
Session Issues, Staying Logged In


  • Session Issues, Staying Logged In

    We just went live with the most recent version of VB, upgraded from 3.8.2.

    A lot of complaints from users that they have to log in every time they return to the site.

    They log in fine, no issues, but when they return the next day (or even a few hours later) they have to log in again, even with "remember me" checked off.

    Some users did have issues logging in the first time, even with the correct password.

    Could there be cookie conflicts from their old 3.8.2 cookies?

    Any possible conflict with memcache and having several instances of the site?

  • #2
    vBulletin 5.6.4 does use the same cookie names. Make sure that the cookie prefix in the /config.php and the /core/includes/config.php file are exact matches. Changing these to a new prefix will invalidate all old cookies.

    Memcache has nothing to do with logging in via Cookies.

    You shouldn't have several instances of a site. If you have secondary domains or URLs, they should all redirect to the main domain name before the user is presented with the website.

    Also note that a lot of "Privacy" extensions and anti-virus tools will delete cookies when the browser is closed. Many browsers also offer this as a setting.

    Wayne Luke
    The Rabid Badger - a vBulletin Cloud demonstration site.
    vBulletin 5 API



    • #3
      Originally posted by Wayne Luke
      vBulletin 5.6.4 does use the same cookie names. Make sure that the cookie prefix in the /config.php and the /core/includes/config.php file are exact matches. Changing these to a new prefix will invalidate all old cookies.

      Memcache has nothing to do with logging in via Cookies.

      You shouldn't have several instances of a site. If you have secondary domains or URLs, they should all redirect to the main domain name before the user is presented with the website.

      Also note that a lot of "Privacy" extensions and anti-virus tools will delete cookies when the browser is closed. Many browsers also offer this as a setting.
      The majority of users have no issues logging in, but don't stay logged in for extended periods. Even I had to log in again when I woke up in the morning, although I clicked remember me the night before. I never close the browser.



      • #4
        Did you have a cookie prefix and domain defined in vBulletin 3?

        Due to security best practices implemented over the last 15 years since vBulletin 3's release, these values really don't do anything and can cause problems with cookies. Even with vBulletin 3 and 4, these values were often not needed and often abused. They should be the default values. In order to change these in vBulletin 5.6.4, you need to put the site in Debug Mode. Then they can be found under Settings -> Options -> Version Info and Other Untouchables.

        Wayne Luke
        The Rabid Badger - a vBulletin Cloud demonstration site.
        vBulletin 5 API



        • #5
          Originally posted by Wayne Luke
          Did you have a cookie prefix and domain defined in vBulletin 3?

          Due to security best practices implemented over the last 15 years since vBulletin 3's release, these values really don't do anything and can cause problems with cookies. Even with vBulletin 3 and 4, these values were often not needed and often abused. They should be the default values. In order to change these in vBulletin 5.6.4, you need to put the site in Debug Mode. Then they can be found under Settings -> Options -> Version Info and Other Untouchables.
          I would have to check what the VB 3 settings were, but we never had login issues. I was almost never logged out.

          One cache issue I see, maybe memcache related or maybe not, is when I change settings in admincp, I come back and the setting I just changed is still the same. I do it 2 or 3 times before I actually see the setting change listed in admincp. It may very well have changed the first time around and I'm seeing a cache.



          • #6
            Could be memcache or something like Cloudflare. I recommend not caching the AdminCP with cPanel. If you're not using the default .htaccess file or don't have modules like mod_expires installed, then you may be missing some caching commands that can help prevent this.

            Wayne Luke
            The Rabid Badger - a vBulletin Cloud demonstration site.
            vBulletin 5 API



            • #7
              Originally posted by Wayne Luke
              Could be memcache or something like Cloudflare. I recommend not caching the AdminCP with cPanel. If you're not using the default .htaccess file or don't have modules like mod_expires installed, then you may be missing some caching commands that can help prevent this.
              We've tracked down the issue. For some reason remember me is not working as intended. We're using the API for login, but clicking remember me is not extending the timeout beyond the session time listed in admincp.



              • #8
                I suggest switching to use the login2 API call - vBulletin 5.6.5 API (vb5support.com). You can see the code for this in /core/vb/api. If you have downloaded the PHAR version of vBulletin, you can download an uncompressed version under More Download Options on the download page. Select "Customize my download" to see the PHAR options.

                Remember me works by looking for cookies on the end-user's device. The API does not write these cookies. It cannot. It returns the UserID and Password and expects the calling application to write the cookies. Remember Me is inferred from the {prefix}password cookie, where {prefix} is the cookie prefix stated in your config.php files. There is nothing to actually extend the session timeout; that is used differently. I don't know if it matters, but our native vBulletin 5 clients use HTTPONLY cookies for this information so it is not accessible via JavaScript. This is considered more secure.

                Wayne Luke
                The Rabid Badger - a vBulletin Cloud demonstration site.
                vBulletin 5 API



                • #9
                  Originally posted by Wayne Luke
                  I suggest switching to use the login2 API call - vBulletin 5.6.5 API (vb5support.com). You can see the code for this in /core/vb/api. If you have downloaded the PHAR version of vBulletin, you can download an uncompressed version under More Download Options on the download page. Select "Customize my download" to see the PHAR options.

                  Remember me works by looking for cookies on the end-user's device. The API does not write these cookies. It cannot. It returns the UserID and Password and expects the calling application to write the cookies. Remember Me is inferred from the {prefix}password cookie, where {prefix} is the cookie prefix stated in your config.php files. There is nothing to actually extend the session timeout; that is used differently. I don't know if it matters, but our native vBulletin 5 clients use HTTPONLY cookies for this information so it is not accessible via JavaScript. This is considered more secure.
                  That's what we're doing.

                  What's your advice for lag? We have quite a few users complaining about the current board being slower, in some instances much slower, than 3.8.2. On a test board, with all data migrated, it was very quick. But when we went live, it really slowed down in some areas.

                  Over 20 million posts, over 800,000 topics. Over 200K users, around 2-4K viewers inside the forum at any given time between registered users and guests (the bulk of them being guests).

                  More server resources to speed up performance or some tricks to try on the VB backend?



                  • #10
                    Originally posted by Wayne Luke
                    I suggest switching to use the login2 API call - vBulletin 5.6.5 API (vb5support.com). You can see the code for this in /core/vb/api. If you have downloaded the PHAR version of vBulletin, you can download an uncompressed version under More Download Options on the download page. Select "Customize my download" to see the PHAR options.

                    Remember me works by looking for cookies on the end-user's device. The API does not write these cookies. It cannot. It returns the UserID and Password and expects the calling application to write the cookies. Remember Me is inferred from the {prefix}password cookie, where {prefix} is the cookie prefix stated in your config.php files. There is nothing to actually extend the session timeout; that is used differently. I don't know if it matters, but our native vBulletin 5 clients use HTTPONLY cookies for this information so it is not accessible via JavaScript. This is considered more secure.
                    What I noticed with API login (you may have more insight) is that during testing, when I would log in on my end (dedicated IP) on several devices, it would log out another person (using the same account with a different IP). It's like I killed his sessions.



                    • #11
                      Originally posted by boxingscene

                      What I noticed with API login (you may have more insight) is that during testing, when I would log in on my end (dedicated IP) on several devices, it would log out another person (using the same account with a different IP). It's like I killed his sessions.
                      Adding to that, the individual being logged out is right back in, by clicking on something in forum or reloading page. I assume one IP login creates a momentary zap to the other person's session, until they do something else in the forum (likely reads the cookie I assume?).



                      • #12
                        The IP Address shouldn't overwrite someone's session. Are you writing the sessionid to the user's cookies?

                        Adding to that, the individual being logged out is right back in, by clicking on something in forum or reloading page. I assume one IP login creates a momentary zap to the other person's session, until they do something else in the forum (likely reads the cookie I assume?).
                        This is exactly how "Remember Me" works. vBulletin creates a sessionid for each user in the session table. This record is valid for the amount of time specified in the wait_timeout variable. This defaults to 15 minutes and can be changed in the settings. This is extended with every page load since cookies are rewritten. When the session expires, the system logs that user out. When someone with remember me visits, vBulletin sees they have a userid and password cookie and logs them back in. This will create a new sessionid, if necessary, that lasts 15 minutes. Rinse and Repeat.

                        Your API calls would have to refresh the sessionid cookies on every page load.

                        Wayne Luke
                        The Rabid Badger - a vBulletin Cloud demonstration site.
                        vBulletin 5 API
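
An added example (not part of the thread and not vBulletin code): a check over the Set-Cookie headers that a login integration emits, covering the points made in posts #2, #8 and #12 (matching prefix, a persistent {prefix}password cookie for remember me, HttpOnly). The `{prefix}userid` and `{prefix}sessionid` cookie names, the `bb_` prefix and the sample headers are assumptions constructed for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

SUFFIXES = ("sessionid", "userid", "password")  # userid/sessionid names are assumed

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, attrs) with lower-cased attribute keys."""
    first, *rest = [part.strip() for part in header.split(";")]
    attrs = {}
    for part in filter(None, rest):
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return first.partition("=")[0].strip(), attrs

def is_persistent(attrs, now):
    """True if the cookie outlives the browser session (Max-Age wins over Expires)."""
    try:
        if "max-age" in attrs:
            return int(attrs["max-age"]) > 0
        if "expires" in attrs:
            return parsedate_to_datetime(attrs["expires"]) > now
    except (TypeError, ValueError):
        pass  # unparseable lifetime: treat the cookie as session-only
    return False

def audit_login_cookies(headers, prefix, remember_me, now=None):
    """Return a list of findings for the cookies a login integration wrote."""
    now = now or datetime.now(timezone.utc)
    seen = dict(parse_set_cookie(h) for h in headers)
    findings = [f"{name}: prefix differs from configured '{prefix}'"
                for name in seen
                if name.endswith(SUFFIXES) and not name.startswith(prefix)]
    for suffix in SUFFIXES:
        name, attrs = prefix + suffix, seen.get(prefix + suffix)
        if attrs is None:
            if suffix == "sessionid" or remember_me:
                findings.append(f"{name}: not set")
            continue
        if "httponly" not in attrs:
            findings.append(f"{name}: missing HttpOnly")
        if suffix != "sessionid" and remember_me and not is_persistent(attrs, now):
            findings.append(f"{name}: session-only, remember me will not persist")
    return findings

# Constructed sample: cookies written by a hypothetical integration after an API login.
SAMPLE = [
    "bb_sessionid=abc123; path=/; HttpOnly",
    "bb_userid=42; path=/; HttpOnly",
    "bb_password=placeholder-token; path=/; Max-Age=31536000",
]
```

Calling `audit_login_cookies(SAMPLE, "bb_", remember_me=True)` flags the session-only userid cookie and the password cookie that lacks HttpOnly.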



                        • #13
                          Just a side question. We had node cache turned off. When I turned it on, it started fast but then began to create some weird spikes across the forum when clicking around, a real slowdown and some items were not loading correctly - until it was turned off.

                          Any reason why it would do that? Anything that can create a conflict for node cache?



                          • #14
                            Sounds like you're using MyISAM tables if that slows down your site. All tables should be using INNODB except the language, phrase, and usertext tables.

                            Wayne Luke
                            The Rabid Badger - a vBulletin Cloud demonstration site.
                            vBulletin 5 API



                            • #15
                              Originally posted by Wayne Luke
                              Sounds like you're using MyISAM tables if that slows down your site. All tables should be using INNODB except the language, phrase, and usertext tables.
                              I confirmed that all of our tables are using INNODB. The other three need to be MyISAM, I gather.
