Question about 'Remember me', cookies, and having to log in over and over


  • Lynne
    replied
    I'm glad you got it resolved.



  • stcorp
    replied
    This password issue was resolved by upgrading php from 5.3.3-27 to 5.4.16-7.



  • Lynne
    replied
    Your cookies at www.domain.com should have nothing to do with this as it isn't a vbulletin page.

    Have you modified your templates at all? If so, can you try adding a totally default style and see if you still have the same issue?

    Do you have any modifications? Have you tried disabling them to see if you still have the same issue?

    When did this problem start? And, what changed on your server/software around that time?

    What version of PHP and MySQL are on the server?



  • stcorp
    replied
    Ok, I'm back with more information.

    First, this is happening to all users of the site, not just some.

    Second, I have been using ourdomain.com as a placeholder in this thread -- it isn't really the name of our domain. Wayne or Lynne -- I don't want to PM you unless you say it is ok, but if it is ok, I'll PM you with our site if you don't mind setting up a login for yourself and seeing if you can reproduce the problem.

    Third, and most importantly from my point of view, the problem isn't solved even after the latest thing I tried above. So, here's what I am trying. Right now, I am looking at the top-level NON-FORUM page on our site. That is, I am viewing www.ourdomain.com/ which is a static page we set up with information about the site. Our forums are under www.ourdomain.com/forums but I haven't gone there yet this morning. I am just looking at the top level page. As I look at it, I see that my cookies are set as follows:
    st_lastactivity 1396900866 .ourdomain.com / Session
    st_lastvisit 1396900816 .ourdomain.com / Session
    st_password [redacted] .ourdomain.com / Wed, 07 May 2014 20:01:08 GMT
    st_sessionhash [redacted] .ourdomain.com / Wed, 07 May 2014 20:01:08 GMT
    st_userid 2 .ourdomain.com / Wed, 07 May 2014 20:01:08 GMT
    So, everything looks great. Now, in another browser window (but same browser session) I'm going to go to www.ourdomain.com/forums which is the top-level of our vBulletin installation. Let's see what cookies I have now:

    The first thing I note is that I see the 'Login or Register' link at the top right. I do NOT see myself as being logged in. And, the cookies have changed slightly (changes highlighted in red)
    st_lastactivity 1396967674 .ourdomain.com / Session
    st_lastvisit 1396900866 .ourdomain.com / Session
    st_password [redacted] (but same as previously) .ourdomain.com / Wed, 07 May 2014 20:01:08 GMT
    st_sessionhash [redacted] (but different from previously) .ourdomain.com / Session
    st_userid 2 .ourdomain.com / Wed, 07 May 2014 20:01:08 GMT
    It doesn't surprise me that st_lastactivity and st_lastvisit changed. It does surprise me that st_sessionhash changed, but ok, so maybe it updates every time. What is really surprising to me though (but maybe it shouldn't be) is that st_sessionhash changed from having a full expiration date to just being "Session".

    When I log in again at this point (remember the forum is showing me as not logged in, so I click on the 'Login or Register' link at the top right), after I log in, the st_sessionhash is back to showing an expiration date. After logging back in, st_password, st_userid, and st_sessionhash all have "Thu, 08 May 2014 14:40:55 GMT" as the expiration date/time.

    I just now realized that in addition to what I was doing above, I perhaps should have been looking at changes to the 'session' table in MySQL via phpmyadmin while I was doing all of the above just to see what was going on there.

    Wayne/Lynne -- any pointers of next steps to take/things to look for? Let me know if I can PM you our site so you can try it out for yourself. Thanks!


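The two cookie listings in the post above can be compared mechanically. This is an added example, not part of the original thread and not vBulletin code: it parses the "name value domain path expiry" rows and reports what changed between the two page loads. HASH_P, HASH_S1 and HASH_S2 are constructed placeholders for the redacted values, and the function names are hypothetical.

```python
from email.utils import parsedate_to_datetime

# Constructed from the listings in the post; HASH_* stand in for redacted values.
BEFORE = """\
st_lastactivity 1396900866 .ourdomain.com / Session
st_lastvisit 1396900816 .ourdomain.com / Session
st_password HASH_P .ourdomain.com / Wed, 07 May 2014 20:01:08 GMT
st_sessionhash HASH_S1 .ourdomain.com / Wed, 07 May 2014 20:01:08 GMT
st_userid 2 .ourdomain.com / Wed, 07 May 2014 20:01:08 GMT
"""
AFTER = """\
st_lastactivity 1396967674 .ourdomain.com / Session
st_lastvisit 1396900866 .ourdomain.com / Session
st_password HASH_P .ourdomain.com / Wed, 07 May 2014 20:01:08 GMT
st_sessionhash HASH_S2 .ourdomain.com / Session
st_userid 2 .ourdomain.com / Wed, 07 May 2014 20:01:08 GMT
"""

def parse(listing):
    """Parse 'name value domain path expiry' rows into {name: attributes}."""
    jar = {}
    for row in listing.strip().splitlines():
        name, value, domain, path, expiry = row.split(None, 4)
        expires = None if expiry == "Session" else parsedate_to_datetime(expiry)
        jar[name] = dict(value=value, domain=domain, path=path, expires=expires)
    return jar

def diff(before, after):
    """Return (cookie name, change) pairs, sorted by cookie name."""
    findings = []
    for name in sorted(before.keys() | after.keys()):
        b, a = before.get(name), after.get(name)
        if b is None or a is None:
            findings.append((name, "added" if b is None else "removed"))
            continue
        if b["value"] != a["value"]:
            findings.append((name, "value changed"))
        if b["expires"] is not None and a["expires"] is None:
            findings.append((name, "persistent -> session"))
        elif b["expires"] is None and a["expires"] is not None:
            findings.append((name, "session -> persistent"))
        elif b["expires"] != a["expires"]:
            findings.append((name, "expiry changed"))
        if (b["domain"], b["path"]) != (a["domain"], a["path"]):
            findings.append((name, "scope changed"))
    return findings

if __name__ == "__main__":
    print(*diff(parse(BEFORE), parse(AFTER)), sep="\n")
```

Only st_sessionhash is reported with both a new value and a change from a dated expiry to a session cookie, which is the change the post singles out; st_password and st_userid are not reported at all.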

  • Wayne Luke
    replied
    Your expiration dates are correct. Remember Me should keep you logged in for 30 days. There is also a redirect on your site from "ourdomain.com" to "www.ourdomain.com" so that wouldn't be the problem. Are the people with the problem using any type of browser tool or setting that deletes cookies when they close the browser? If they are, then Remember Me will never work for them. Same if they are using an Incognito mode and close the browser.



  • stcorp
    replied
    Users cannot access ourdomain.com. The only access is via www.ourdomain.com.

    The reported behavior was with 'Remember Me' on.

    I'll report back if switching the Cookie Domain to simply ".ourdomain.com" fixes the issue.



  • Lynne
    replied
    If you allow users to log in to your site via both http://www.yoursite.com and just yoursite.com, then you MUST have your cookie domain (AdminCP > Settings > Options > Cookies and HTTP Header Options > Cookie Domain) set to ".yoursite.com" (no quotes, but note the period at the beginning) or your users will have problems. Also, make sure to tell your users to click the Remember Me button when they log in.


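The effect of the Cookie Domain setting described in the post above follows from the browser rules in RFC 6265. This is an added example, not part of the original thread and not vBulletin code: it models the host-only flag and domain matching for the two hostnames in the post. The function names are hypothetical, the cookie name st_userid is borrowed from elsewhere in the thread, and IP-address hosts and public-suffix checks are left out.

```python
from dataclasses import dataclass

def domain_match(request_host, cookie_domain):
    """RFC 6265 section 5.1.3: identical, or host ends with '.' + domain."""
    host, dom = request_host.lower(), cookie_domain.lower()
    return host == dom or host.endswith("." + dom)

@dataclass
class StoredCookie:
    name: str
    domain: str
    host_only: bool

def store(name, set_by_host, domain_attr=""):
    """Model how a browser stores a cookie it received from set_by_host.

    Returns None when the browser would reject the cookie."""
    if not domain_attr:
        # Blank Cookie Domain: no Domain attribute, so the cookie is host-only.
        return StoredCookie(name, set_by_host.lower(), True)
    # A single leading dot is ignored (section 5.2.3).
    dom = domain_attr[1:] if domain_attr.startswith(".") else domain_attr
    if not domain_match(set_by_host, dom):
        return None  # a host may not set cookies for a domain it is not part of
    return StoredCookie(name, dom.lower(), False)

def is_sent(cookie, request_host):
    """Would the browser attach this cookie to a request for request_host?"""
    if cookie.host_only:
        return request_host.lower() == cookie.domain
    return domain_match(request_host, cookie.domain)

def hosts_receiving(cookie, hosts):
    return [h for h in hosts if is_sent(cookie, h)]

HOSTS = ["www.yoursite.com", "yoursite.com"]  # the two hostnames from the post

if __name__ == "__main__":
    for attr in ("", ".yoursite.com", "www.yoursite.com"):
        cookie = store("st_userid", "www.yoursite.com", attr)
        print(repr(attr), "->", hosts_receiving(cookie, HOSTS))
```

With a blank or "www.yoursite.com" Cookie Domain, a login performed on www.yoursite.com is invisible on yoursite.com; with ".yoursite.com" the same cookie reaches both hostnames.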

  • stcorp
    replied
    stlastactivity: 1396900213 expires "Session"
    stlastvisit: 1396900213 expires "Session"
    stpassword: <hash_value> expires "Wed, 07 May 2014 19:50:14 GMT"
    stsessionhash: <hash_value> expires "Wed, 07 May 2014 19:50:14 GMT"
    stuserid: 2 expires "Wed, 07 May 2014 19:50:14 GMT"

    Domain is "www.ourdomain.com" for all, and Path is "/" for all.

    FYI, although nothing in our setup refers to ourdomain.com instead of www.ourdomain.com, I notice that the one other difference I spot between your cookies and our cookies is that you are using .vbulletin.com rather than www.vbulletin.com for the domain. I'm going to change our setup to use '.ourdomain.com' for our Cookie Domain setting in AdminCP, change the two config files to use st_ instead of st for the prefix (to force all users to get the new cookies), and turn vBulletin off/on again to see if this fixes the issue.



  • Wayne Luke
    replied
    The imloggedin cookie is specific to our site and allows registered users to bypass the Varnish Cache in order to receive up to date information. Not something that is cached up to half an hour. The vbj_ cookies are for JIRA as far as I am aware.

    I am more interested in the contents of the cookies on your site, except for the password hash, specifically the expiration date.



  • stcorp
    replied
    Originally posted by Wayne Luke:
    "And when you're logged in, what are the cookies written to your computer by the site?

    Ultimately, the end user's computer controls cookies. We can only give them data to write if they want to do so."

    Just to be clear -- this is happening to hundreds of our end users, all over the world, using various browsers/operating systems. I experience the same behavior myself in Chrome on Windows, Chromium on Linux, Chrome on Android, Safari on iOS, Safari on Mac OSX, Firefox on Linux, and IE on Windows.

    Cookies (since the renaming of the prefix from bb to st) appear to be

    stlastactivity
    stlastvisit
    stpassword
    stsessionhash
    stshowcketoolbar
    stuserid


    I note that vbulletin.com/forum appears to have a different set of cookies (are you running a different forum version here than 5.1.0?). The cookies showing for vbulletin.com/forum seem to include something extra called

    "imloggedin" which is set to "yes"

    and, the following:

    vbj_password
    vbj_sessionhash
    vbj_timestamp
    vbj_userid

    vblm_lastactivity
    vblm_lastvisit
    vblm_password
    vblm_sessionhash
    vblm_userid

    The "vblm_" cookies you are using seem to correspond to the "st" cookies we are using. But, you also have the extra "vbj_*" cookies set, and you have the "imloggedin" cookie set.

    To eliminate some sort of possibility that the MySQL uptime has anything to do with it, MySQL has been up and running for about 12 days on our server.

    Assuming my browser (and all of our users' browsers) are maintaining the "st*" cookies listed above, in what other situations does vBulletin decide to make a user log in again? What could cause it to think the session had expired?



  • Wayne Luke
    replied
    And when you're logged in, what are the cookies written to your computer by the site?

    Ultimately, the end user's computer controls cookies. We can only give them data to write if they want to do so.



  • stcorp
    replied
    Thanks for the tips. I don't see anything wrong with our config, but I'll try updating our cookie prefix.

    Currently our entire site is under www.ourdomain.com/forums/ and all of vBulletin is relative to that. We use only www, not non-www.

    In AdminCP -- Settings -- Options -- Cookies and HTTP Header Options we have:
    Path to Save Cookies: "/" (no custom setting enabled)
    Cookie Domain: "(blank)" (no custom setting enabled)
    Session Timeout: "7200"

    In forums/config.php, we have
    $config['cookie_prefix'] = 'bb';

    In forums/core/includes/config.php, we have
    $config['Misc']['cookieprefix'] = 'bb';

    We'll be changing the 'bb' above to something else short just to see if that solves the problem. But...given what you said...nothing about our configuration should cause the problem I described, right? We have a very vanilla install with only minor phrase/template modifications.




  • Wayne Luke
    replied
    Remember Me should last 30 days with clean cookies. If you're making changes to the cookie, have an invalid cookie path or domain, use www and non-www, your results will vary.

    Set your cookie path and cookie domain to their defaults: Cookie Path - / ; Cookie Domain should be blank.

    Use .htaccess to redirect to either www or non-www. Set your site URLs to match under Settings -> Options -> Site Name / URL / Contact Details.

    Clear/Reset everyone's cookies by updating your Cookie Prefix in your /config.php and /core/includes/config.php. They must match exactly and should be short.

    See if that resolves the problem.



  • Question about 'Remember me', cookies, and having to log in over and over

    We have the "Session Timeout" field in AdminCP -- Settings -- Options -- Cookies and HTTP Header Options set to "7200", which is 2 hours. We have assumed this applies to people who have NOT checked the 'Remember Me' box when logging in.

    However, our users are reporting that despite checking "remember me", they often have to log back in multiple times in a day.

    I experience this myself with Chrome on Linux, Chrome on Windows, and Chrome on an Android phone. Whether logging in as the primary administrator or as myself, even after checking "Remember Me", the site forgets that I am logged in (or for some reason my browser deletes my login cookie, assuming that is how it works).

    Is the "Session Timeout" field for users who have not checked "Remember Me"?

    Assuming so, how is Remember Me implemented -- what should we be seeing in terms of browser cookies, and what can we look for to figure out why the site (or browsers) isn't maintaining whatever information needs to be maintained to make sure that users stay logged in with "Remember Me"?

    How long is "Remember Me" supposed to last?
