Regression - Sessions are expiring too fast

[nunoperalta]

Steps to reproduce

1. Stay ~1 hour inactive (not focusing the phpMyAdmin tab)
2. Click a link
3. Your session is expired

Expected behaviour

Stay log in for as long as your setting "Login cookie validity" says.
My setting is "604800", but my session is expiring in ~1 hour (can't know exact time)

This was working in 4.7.8.

Actual behaviour

Logging out / session expires too fast

Server configuration

Operating system: CentOS

Web server: Apache

Database: MariaDB

PHP version: 7.2

phpMyAdmin version: 4.7.9

Client configuration

Browser: Chrome 52

Operating system: Win 10

[mastrobirraio]

To increase the phpMyAdmin Session Timeout, open config.inc.php in the root phpMyAdmin directory and add this setting (anywhere).

$cfg['LoginCookieValidity'] = <your_new_timeout>;
Where <your_new_timeout> is some number larger than 1800.

[nunoperalta]

Hello,

Like I said above, my Login Cookie Validity is 604800, and has been working well in previous versions of phpMyAdmin.

Thank you.

[nunoperalta]

In 4.8.0, it appears that the LoginCookieValidity setting has disappeared from the Settings (or at least I don't seem to be able to find), so I've just added the following to the config file:

$cfg['LoginCookieValidity'] = 604800;

I'll let you know if this resolves the issue.

[nunoperalta]

Hello,

I confirm that sessions are still expiring quickly, even though I added the above configuration.

Versions affected: 4.7.9, 4.8.0

Thank you.

[nunoperalta]

This might be because Sessions are expiring because of "session.gc_maxlifetime".

However, pretty sure that this was working before 4.7.9, even if gc_maxlifetime was small.

I don't want to be changing the global session max life time just because of phpMyAdmin.

Isn't phpMyAdmin supposed to keep me alive for as long as I have a window/tab open, with background requests?

It appears that was implemented not so long ago... #6229 #1355

Was that reverted?

[williamdes]

phpmyadmin/libraries/config.default.php

Lines 786 to 792 in 003da01

	/**
	* validity of cookie login (in seconds; 1440 matches php.ini's
	* session.gc_maxlifetime)
	*
	* @global integer $cfg['LoginCookieValidity']
	*/
	$cfg['LoginCookieValidity'] = 1440;

@nunoperalta Do you have the following warning ?

[nunoperalta]

I don't have any warnings appearing in the homepage.
Thank you.

[williamdes]

@nunoperalta do you still have this issue ?

[nunoperalta]

Since long ago, this seems to be a lot more stable.

However, I think that since 5.0.0, when the session expires, the page goes to the logged out page automatically, while before, it stayed on the same page until I do something first (e.g. press a button).

This is not fully confirmed yet, but I can try to find whether this is the case or not.

[nunoperalta]

Yup - definitely happening. I left the page open during the night, and now in the morning, I lost what I had opened.

I don't mind having some alert somewhere saying the session is expired, but I'd prefer if I didn't lose the page that was previously open.

[williamdes]

Thank your for the testing.
I need to do some research but it is possible that the php sessions expire more quickly than we defined in $cfg['LoginCookieValidity'] = 604800;

[yashrajbothra]

I don't mind having some alert somewhere saying the session is expired, but I'd prefer if I didn't lose the page that was previously open.

Did you mean after log-in you should be on same page ?

[nunoperalta]

Guys,

For sure, the time the session takes to expire isn't the problem for me anymore. I think it's simply the definition in "session.gc_maxlifetime", which is ok for me. (definitely improved since I reported this bug)

However, the fact that now phpMyAdmin kicks me off automatically from every open tab, redirecting all tabs to the Log In page is the problem for me.

Before 5.0.0, the session expired, but the page stayed open until I click a button or navigate.
At least I knew what was open on the tab and I could go again to the same place.

Now, I come back to work after many hours, and I have many tabs all redirected to the Log In page, and have no idea what I was doing before on each tab.

What would be nice is that when phpMyAdmin detects the session expired, do NOT redirect me automatically, but instead just show a popup saying (more or less these words - this is just a draft):

Your session has expired. Press "Log In" to leave this page and log in again, or press "Stay" to stay in this page. If you navigate or press any button, you will lose your changes and be required to log in again.

[williamdes]

What would be nice is that when phpMyAdmin detects the session expired, do NOT redirect me automatically, but instead just show a popup saying

@nunoperalta I think what you are asking for was implemented in #14313 but maybe does not work in your case

[nunoperalta]

Strange... I have never seen a popup about being logged out, in phpMyAdmin.
Surprised it was implemented in 2018...

Either I see nothing and I am being redirected as soon as I do something on the current page, or now with 5.0.0, I am automatically redirected without notice.

[yashrajbothra]

Don't Worry @nunoperalta I will test this issue and let you know 👍

[yashrajbothra]

As @nunoperalta said there was no popup shown up 😕

[yashrajbothra]

Ohh sorry Actully this is a model but covering the whole page so cant really say that its a model

[yashrajbothra]

the functionality is fine though 👍

UI could be little better i guess?

[williamdes]

@yashrajbothra are you sure to have tested the case where session.gc_maxlifetime < $cfg['LoginCookieValidity']

In that case does the modal work as good ?

[yashrajbothra]

@williamdes Yes, It works even in that case but it doesnt work as desired.

Like the session.gc_maxlifetime=200 and $cfg['LoginCookieValidity'] = 120; but the automatic logout performed after (about 300 seconds)

[nunoperalta]

Ok - I got the login page today.

It's definitely an overlay, and I see I was back to the same page as before, without a page reload.

I'm 100% ok with this.

However, I think it would be nice if the overlay could say something like:

"You haven't lost your changes."

or

"You will go back to where you left off."

Whatever most appropriate sentence. At least this gives the security to the user that phpMyAdmin didn't inconveniently kick the user out of the page!

For example, what I was doing was closing the page and opening a new one, because I was afraid that if my last page was some UPDATE or ALTER TABLE, reloading the page after a login could potentially re-run that query... (we never know!!)

So, I was playing safe, not realizing that this was a safe way to login, without losing anything.

Hope you consider this small change :)

Thanks!

[yashrajbothra]

Ya either way if we keep the opacity low then user can see his work in background and he will know the works is not lost 👍

[ibennetch]

I'm pretty sure there was a reason this was implemented as it was. If a user walks away from their desk, and phpMyAdmin logs them out, then a malicious user walks past the desk, this hides any details about what the user was working on. I'm not sure whether that continues to be a good justification (in a time when users in that situation should lock the screen of their computer rather than walking away), but I remember some user pushback at the time because they felt that doing otherwise would have been less secure (it could have been one vocal user, I don't remember and haven't looked). As a result, I'd prefer an additional notification message to be displayed saying something like "You have been automatically logged out due to inactivity. Once you log in again, you should be able to resume working where you left off." — what do you think?

[williamdes]

then a malicious user walks past the desk

Malicious but not clever, he could use inspect tool and remove the modal ^^
That said, a high blur effect could hide every readable details .

As a result, I'd prefer an additional notification message to be displayed
saying something like "You have been automatically logged out due to
inactivity. Once you log in again, you should be able to resume working
where you left off." — what do you think?

I agree, and it would be QA_5_0 compatible.
Do you agree for this change to go to QA_5_0 @ibennetch ?

[yashrajbothra]

I think just leaving a message is better than showing some confidential info in background.
Ya ,they can delete modal by inspecting but atleast we should protect as much as we can 👍

[ibennetch]

This change could go to QA_5_0.

[nunoperalta]

Worst case scenario, we can probably have a Setting where the admin can choose whether to fully logout (with a redirect) for security purposes, or have a modal which is less secure.

I would choose the less secure setting, because I don't log into my databases using public computers or mobile devices... and I don't want to lose my work overnight.

[williamdes]

Worst case scenario, we can probably have a Setting where the admin can choose whether to fully logout (with a redirect) for security purposes, or have a modal which is less secure.

It could be a good idea to have a setting 👍

First we can start with a message, and add the setting in another PR

[yashrajbothra]

So far i have good understanding of the issue so i think i can take this up. Can I @williamdes ??

[williamdes]

Yes @yashrajbothra you can take it