MyBB Community Forums

Full Version: [SOLVED] Session Logout for Members and Admins
Hello together,
I am a former IPB and Vanilla user, tried to get comfortable with phpBB and finally found myBB.

I just love most everything about myBB ... but one thing:

My member sessions constantly require me to log in again, accessing the ACP requires me to log in a second time and also constantly requires me to log in again.

Partly that may come from me accessing the forum from several mobile devices with changing IP addresses.

I just don't want that.
My devices are all as secure as can be and personal; if I ever used a different computer, I would make sure to log out.

I want to log in once, be able to constantly access the ACP without a second login, and never get logged out as member or admin, or at least not for one year.

The situation is nearly killing me.

To this goal, I tried to modify several parts of the forum's PHP files; I am Unix-experienced but not a PHP or web programmer at all.

Going to write what I did in the next posting.

I disabled the daily session cleanup:

FILE: ./inc/tasks/dailycleanup.php_ORIG
35c35
<      $db->delete_query("sessions", "time < '".(int)$time['sessionstime']."'");
---
>      //$db->delete_query("sessions", "time < '".(int)$time['sessionstime']."'");
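Review bot: commenting out the purge lets the `sessions` table grow without bound and does not change whether the login is accepted, since (as the reply further down in the thread notes) frontend authentication is tied to the loginkey cookie rather than to rows in `sessions`; restore the original `$db->delete_query(...)` line.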

I changed the expire variable in the "my_setcookie" function:

FILE: ./inc/functions.php_ORIG
2258,2269c2258,2264
<      if($expires == -1)
<      {
<              $expires = 0;
<      }
<      elseif($expires == "" || $expires == null)
<      {
<              $expires = TIME_NOW + (60*60*24*365); // Make the cookie expire in a years time
<      }
<      else
<      {
<              $expires = TIME_NOW + (int)$expires;
<      }
---
>      if ($expire == -1 || $expire == 0 || $expire == "" || $expire == null)
>              $expire = TIME_NOW + (60*60*24*365);
>
>      if ($expire > time())
>              $expire = TIME_NOW + (60*60*24*365);
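Review bot: the replacement lines assign to `$expire`, while the removed lines (and the function's existing variable) use `$expires`, so the new values never reach the variable the rest of `my_setcookie` reads and the cookie expiry ends up unset; rename back to `$expires`. Separately, `if ($expire > time())` is always true once the first block has run, and it also overwrites any shorter expiry a caller passes explicitly; and dropping the `-1` branch turns session-only cookies (expiry `0`) into one-year persistent cookies. If the goal is only a longer default, changing the `60*60*24*365` value in the original `elseif` branch and keeping the other branches is sufficient.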

I also changed the "mybbuser" cookie:

FILE: ./member.php_ORIG
397c397,398
<                      my_setcookie("mybbuser", $user_info['uid']."_".$user_info['loginkey'], null, true, "lax");
---
>                      my_setcookie("mybbuser", $user_info['uid']."_".$user_info['loginkey'], TIME_NOW+(60*60*24*365), true, "lax");
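Review bot: against the unmodified `my_setcookie` shown in the previous hunk, the expiry argument is relative (`$expires = TIME_NOW + (int)$expires;`) and `null` already maps to one year, so passing the absolute `TIME_NOW+(60*60*24*365)` here adds TIME_NOW twice and is unnecessary; leave the argument as `null`, or pass the relative `60*60*24*365` if a literal is preferred.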

And finally, I removed the whole "Login key has changed - force logout" section from admin/index.php so that the user will not get unset, or deleted after 2 hours or if there is some IP network change (which I have all over the day).

But still, I get login windows over and over again.

On my iPad, closing Safari also requires me to log in again (or is this an Apple problem???)

Also, even after login, I need to log in a second time to access the ACP ... I do not yet have an idea how to change this. One login is enough for me, at least when the sessions expire.

What am I missing here?
Please :-)

How to get rid of the automatic logout?
Am I the only one who hates constantly logging in again?!?
The relevant part should be the 7200 at https://github.com/mybb/mybb/blob/mybb_1...x.php#L426

Other modifications can be restored to original. The loginkey only changes when the user's password changes - different IP addresses shouldn't affect authentication (unless these constants are modified: https://github.com/mybb/mybb/blob/mybb_1...hp#L14-L16).
(2022-08-24, 08:53 AM)Devilshakerz Wrote: [ -> ]The relevant part should be the 7200 at https://github.com/mybb/mybb/blob/mybb_1...x.php#L426

Other modifications can be restored to original. The loginkey only changes when the user's password changes - different IP addresses shouldn't affect authentication (unless these constants are modified: https://github.com/mybb/mybb/blob/mybb_1...hp#L14-L16).

Ohhh, many many thanks!

Going to test this tonight 😅🤗

I was already so frustrated ...

(2022-08-24, 08:53 AM)Devilshakerz Wrote: [ -> ]The relevant part should be the 7200 at https://github.com/mybb/mybb/blob/mybb_1...x.php#L426

Other modifications can be restored to original. The loginkey only changes when the user's password changes - different IP addresses shouldn't affect authentication (unless these constants are modified: https://github.com/mybb/mybb/blob/mybb_1...hp#L14-L16).

Sadly, this line was part of what I completely deleted from this file.

I deleted the whole "if" and "else" parts from line 418 ("Login key has changed - force logout") until line 491.

I will still try your suggestion, get everything to original again and only remove the above "if" part (deleting the "else" keyword and brackets).

And ... should the loginkey not better be changed at (active) logout?
I mean, isn't this the point of logging out and making sure that the old key does not work anymore?
Just wondering.

I did what I wrote above but can of course not yet see the effect - will check tomorrow again after also closing the web browsers and several hours absence.

But then, I already noticed something while testing:

Logging into the ACP on my Mac will log me out on the iPad and vice versa!

And that's only two devices ... I am logged in normally on 2 iPads, a Mac and an iPhone.
And of course one session should not log out the other session!

Any idea how to fix this? :-O
This is a greatly confusing default configuration, to be honest.
I am using the device at hand and like with any other forum or website, I wanna stay logged in ...

Adding more details, the regular login can be used on multiple devices, but as soon as I log in (sadly a second time) for the ACP, I get completely logged out from all other devices where I logged into the ACP (which is all of them)!

This is ... horrible ... for lack of a better term.

I will try to find the code that is responsible for this.
Any help would be appreciated :-)

I thought it would be this setting:

// Set cookie path to our admin dir temporarily, i.e. so that it affects the ACP only
//$loc = get_current_location('', '', true);
//$mybb->settings['cookiepath'] = substr($loc, 0, strrpos($loc, "/{$config['admin_dir']}/"))."/{$config['admin_dir']}/";


But sadly, this did not change the behavior.
(2022-08-24, 05:06 PM)tja.mybb Wrote: [ -> ]And ... should the loginkey not better be changed at (active) logout?
I mean, isn't this the point of logging out and making sure that the old key does not work anymore?
Just wondering.

Generally, loginkey (used for authentication in the frontend) would continue to stay secret when the cookie is deleted, so currently it's left unchanged on the server even after logging out, but we plan to improve this in the future (https://github.com/mybb/mybb/issues/3662).

The ACP uses a separate mechanism for sessions, and primarily relies on a random value (adminsid) generated for each session instead.

Active ACP sessions may be particularly risky, so the (currently) hardcoded timeout period is relatively small, and administrators have to log into the ACP separately, regardless of the session status in the frontend.

If you intend to keep the ACP sessions active in the end, consider these precautions in particular:
https://docs.mybb.com/1.8/administration...-directory
https://docs.mybb.com/1.8/administration...e-browsing

Quote:But then, I already noticed something while testing:

Logging into the ACP on my Mac will log me out on the iPad and vice versa!

And that's only two devices ... I am logged in normally on 2 iPads, a Mac and an iPhone.
And of course one session should not log out the other session!

Any idea how to fix this? :-O
This is a greatly confusing default configuration, to be honest.
I am using the device at hand and like with any other forum or website, I wanna stay logged in ...

Adding more details, the regular login can be used on multiple devices, but as soon as I log in (sadly a second time) for the ACP, I get completely logged out from all other devices where I logged into the ACP (which is all of them)!

This is ... horrible ... for lack of a better term.

I will try to find the code that is responsible for this.
Any help would be appreciated :-)

Try commenting out this line: https://github.com/mybb/mybb/blob/mybb_1...x.php#L266
Finally, I found it :-)


root@alpha:~/forum# diff admin/index.php_ORIG admin/index.php
266c266
< $db->delete_query("adminsessions", "uid='{$mybb->user['uid']}'");
---
> // $db->delete_query("adminsessions", "uid='{$mybb->user['uid']}'");
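Review bot: commenting this line out removes the behaviour where a fresh ACP login discards the same uid's other `adminsessions` rows, so a forgotten or leaked admin session on another device stays valid until its own expiry; if concurrent ACP sessions are wanted, gate the `delete_query` behind an explicit setting (as the later post in this thread does) and keep the expiry check in place rather than removing it as well.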


This lets me log in to the ACP on multiple devices!

I also removed the block about the admin session expiry after 2 hours and did the same to the daily cleanup as posted above.

I am happy!

And then I added a new "Yes / No" setting for the forum to be able to configure this:

[attachment=45396]

Cannot make this screenshot larger :-(

(2022-08-24, 08:06 PM)Devilshakerz Wrote: [ -> ]
(2022-08-24, 05:06 PM)tja.mybb Wrote: [ -> ]And ... should the loginkey not better be changed at (active) logout?
I mean, isn't this the point of logging out and making sure that the old key does not work anymore?
Just wondering.

Generally, loginkey (used for authentication in the frontend) would continue to stay secret when the cookie is deleted, so currently it's left unchanged on the server even after logging out, but we plan to improve this in the future (https://github.com/mybb/mybb/issues/3662).

The ACP uses a separate mechanism for sessions, and primarily relies on a random value (adminsid) generated for each session instead.

Active ACP sessions may be particularly risky, so the (currently) hardcoded timeout period is relatively small, and administrators have to log into the ACP separately, regardless of the session status in the frontend.

If you intend to keep the ACP sessions active in the end, consider these precautions in particular:
https://docs.mybb.com/1.8/administration...-directory
https://docs.mybb.com/1.8/administration...e-browsing

Quote:But then, I already noticed something while testing:

Logging into the ACP on my Mac will log me out on the iPad and vice versa!

And that's only two devices ... I am logged in normally on 2 iPads, a Mac and an iPhone.
And of course one session should not log out the other session!

Any idea how to fix this? :-O
This is a greatly confusing default configuration, to be honest.
I am using the device at hand and like with any other forum or website, I wanna stay logged in ...

Adding more details, the regular login can be used on multiple devices, but as soon as I log in (sadly a second time) for the ACP, I get completely logged out from all other devices where I logged into the ACP (which is all of them)!

This is ... horrible ... for lack of a better term.

I will try to find the code that is responsible for this.
Any help would be appreciated :-)

Try commenting out this line: https://github.com/mybb/mybb/blob/mybb_1...x.php#L266

Oh, I only now see your reply - many many thanks for this!
Luckily, I meanwhile found the line and changed it so:


                if ($mybb->settings['PARALLEL_ACPS'] == "0") {
                        $db->delete_query("adminsessions", "uid='{$mybb->user['uid']}'");
                }


I am going to read the two links you posted, thanks again!

I am happy for now and can continue to participate in our forum.

Best wishes!
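The ACP session model Devilshakerz describes earlier in the thread (a random per-session adminsid, a short fixed idle timeout, and a login that discards the admin's other sessions), combined with the PARALLEL_ACPS toggle from the snippet in the post above, worked through as an added example in Python. This is not MyBB code: the class, its method names, and the in-memory store are assumptions made for illustration; the 7200-second timeout is the value discussed in the thread.

```python
import secrets
import time

# Idle timeout in seconds; the hardcoded ACP value discussed in the thread.
ADMIN_SESSION_TIMEOUT = 7200


class AdminSessionStore:
    """Minimal model of an admin-session table keyed by a random adminsid (assumption, not MyBB's code).

    Each row holds the admin's uid and the time of its last activity.
    ``allow_parallel`` plays the role of the PARALLEL_ACPS setting from the thread:
    when False, a new ACP login discards the same admin's other sessions.
    """

    def __init__(self, allow_parallel=False, timeout=ADMIN_SESSION_TIMEOUT):
        self.allow_parallel = allow_parallel
        self.timeout = timeout
        self.sessions = {}  # adminsid -> {"uid": int, "lastactive": float}

    def login(self, uid, now=None):
        """Create a new session; optionally displace the uid's existing ones."""
        now = time.time() if now is None else now
        if not self.allow_parallel:
            # Equivalent of the delete_query on adminsessions for this uid.
            self.sessions = {sid: s for sid, s in self.sessions.items() if s["uid"] != uid}
        # adminsid is unpredictable and never derived from uid or loginkey.
        adminsid = secrets.token_hex(16)
        self.sessions[adminsid] = {"uid": uid, "lastactive": now}
        return adminsid

    def validate(self, adminsid, now=None):
        """Return the uid for a live session and refresh its activity; None otherwise."""
        now = time.time() if now is None else now
        session = self.sessions.get(adminsid)
        if session is None:
            return None
        if now - session["lastactive"] > self.timeout:
            del self.sessions[adminsid]  # expired: drop the row instead of keeping it
            return None
        session["lastactive"] = now
        return session["uid"]

    def logout(self, adminsid):
        """Revoke only this session; sessions on other devices are untouched."""
        return self.sessions.pop(adminsid, None) is not None

    def cleanup(self, now=None):
        """Purge expired rows, the job a periodic cleanup task performs; returns the count."""
        now = time.time() if now is None else now
        expired = [sid for sid, s in self.sessions.items() if now - s["lastactive"] > self.timeout]
        for sid in expired:
            del self.sessions[sid]
        return len(expired)


def demo():
    """Walk through the three behaviours the thread discusses with constructed timestamps."""
    t0 = 1_000_000.0
    # Default behaviour: a second login from another device displaces the first.
    single = AdminSessionStore(allow_parallel=False)
    mac = single.login(uid=1, now=t0)
    ipad = single.login(uid=1, now=t0 + 10)
    displaced = single.validate(mac, now=t0 + 20) is None and single.validate(ipad, now=t0 + 20) == 1
    # Parallel sessions enabled: both stay valid, and logging out one leaves the other alone.
    parallel = AdminSessionStore(allow_parallel=True)
    mac = parallel.login(uid=1, now=t0)
    ipad = parallel.login(uid=1, now=t0 + 10)
    both_live = parallel.validate(mac, now=t0 + 20) == 1 and parallel.validate(ipad, now=t0 + 20) == 1
    parallel.logout(mac)
    ipad_survives = parallel.validate(mac, now=t0 + 30) is None and parallel.validate(ipad, now=t0 + 30) == 1
    # Idle timeout still applies: last activity at t0+30, checked one second past the limit.
    expired = parallel.validate(ipad, now=t0 + 30 + ADMIN_SESSION_TIMEOUT + 1) is None
    return {"displaced": displaced, "both_live": both_live, "ipad_survives": ipad_survives, "expired": expired}


if __name__ == "__main__":
    print(demo())
```

Keeping the idle timeout and per-session revocation while only making the displacement step configurable is the part worth preserving: enabling parallel sessions widens the window in which a session left open on another device remains usable, and the timeout is what bounds that window.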

I tried to add an .htaccess file, but this will restart the whole "login over and over again" issue, as the password was asked again after the browser was closed.
So, I removed it again.

I suppose, the same is true for the ACP pin.

As I would not like to rename the admin directory to something cryptic, I will check out 2FA - maybe this can help.
If not, I can still try the renaming.

Thanks for the suggestions, @Devilshakerz

2FA with OTP Authy works like a charm, that should do the deal.