Regression - Sessions are expiring too fast #14149
Comments
To increase the phpMyAdmin Session Timeout, open
|
Hello, Like I said above, my Login Cookie Validity is 604800, and has been working well in previous versions of phpMyAdmin. Thank you. |
In 4.8.0, it appears that the LoginCookieValidity setting has disappeared from the Settings (or at least I don't seem to be able to find), so I've just added the following to the config file:
I'll let you know if this resolves the issue. |
Hello, I confirm that sessions are still expiring quickly, even though I added the above configuration. Versions affected: 4.7.9, 4.8.0 Thank you. |
This might be because Sessions are expiring because of "session.gc_maxlifetime". However, pretty sure that this was working before 4.7.9, even if gc_maxlifetime was small. I don't want to be changing the global session max life time just because of phpMyAdmin. Isn't phpMyAdmin supposed to keep me alive for as long as I have a window/tab open, with background requests? It appears that was implemented not so long ago... #6229 #1355 Was that reverted? |
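The interaction raised in the comment above can be checked directly. This is an added example, not phpMyAdmin code and not from any participant in this thread; the function name `sessionLifetimeReport` is hypothetical, and 604800 is the `LoginCookieValidity` value reported in this issue.

```php
<?php
declare(strict_types=1);

/**
 * Added diagnostic (not phpMyAdmin code): shows which setting bounds how long
 * an idle login can survive, and where PHP keeps the session files.
 *
 * @param int   $loginCookieValidity value of $cfg['LoginCookieValidity']
 * @param array $ini                 raw ini_get() values, keyed by setting name
 * @return array earliest_expiry_seconds, limited_by, session_dir
 */
function sessionLifetimeReport(int $loginCookieValidity, array $ini): array
{
    // Session data idle for longer than gc_maxlifetime can be deleted by
    // PHP's garbage collector; the login is lost with it.
    $gcMax = (int) $ini['session.gc_maxlifetime'];

    // save_path may be "N;/path" or "N;MODE;/path"; the directory is last.
    // An empty value means the system temp directory.
    $parts = explode(';', (string) $ini['session.save_path']);
    $dir = end($parts);

    return [
        'earliest_expiry_seconds' => min($gcMax, $loginCookieValidity),
        'limited_by' => $gcMax < $loginCookieValidity
            ? 'session.gc_maxlifetime'
            : 'LoginCookieValidity',
        'session_dir' => $dir !== '' ? $dir : sys_get_temp_dir(),
    ];
}

$live = [
    'session.gc_maxlifetime' => ini_get('session.gc_maxlifetime'),
    'session.save_path'      => ini_get('session.save_path'),
];
$r = sessionLifetimeReport(604800, $live);

printf(
    "Login can be lost after %d s idle (limited by %s)\n",
    $r['earliest_expiry_seconds'],
    $r['limited_by']
);
// Garbage collection works per directory: any PHP app that stores sessions
// here with a lower gc_maxlifetime also purges phpMyAdmin's session files.
printf("Session files are stored in %s\n", $r['session_dir']);
```

Run it through the web server rather than the CLI, since the two can load different php.ini values. To avoid raising the global value, `session.gc_maxlifetime` and a dedicated `session.save_path` can be set for the phpMyAdmin virtual host or PHP-FPM pool only.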
phpmyadmin/libraries/config.default.php Lines 786 to 792 in 003da01
@nunoperalta Do you have the following warning ? |
I don't have any warnings appearing in the homepage. |
@nunoperalta do you still have this issue ? |
Since long ago, this seems to be a lot more stable. However, I think that since 5.0.0, when the session expires, the page goes to the logged out page automatically, while before, it stayed on the same page until I do something first (e.g. press a button). This is not fully confirmed yet, but I can try to find whether this is the case or not. |
Thank you for the testing. |
Did you mean after log-in you should be on same page ? |
Guys, For sure, the time the session takes to expire isn't the problem for me anymore. I think it's simply the definition in "session.gc_maxlifetime", which is ok for me. (definitely improved since I reported this bug) However, the fact that now phpMyAdmin kicks me off automatically from every open tab, redirecting all tabs to the Log In page is the problem for me. Before 5.0.0, the session expired, but the page stayed open until I click a button or navigate. Now, I come back to work after many hours, and I have many tabs all redirected to the Log In page, and have no idea what I was doing before on each tab. What would be nice is that when phpMyAdmin detects the session expired, do NOT redirect me automatically, but instead just show a popup saying (more or less these words - this is just a draft):
|
@nunoperalta I think what you are asking for was implemented in #14313 but maybe does not work in your case |
Strange... I have never seen a popup about being logged out, in phpMyAdmin. Either I see nothing and I am being redirected as soon as I do something on the current page, or now with 5.0.0, I am automatically redirected without notice. |
Don't Worry @nunoperalta I will test this issue and let you know 👍 |
|
The functionality is fine though 👍 UI could be a little better I guess? |
@yashrajbothra are you sure to have tested the case where In that case does the modal work as good ? |
@williamdes Yes, it works even in that case but it doesn't work as desired. Like the |
Ok - I got the login page today. It's definitely an overlay, and I see I was back to the same page as before, without a page reload. I'm 100% ok with this. However, I think it would be nice if the overlay could say something like: "You haven't lost your changes." or "You will go back to where you left off." Whatever most appropriate sentence. At least this gives the security to the user that phpMyAdmin didn't inconveniently kick the user out of the page! For example, what I was doing was closing the page and opening a new one, because I was afraid that if my last page was some UPDATE or ALTER TABLE, reloading the page after a login could potentially re-run that query... (we never know!!) So, I was playing safe, not realizing that this was a safe way to login, without losing anything. Hope you consider this small change :) Thanks! |
Ya either way if we keep the opacity low then user can see his work in background and he will know the work is not lost 👍 |
I'm pretty sure there was a reason this was implemented as it was. If a
user walks away from their desk, and phpMyAdmin logs them out, then a
malicious user walks past the desk, this hides any details about what the
user was working on.
I'm not sure whether that continues to be a good justification (in a time
when users in that situation should lock the screen of their computer
rather than walking away), but I remember some user pushback at the time
because they felt that doing otherwise would have been less secure (it
could have been one vocal user, I don't remember and haven't looked).
As a result, I'd prefer an additional notification message to be displayed
saying something like "You have been automatically logged out due to
inactivity. Once you log in again, you should be able to resume working
where you left off." — what do you think?
|
Malicious but not clever, he could use inspect tool and remove the modal ^^
I agree, and it would be QA_5_0 compatible. |
I think just leaving a message is better than showing some confidential info in background. |
This change could go to QA_5_0.
|
Worst case scenario, we can probably have a Setting where the admin can choose whether to fully logout (with a redirect) for security purposes, or have a modal which is less secure. I would choose the less secure setting, because I don't log into my databases using public computers or mobile devices... and I don't want to lose my work overnight. |
It could be a good idea to have a setting 👍 First we can start with a message, and add the setting in another PR |
So far I have good understanding of the issue so I think I can take this up. Can I @williamdes ?? |
Yes @yashrajbothra you can take it |
Signed-off-by: Yash Bothra <yashrajbothra786@gmail.com>
Steps to reproduce
Expected behaviour
Stay logged in for as long as your setting "Login cookie validity" says.
My setting is "604800", but my session is expiring in ~1 hour (can't know exact time)
This was working in 4.7.8.
Actual behaviour
Logging out / session expires too fast
Server configuration
Operating system: CentOS
Web server: Apache
Database: MariaDB
PHP version: 7.2
phpMyAdmin version: 4.7.9
Client configuration
Browser: Chrome 52
Operating system: Win 10