental, but it’s hard to say without being able to reproduce and inspect directly.
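
Added example (not part of any post in this thread and not ExpressionEngine code): a PHP sketch of what "accepting forwarded headers as authentic" can look like when a session check compares client IP addresses behind a load balancer. The premise that the session is compared against the client IP, the proxy subnet 10.0.0.0/16, the function names and the sample requests are all assumptions constructed for illustration.

```php
<?php
// Added example, not ExpressionEngine code. IPv4 only.
// Assumption: the load balancer nodes live in 10.0.0.0/16 (constructed value).
const TRUSTED_PROXY_CIDR = '10.0.0.0/16';

function ip_in_cidr(string $ip, string $cidr): bool
{
    [$net, $bits] = explode('/', $cidr);
    $ipLong  = ip2long($ip);
    $netLong = ip2long($net);
    if ($ipLong === false || $netLong === false) {
        return false; // not a valid IPv4 address
    }
    $mask = (int) $bits === 0 ? 0 : (~0 << (32 - (int) $bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($netLong & $mask);
}

function is_trusted_proxy(string $ip): bool
{
    return ip_in_cidr($ip, TRUSTED_PROXY_CIDR);
}

// Address a session check should compare against (hypothetical helper).
function client_ip(array $server): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    $xff  = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    // Believe X-Forwarded-For only when the TCP peer is one of our own proxies.
    if ($xff === '' || !is_trusted_proxy($peer)) {
        return $peer;
    }
    // Walk right to left: the first hop that is not our proxy is the client.
    foreach (array_reverse(array_map('trim', explode(',', $xff))) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) && !is_trusted_proxy($hop)) {
            return $hop;
        }
    }
    return $peer;
}

// Constructed requests: one browser via two balancer nodes, then a direct request.
$nodeA  = ['REMOTE_ADDR' => '10.0.1.15',    'HTTP_X_FORWARDED_FOR' => '203.0.113.7'];
$nodeB  = ['REMOTE_ADDR' => '10.0.2.40',    'HTTP_X_FORWARDED_FOR' => '203.0.113.7'];
$direct = ['REMOTE_ADDR' => '198.51.100.9', 'HTTP_X_FORWARDED_FOR' => '203.0.113.7'];
var_dump($nodeA['REMOTE_ADDR'] === $nodeB['REMOTE_ADDR']); // peer address only
var_dump(client_ip($nodeA) === client_ip($nodeB));         // proxy-aware address
var_dump(client_ip($direct));                              // header from untrusted peer
```

Comparing only the peer address treats the same browser as two different clients when it arrives through different balancer nodes; the proxy-aware lookup resolves both to one client, and a forwarded header sent by a peer outside the trusted subnet is ignored.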

       
aja1234
9 posts
8 years ago

Where can I put in a support ticket?

       
Derek Jones
7,561 posts
8 years ago
Where can I put in a support ticket?

https://expressionengine.com/support

It’s subscription based; valid license holders get three months of silver for free, reflected in your cart.

       
JT Thompson
745 posts
8 years ago

If you’re using AWS load balancers for your frontend (because we do that too), how you set up the load balancer for cookie handling is very important - and is most likely where your problem lies.

Derek is right though - you will need a tech with expertise on that setup to get you right - there are several things that must be configured together to make it all work seamlessly, and your setup will be an important factor too (people do things different).

I’d like to be able to give you step-by-step instructions on how to resolve this issue - but there are just too many factors that relate to your particular setup to make one.

On the good side - EE’s support ticket cost is WAY less than what we would charge a client to fix this issue, I’m really surprised they’re willing to take on such a setup - Cheers to them!

If you’re using AWS load balancing for your website - the cost of a support ticket should be trivial to you.

       
aja1234
9 posts
8 years ago

JT,

On our AWS load balancer we have LBCookieStickinessPolicy set and expirationPeriod = 0 ( checked ‘Enable load balancer generated cookie stickiness’ ). This works for our other apps ( non EE, just custom PHP/CI apps ).

What do you guys use on your setup?

       
JT Thompson
745 posts
8 years ago

Nice try - but we get paid the big bucks for that knowledge. 😉

I will give you a hint though - we DO NOT enable stickiness on the load balancer - that is too much of a performance nightmare on a high traffic site.

Using stickiness severely hinders the load balancing nature of the load balancer (lol that was a funny statement) and should be avoided if possible.

       
JT Thompson
745 posts
8 years ago

I can’t stand it - did you figure it out?

Curious to see what your solution is….

If you haven’t got a solution yet - post and I’ll give you the path to follow - it really is simple, however, there are several ways it could be done and I’m curious as to what you chose. I’m such a sucker 😊

       
aja1234
9 posts
8 years ago

I’m 99% sure it is an AWS load balancer issue. I tested on our beta site ( direct access to server, no load balancer ) and never got logged out even when leaving the browser idle all night.

I haven’t figured out what needs to be changed as of yet. Any help would be greatly appreciated. I’m under the gun on this one heh..

       