Community Auth logging out after 5 minutes
#1

I'm having an issue with the latest Community Auth (1eda18b commit) and I'm not sure where the problem is or how to fix it. Everything was working before I upgraded to this version (database tables and other application files were updated to reflect the new structure of the code).

I can log in and everything is working as expected, but then after 5 minutes it appears that the session is no longer valid and I get kicked back to the login screen.

In the application log file I see the following debug messages:

Code:
DEBUG - 2016-01-15 02:19:09 -->
string     = username
password   = *****
form_token = f2a5c583
token_jar  = ["02ba7e2d","e11fa150","ea4f67bb","aef9e824","cfb6de69","e101e210","f2a5c583"]

DEBUG - 2016-01-15 02:24:26 -->
user id from session    = 12341234
login time from session = 2016-01-15 02:19:10

The only reference to "300" seconds in the config files is in application/config/config.php:
Code:
$config['sess_driver'] = 'database';
$config['sess_cookie_name'] = 'cisession';
$config['sess_expiration'] = 7200;
$config['sess_save_path'] = 'ci_sessions';
$config['sess_match_ip'] = TRUE;
$config['sess_time_to_update'] = 300;   #   <----
$config['sess_regenerate_destroy'] = FALSE;

Any ideas if sess_time_to_update is the culprit and how to fix it?

Thanks

Steve
#2

(This post was last modified: 01-14-2016, 08:30 PM by skunkbad.)

It sounds like it is tied to the sess_time_to_update; however, this has been extensively tested. Try setting it to 30 seconds to confirm:


PHP Code:
$config['sess_time_to_update'] = 30;


If I use your config settings (or mine) I am not having any problems with getting logged out.

I'm not saying it's not a problem though. What browser? All browsers?

Have you made any customizations that touched auth related files?

Are you doing anything with sessions that might be causing issues?

I'm willing to fix this for you if provided access. If access is not possible, if you can zip up the files and a db dump, I can install it locally and find your problem.
#3

Changing the sess_time_to_update to 30 seconds does kill the session after 30 seconds :(

Same issue in latest Chrome, Firefox and Safari.

AFAIK I haven't made any changes to the core auth files other than USE_SSL to 1, and I'm not doing anything else with sessions in this webapp.

I'll wrap the code and DB up and send you a private message.

Thanks

Steve
#4

(This post was last modified: 01-15-2016, 10:53 AM by skunkbad.)

OK, I found your problem.

Examples of the problem (from Myprofile controller):


PHP Code:
public function index()
{
    $this->is_logged_in();
    $this->require_min_level(1);

    // ...
}



Fix:


PHP Code:
public function index()
{
    $this->require_min_level(1);

    // ...
}


Why?:

You only call is_logged_in() to verify that a user is logged in, not to enforce login, and never in the same request as one of the require_x methods. A good place to use is_logged_in() is typically a home page, where authentication is not normally required, yet you would want to know if the user is logged in so you can provide a logout link, or other user related customizations.

Note:

While it seems to work fine, I usually wrap the code I am trying to protect in an if statement with the require_x method:


PHP Code:
public function index()
{
    if( $this->require_min_level(1) )
    {
        // ...
    }
}


That was not your problem though. Your problem was trying to use two auth related functions at the same time.

Docs for is_logged_in() do say that it should not be called with the other auth related functions:

http://community-auth.com/documentation/...rification

Also, notes I made while debugging:

1) Encryption key in config/config is not created properly. You are just supplying a 42 character string. Read the CI documentation, or use Community Auth's encryption key creator.

2) Setting the cookie domain in config/config may not be necessary. Is it?

3) Check if logouts persist when csrf_protection is turned off. NO.

4) Check if logouts persist when time_reference is set back to "local". NO.

5) Database config->compress? NO.

6) Put "levels_and_roles" in descending order, just in case ... NO.

7) I always like to destroy my CI sessions on regeneration. Keeps the table cleaner.
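Note 1 in the post above refers to the CodeIgniter 3 requirement that `encryption_key` be random bytes of the cipher's key length (16 bytes for the default AES-128), set in config.php through `hex2bin()`. The following is an added example, not code from this thread or from Community Auth; the function names and the sample string are made up for illustration, and it assumes PHP 7 or later for `random_bytes()`.

```php
<?php
// Added example (not from the thread). Run from the command line.

// Key sizes in bytes for AES-128, AES-192 and AES-256.
const KEY_BYTES = [16, 24, 32];

/** Return a list of problems found in a raw encryption_key value. */
function audit_key(string $key): array
{
    $problems = [];
    $len = strlen($key);
    if (!in_array($len, KEY_BYTES, true)) {
        $problems[] = "length is $len bytes, expected one of " . implode('/', KEY_BYTES);
    }
    if ($len > 0 && ctype_print($key)) {
        $problems[] = 'only printable characters: looks like typed text, not random bytes';
    }
    return $problems;
}

/** Generate a key from the OS CSPRNG, hex-encoded for pasting into config.php. */
function new_key_hex(int $bytes = 16): string
{
    if (!in_array($bytes, KEY_BYTES, true)) {
        throw new InvalidArgumentException("unsupported key size: $bytes");
    }
    return bin2hex(random_bytes($bytes));
}

// Constructed sample: a 42-character text string, like the kind flagged in note 1.
$typed = 'my-portal-secret-key-please-change-me-2016';
foreach (audit_key($typed) as $problem) {
    echo "typed key: $problem\n";
}

// Generate a replacement, re-audit it, and print the config line to paste.
$hex = new_key_hex(16);
echo 'generated key problems: ' . count(audit_key(hex2bin($hex))) . "\n";
echo "\$config['encryption_key'] = hex2bin('$hex');\n";
```

Changing the key invalidates anything encrypted under the old one, so do it before the application holds encrypted data, and keep the generated value out of version control.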
#5

So...
- I fixed/removed the calls to $this->is_logged_in()
- Corrected the encryption key
- Turned off database compression
- Flipped the order of levels_and_roles
- Configured destroy CI sessions on regeneration

The issue I have now is that when I log in I don't get any errors and I can see in the logs that I try to load the Home page, but I'm immediately kicked back to the login page.

index function now reads...
PHP Code:
public function index()
{
    if ($this->require_min_level(1)) {
        $data["page_title"] = "Home";
        $data["site_name"] = $this->config->item('site_name');

        $this->load->view('header', $data);
        $this->load->view('navbar');
        $this->load->view('home');
        $this->load->view('footer');
    }
}

I tried resetting the password, and clearing out all previous sessions from ci_sessions and auth_sessions tables but still the same issue.

Any other suggestions?

Steve
#6

(01-15-2016, 02:53 PM)sjcarr Wrote: So...
- I fixed/removed the calls to $this->is_logged_in()
- Corrected the encryption key
- Turned off database compression
- Flipped the order of levels_and_roles
- Configured destroy CI sessions on regeneration

The issue I have now is that when I log in I don't get any errors and I can see in the logs that I try to load the Home page, but I'm immediately kicked back to the login page.

index function now reads...
PHP Code:
public function index()
{
    if ($this->require_min_level(1)) {
        $data["page_title"] = "Home";
        $data["site_name"] = $this->config->item('site_name');

        $this->load->view('header', $data);
        $this->load->view('navbar');
        $this->load->view('home');
        $this->load->view('footer');
    }
}

I tried resetting the password, and clearing out all previous sessions from ci_sessions and auth_sessions tables but still the same issue.

Any other suggestions?

Steve

Maybe try clearing browser cookies?
#7

D'oh, feel stupid now overlooking browser cookies. All is well and it isn't kicking me out after 5 minutes :)

Thanks for all your help!
#8

FYI, I pushed up a commit today that takes care of this issue, because sometimes there is a reason why you might be authenticating twice. For instance:


PHP Code:
public function foo()
{
  if( $this->require_min_level(1) )
  {
    // You know somebody is logged in

    // ... code happening ....

    // You decide another method is better for this user/request
    $this->bar();
  }
}

public function bar()
{
  if( $this->require_min_level(1) )
  {
    // You know somebody is logged in

    // Now you are doing something that foo() didn't do
  }
}



It was exactly this scenario that made me notice that using two authentication functions is sometimes necessary. If you just update your Auth_Controller with the one in the repo, you can test it out.

BTW. Thanks for the tip. I appreciate it.
#9

Thanks :)

Will slipstream the updated code into the next update of our portal, fingers crossed ;)
#10

(This post was last modified: 02-25-2016, 12:11 AM by max.)

I was experiencing the same problem of logging out after 5 minutes. Google search led me to this post.

I have tested the updated code and it works perfectly fine.
Thank you Steve for questioning this issue and many thanks to skunkbad for the timely fix. :)



