born05 / craft-twofactorauthentication

Craft plugin for two-factor or two-step login using Time Based OTP.
MIT License
36 stars, 26 forks

Unforgiving Timeout #63

Closed jacksutherland closed 2 years ago

jacksutherland commented 2 years ago

The plugin is logging active users out roughly every 10 minutes, without warning or saving progress. I would think if the user was active it wouldn't timeout. However, currently the plugin will kill the session while the user is editing an entry. There's no way of knowing this until the page refreshes, so our editors are continuing to make edits, but since the session is dead autosave is no longer saving their progress. So whenever they try to save manually, they get redirected to login with any work they've done since the session ended lost.

Ideally the session would not get interrupted if the user is active... Or at least auto-saving changes before killing it would be helpful.

roelvanhintum commented 2 years ago

Hi @jacksutherland, which version of Craft, this plugin and maybe other plugins are you using? Current versions of this plugin set values on the current session, which means Craft itself should be in charge of session duration.

jacksutherland commented 2 years ago

Hi @roelvanhintum, we keep the site updated to the latest. It's currently at 3.7.47.1, but was doing this before this update as well. There are quite a few other plugins installed: Admin Bar, Control Panel CSS, FreeForm, Knock Knock, Mix, Redactor, Retour, SEOMatic, Servd Assets and Helpers, Sherlock, Super Table, and Typed Link Field.

Disabling the 2FA plugin corrects the problem and session is maintained as usual, even with the rest of these enabled.

roelvanhintum commented 2 years ago

Is the 2FA plugin at version 2.10.0? Do you have any session-related settings in your general.php? You could check what the $sessionDuration on controllers/VerifyController.php:L43 returns.

jacksutherland commented 2 years ago

No. It's pretty minimal. We use Servd, which handles some configuration across environments. Could that be a factor?

Also, if it were just a shortened session duration, it wouldn't be too bad. The bigger problem is that it's ending abruptly while they're making changes, without any notification to the user. So they're continuing to make edits, and it's all lost as soon as they click save... Then the CP redirects to the login.

jacksutherland commented 2 years ago

@roelvanhintum we upgraded to Craft 4 and it still happens. I set userSessionDuration = 0, which should make it not time out at all, but it still does after about 10 minutes. And only when 2FA is installed and enabled. I also found this log entry when it last occurred...

[06/Aug/2022:00:26:47 +0000] "GET /index.php/control/actions/users/session-info?dontExtendSession=1 HTTP/1.1" 200 464 0.078 "https://www.mywebsite.com/control/entries/solutions?sort=structure-asc" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36" upstream

Any ideas?

roelvanhintum commented 2 years ago

Those are both craft's own calls, which looks normal. I'm guessing you're using 2FA 3.0.1?

I think we need to debug this. Can you check what $sessionDuration returns in your case? https://github.com/born05/craft-twofactorauthentication/blob/3.0.1/src/controllers/VerifyController.php#L42

And just to be sure, can you dump $event->cookieBased and $event->duration? https://github.com/born05/craft-twofactorauthentication/blob/3.0.1/src/Plugin.php#L66
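The two values asked for above (the session duration the plugin computes, and the `cookieBased`/`duration` fields on the login event) can be captured without editing the plugin. The snippet below is an added debugging example written for this thread; it is not code from the born05 plugin, from Craft, or from Servd. It assumes a custom site module registered in config/app.php (the class name `modules\Module` and the log category are assumptions), and relies only on Yii 2 / Craft APIs: `yii\web\User::EVENT_AFTER_LOGIN`, the `cookieBased`, `duration` and `identity` properties of `yii\web\UserEvent`, and the `userSessionDuration` / `rememberedUserSessionDuration` general config settings.

```php
<?php
// Added debugging example, not code from the 2FA plugin or from Craft.
// Assumption: this class is bootstrapped as a site module via config/app.php.
// It logs the general.php session settings on every web request and the
// login-event fields (cookieBased / duration) whenever a login completes,
// so the numbers can be compared with what VerifyController computes.

namespace modules;

use Craft;
use craft\web\User;
use yii\base\Event;
use yii\web\UserEvent;

class Module extends \yii\base\Module
{
    public function init(): void
    {
        parent::init();

        // Console requests have no browser session to inspect.
        if (!Craft::$app->getRequest()->getIsConsoleRequest()) {
            $this->logSessionParams();
        }
    }

    private function logSessionParams(): void
    {
        $general = Craft::$app->getConfig()->getGeneral();

        // These are the general.php settings Craft uses to pick the session
        // lifetime; 0 for userSessionDuration means "no fixed expiry".
        Craft::info(sprintf(
            'general.php: userSessionDuration=%s rememberedUserSessionDuration=%s',
            var_export($general->userSessionDuration, true),
            var_export($general->rememberedUserSessionDuration, true)
        ), 'session-debug'); // log category is an assumption

        // Same event the plugin's Plugin.php listens to; log what it sees.
        Event::on(User::class, User::EVENT_AFTER_LOGIN, function (UserEvent $event) {
            Craft::info(sprintf(
                'after-login: userId=%s cookieBased=%s duration=%d',
                $event->identity->id ?? 'n/a',
                $event->cookieBased ? 'true' : 'false',
                (int) $event->duration
            ), 'session-debug');
        });
    }
}
```

After logging in once, grep storage/logs for `session-debug`: a `duration` of roughly 600 seconds would point at a short session lifetime being requested at login, whereas a large or zero `duration` with sessions still dropping after ten minutes would point at the session backend (which is where the thread ends up).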

jacksutherland commented 2 years ago

We were finally able to resolve this with the help of the team at Servd. They ultimately wound up creating a new PHP session handler. They wrote a blog article about it if you're interested... https://servd.host/blog/craft-yii-and-redis-session-absentee

As it turns out, the 2FA plugin was NOT the cause of the problem. But it was contributing to data loss when the timeout occurred. When Craft times out it gives you a modal window to re-enter your password, so you can seamlessly resume whatever you were doing after re-authenticating. However, since the plugin requires 2FA as well, it redirects you to the 2FA screen, losing any unsaved data you had open. If possible, it may help to present the user with a 2FA modal after they re-enter their password, to avoid the redirect?

Just a thought. Thanks for your help!

roelvanhintum commented 2 years ago

Thanks for all the info!! I'm happy Servd was able to find what was going on. Regarding the login popup: previously it wasn't possible to hook into the login popup flow (AuthManager.js). I don't think this has changed yet, but I'm still hoping this will become an option. See: #11