Strange session related behaviour

2 months 1 week ago #324181 by liaskas
Strange session related behaviour was created by liaskas
Hello

We are dealing with a strange situation on a new website that we are setting up. We have enabled both logins through community builder and Facebook (cb connect).

Case 1
When user logs in with his username and password (cb login module) his session respects the joomla configuration Session Lifetime.

Case 2
When user logs in with his facebook account (cb connect), the session never ends. Never means never! right now i have testes a user that was logged in 3 days ago, on a browser that i do not use and he is still logged in.

I suppose that this is not a matter of keepalive scripts that i have seen many people trying to solve, because if it was related to this, then the session would not end either for normal cb login.

Can you please advise?

Thank you in advance.

Please Log in to join the conversation.

2 months 1 week ago - 2 months 1 week ago #324190 by krileon
Replied by krileon on topic Strange session related behaviour
Your issue isn't caused by CB, but by how Joomla handles database session clean up. Joomla used to purge expired database sessions on every page load, but that was changed in 3.8.4 explained in more detail below. Basically they changed Database session garbage collection to be based off PHP session garbage collection and specifically depends on session.gc_probability being set. If it's set to 0 it means PHP session garbage collection will never happen and thus sessions never expire.

github.com/joomla/joomla-cms/pull/19548

A plugin was added at some point to help with this though. Within Extensions > Plugins be sure "System - Session Data Purge" exists, is published, and public access. If it isn't then database session data will never clear unless PHP session garbage collection is configured. In addition to this it has a probability setting. By default there's only a 1% chance a page load triggers a session clean up. You can adjust this within the plugin using "Probability" and "Divisor" parameters.

Alternatively the recommended approach is to switch to PHP based session handling within Joomla global configuration change "Session Handler" from Database to PHP and just let PHP handle sessions.

More than likely everything is already setup correctly and it's just the 1% probability not clearing the session. I don't think you have anything to worry about. If you need strict session clean up behavior you'll want to setup a CRON task to call Joomlas CI URL for session clean up (sorry, I don't know what it is).


Kyle (Krileon)
Community Builder Team Member
Before posting on forums: Read FAQ thoroughly + Read our Documentation + Search the forums
CB links: Documentation - Localization - CB Quickstart - CB Paid Subscriptions - Add-Ons - Forge
--
If you are a Professional, Developer, or CB Paid Subscriptions subscriber and have a support issue please always post in your respective support forums for best results!
--
If I've missed your support post with a delay of 3 days or greater and are a Professional, Developer, or CBSubs subscriber please send me a private message with your thread and will reply when possible!
--
Please note I am available Monday - Friday from 8:00 AM CST to 4:00 PM CST. I am away on weekends (Saturday and Sunday) and if I've missed your post on or before a weekend after business hours please wait for the next following business day (Monday) and will get to your issue as soon as possible, thank you.
--
My role here is to provide guidance and assistance. I cannot provide custom code for each custom requirement. Please do not inquire me about custom development.

Please Log in to join the conversation.

2 months 1 week ago - 2 months 1 week ago #324202 by liaskas
Replied by liaskas on topic Strange session related behaviour
Thank you for your reply Krileon.

Maybe i was not so clear on the issue explanation.

The problem exists when users login with their facebook account (cb connect plugin). Their session does not end.

If the user enters his user name and pass to login then the session works pretty fine.

Cb connect facebook login has this problem.

Please Log in to join the conversation.

2 months 1 week ago #324213 by krileon
Replied by krileon on topic Strange session related behaviour
CB Connect cannot have any impact on sessions. CB does not manage sessions. The users session is still there because they left the site while logged in, the session expired, and is now waiting to be cleaned up by garbage collection behavior.

This applies to all login sessions as that's the behavior of Joomlas session clean up processes now. There's a 1% chance per page load that expired sessions will be cleared. I've confirmed this using regular login and CB Connect login sessions. You are only noticing it now because Joomla only recently changed this behavior in 3.8.4 and all releases before that the session garbage collection would be applied to every page load.

If you want sessions to always purge on every page load then edit "System - Session Data Purge" in Extensions > Plugins and set "Probability" and "Divisor" both to 100. I don't recommend doing this though. Again, the session is expired it just is not cleared from the database (which is 100% handled by Joomla). If you're using PHP sessions then be sure your PHP session garbage collection is even turned on via session.gc_probability and session.gc_divisor INI settings.


Kyle (Krileon)
Community Builder Team Member
Before posting on forums: Read FAQ thoroughly + Read our Documentation + Search the forums
CB links: Documentation - Localization - CB Quickstart - CB Paid Subscriptions - Add-Ons - Forge
--
If you are a Professional, Developer, or CB Paid Subscriptions subscriber and have a support issue please always post in your respective support forums for best results!
--
If I've missed your support post with a delay of 3 days or greater and are a Professional, Developer, or CBSubs subscriber please send me a private message with your thread and will reply when possible!
--
Please note I am available Monday - Friday from 8:00 AM CST to 4:00 PM CST. I am away on weekends (Saturday and Sunday) and if I've missed your post on or before a weekend after business hours please wait for the next following business day (Monday) and will get to your issue as soon as possible, thank you.
--
My role here is to provide guidance and assistance. I cannot provide custom code for each custom requirement. Please do not inquire me about custom development.

Please Log in to join the conversation.

2 months 1 week ago #324220 by liaskas
Replied by liaskas on topic Strange session related behaviour
Thank you again for your reply Krileon.

Tested login with username and pass. Everyrhing works great. After the session expiration time i have set in joomla configuration the site asked me to login again.

Tested on administrator area, the admin is logged out and he is asked to relogin.

Tested facebook login (cb connect). The session never ends for the user. After 30 minutes he can still post, edit do anything he wants. Session is not expired. It is not a matter of garbage. The user did not close the page and left. I was just sitting there for 30 minutes waiting to see if the session will expire.

Using PHP sessions

local php ini:
session.gc_probability=1
session.gc_divisor = 100

System - Session Data Purge enabled 1/100
Enable Session Data Cleanup: YES
Enable Session Metadata Cleanup: YES

Is there a chance that facebook does not allow the session to expire by setting browser cookies or something like that when logging in?

Unfortunately i do not have another site to test. This happens only to my site?

Please Log in to join the conversation.

2 months 1 week ago #324242 by krileon
Replied by krileon on topic Strange session related behaviour

Tested facebook login (cb connect). The session never ends for the user. After 30 minutes he can still post, edit do anything he wants. Session is not expired. It is not a matter of garbage. The user did not close the page and left. I was just sitting there for 30 minutes waiting to see if the session will expire.

Your test will never work like that. They won't expire due to keepalive (believe default is it refreshes every 5 minutes). It's just sitting there refreshing its timestamp. If the cookie for the session still exists and the session still exists in the database or in PHP they'll still be logged in as well. This means you need to completely close the browser, let the session expire, then open your browser. Assuming garbage collection triggered that session won't exist anymore and they won't be logged in.

session.gc_probability=1
session.gc_divisor = 100

System - Session Data Purge enabled 1/100

This means there is a 1% chance session garbage collection will trigger on a page load.

Is there a chance that facebook does not allow the session to expire by setting browser cookies or something like that when logging in?

No, again CB has no control over sessions.


This isn't really an issue that needs solving or even an issue. Simply leave the sessions alone and let Joomla handle them in time.


Kyle (Krileon)
Community Builder Team Member
Before posting on forums: Read FAQ thoroughly + Read our Documentation + Search the forums
CB links: Documentation - Localization - CB Quickstart - CB Paid Subscriptions - Add-Ons - Forge
--
If you are a Professional, Developer, or CB Paid Subscriptions subscriber and have a support issue please always post in your respective support forums for best results!
--
If I've missed your support post with a delay of 3 days or greater and are a Professional, Developer, or CBSubs subscriber please send me a private message with your thread and will reply when possible!
--
Please note I am available Monday - Friday from 8:00 AM CST to 4:00 PM CST. I am away on weekends (Saturday and Sunday) and if I've missed your post on or before a weekend after business hours please wait for the next following business day (Monday) and will get to your issue as soon as possible, thank you.
--
My role here is to provide guidance and assistance. I cannot provide custom code for each custom requirement. Please do not inquire me about custom development.

Please Log in to join the conversation.

Moderators: beatnantkrileon
Time to create page: 0.425 seconds

Facebook Twitter LinkedIn