[#9016] - REGRESION - session time out
- Closed
- 27 Mar 2016
- Medium
- Build: master
- # 9016
In 3.4.6 and below when a session timed out and you were forced to log back in to joomla you were returned to the page you were on when the session timed out. This is no longer possible.
I forget now which release this feature was added but it was very popular when it was added
| Category | ⇒ | Authentication |
@brianteeman
I tested here after deleting ALL older session cookies and it works fine.
Deleting these cookies also solved the double login issue I had here:
#9011 (comment)
Can you try that?
In fact I still get the double logging at random.
| Labels |
Added:
?
|
||
The problem is not in the redirect itself. And i can confirm it happens also in latest staging.
When the session expires for timeout you're redirect to the admin login page but maintaining the same URI (ex: administrator/index.php?option=com_content), and this is correct.
The problem is when you make the first login attempt, it will not work and with that you're redirect to admin login page URI (/administrator/index.php), after your second login attempt you will be redirected to the control panel, and this is correct because you were in (/administrator/index.php) page before.
Tests done
Scenario 1: Login after session expire.
To see what i mean do the following test:
- Go to global config and change session time to 1 (to test faster).
- Go to Content -> Articles backend page (/administrator/index.php?option=com_content URI) and wait for some time (2 minutes for instance) to let the session expire.
- Refresh the page, you go to the admin panel, but note you're still in /administrator/index.php?option=com_content URI.
- Try to login with your credentials, you can't, it gives "Warning | Your session has expired. Please log in again.". Note the URI has change to just /administrator/index.php
- Try to login with your credentials, you can, but you're not redirected to the page you were
Scenario 2: Fresh login
Now try this:
1. Log out from the backend using the logout button.
2. Change the URI to /administrator/index.php?option=com_content, you will still get the admin login page
3. Login normally and you'll be redirected to the articles list view page.
And try this to simulate a login error in the same scenario:
1. Repeat steps 1 and 2 of the previous instructions.
2. Login with bad credentials and you'll still maintain the same URI.
3. Login with good credentials and you'll be redirected to the page you expect.
Conclusion
So, there seems to be only one problem at play here, the one in scenario 1.
When the session expires, Joomla admin login does not recognizes the first login and redirects to /administrator/index.php in that failure. I have no idea why, maybe some session expert can check this.
Related issues
Related issue #9309
UPDATED with new findings.
Related issue #8851
This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/9016.
i think is the same issue as detailed explained in my comment above
| Status | New | ⇒ | Closed |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2016-03-27 11:43:05 |
| Closed_By | ⇒ | wilsonge |
Having the option of being able to select if a user who's session has timed out is redirected to the normal entry point vs able to resume at the last location would be good.
In my scenario it would ensure users always enter at the entry point rather than a page they have bookmarked on the inside.