nirovi
21 Sep 2017

Steps to reproduce the issue

I did a test with Joomla 3.8.0,
I set the session duration in configuration to 2 minutes,
I created a "manager" user and logged in with this user in frontend,
after 4 minutes, the super user was no longer logged into administration, while the manager user was still logged in to the frontend.
It seems then that the frontend does not expire the session.

Expected result

Session Frontend ends after 2 minutes

Actual result

Frontend Session does not expire

System information (as much as possible)

Joomla 3.8.0

Additional comments

I have also tested this with Joomla 3.6.5 and Joomla 3.7.5

nirovi - open - 21 Sep 2017
joomla-cms-bot - labeled - 21 Sep 2017
AlexRed - comment - 21 Sep 2017

I can confirm the problem in Joomla 3.8.0 and Joomla 3.7.5


This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/18040.

franz-wohlkoenig - change - 21 Sep 2017
Category Front End Authentication Front End
franz-wohlkoenig - change - 21 Sep 2017
Priority: Urgent → Medium
Status: New → Confirmed
franz-wohlkoenig - comment - 21 Sep 2017

Status on Issue Tracker set on "Confirmed".

Thanks for confirming @AlexRed


wilsonge - comment - 21 Sep 2017

I can't reproduce. I upgraded from 3.6.5 to 3.8.0, changed my session from 15 to 2 minutes, signed out and back in again, then waited about 30 because I got distracted. But when I came back to the admin panel and went to a different page, I was signed out.

mbabker - comment - 21 Sep 2017

If you are on a frontend page that triggers the keepalive behavior (this can be seen in the page's source, look for keepalive.js being loaded), then it is expected that the session won't expire. Joomla core commonly loads this on pages with form actions to avoid the possibility of the "invalid token" error message (if the session expires before you've submitted the form the token wouldn't be valid because the value is stored to the session for comparison).

nirovi - comment - 21 Sep 2017

In my Frontend I don't have any Form actions.


mbabker - comment - 21 Sep 2017

Cannot confirm.

Logged into https://downloads.joomla.org/ backend, set session time to two minutes. Logged into the frontend, navigated to https://downloads.joomla.org/latest and verified that the keepalive behavior was not loaded. Went and read some other stuff, came back about three minutes later and navigated to another page. Checked the footer (we have some conditional code in our template that changes the "Log in" text to "Log out" when authenticated), I had been correctly logged out.
Navigating to the login page gave me the login form, not the log out button.

AlexRed - comment - 21 Sep 2017

nirovi, remember that the "login form" module is also a form. Also, if you are logged in, the login form is there.
If you use the login module in the frontend, the user's session won't expire.

brianteeman - comment - 27 Sep 2017

Unable to reproduce

franz-wohlkoenig - change - 28 Sep 2017
Status: Confirmed → Information Required
franz-wohlkoenig - comment - 30 Sep 2017

@nirovi any Updates on this Issue?


nirovi - comment - 2 Oct 2017

Hi, for me the problem is still there. The front end session does not expire. This is for me a security problem in case the logged-in user is a publisher. I have a log out button on every page. But I did not find the keepalive function. How can I solve this behaviour?

The login module I'm using is : BT Login Module Version 2.6.1 BT

Thanks.


alikon - comment - 2 Oct 2017

Unpublish that "BT Login Module Version 2.6.1 BT" module, maybe it is not compatible with 3.8,
and use the core login module in the meantime.

AlexRed - comment - 2 Oct 2017

Also with the core login module the user's session won't expire, as explained by mbabker. All forms load the keepalive.js

brianteeman - comment - 2 Oct 2017

Actually the BT Login Module does not support keepalive functionality - it does not have the line JHtml::_('behavior.keepalive'); i.e. it does not force the session not to expire

Also I use this module on a few sites. I can not confirm that this module is forcing the session not to expire.

So in conclusion your issue is not with the BT Login Module

nirovi - comment - 2 Oct 2017

Perfect. If it is not this module, how can I find the keepalive module in my website?


brianteeman - comment - 5 Oct 2017

You would need to read the code, or try disabling all the modules one at a time. Either way it is not an issue with the core, which is working correctly. I am closing this here. If you need further support please use the forum https://forum.joomla.org

brianteeman - change - 5 Oct 2017
Status: Information Required → Closed
Closed_Date: 0000-00-00 00:00:00 → 2017-10-05 13:00:41
Closed_By: brianteeman
brianteeman - close - 5 Oct 2017
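
The "read the code" check suggested in the thread, as an added example that is not part of the original discussion and not Joomla project code: a shell function that lists the frontend extensions whose PHP files reference `behavior.keepalive` or `keepalive.js`. The scanned directory layout (modules, components, plugins, templates under the site root) and the sample extension names are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not Joomla project code): list frontend extensions whose PHP
# files request the keepalive behaviour that stops the session from expiring.

# Print one line per extension directory under Joomla root $1 that references
# the keepalive behaviour or script. Matches inside PHP comments are also
# reported, so confirm each hit by reading the file.
find_keepalive() {
    local root="$1"
    (
        cd "$root" || exit 1
        grep -rlE --include='*.php' 'behavior\.keepalive|keepalive\.js' \
            modules components plugins templates 2>/dev/null
    ) | awk -F/ '{
            # plugins/<group>/<name>/...; the others are <type>/<name>/...
            if ($1 == "plugins") print $1 "/" $2 "/" $3
            else                 print $1 "/" $2
        }' | sort -u
}

# Build a constructed sample tree (hypothetical extension names) in directory $1.
make_sample_tree() {
    local root="$1"
    mkdir -p "$root/modules/mod_login/tmpl" "$root/modules/mod_example/tmpl" \
             "$root/plugins/system/example" "$root/templates/mytemplate/html"
    echo "<?php JHtml::_('behavior.keepalive'); ?>" > "$root/modules/mod_login/tmpl/default.php"
    echo "<?php echo 'hello'; ?>"                   > "$root/modules/mod_example/tmpl/default.php"
    echo "<?php \$doc->addScript('media/system/js/keepalive.js'); ?>" > "$root/plugins/system/example/example.php"
    echo "<?php JHtml::_('behavior.formvalidator'); ?>" > "$root/templates/mytemplate/html/index.php"
}

if [ -n "${1:-}" ]; then
    find_keepalive "$1"            # scan a real site root
else
    sample="$(mktemp -d)"          # no argument: run on the constructed tree
    make_sample_tree "$sample"
    find_keepalive "$sample"
    rm -rf "$sample"
fi
```

Each reported extension only keeps a session alive while a page that renders it is open in the browser, so compare the output with the modules published on the pages where users stay logged in.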
