Suma Server Keeps Logging Admin User Out

[thisguyiknow]

Sydney Thompson, who used your Suma software at NC State, had me install it to use here at CWU. After she logs into the Suma server admin, any link she clicks on next will send her back to the login page for the Suma server admin. (Examples: "Edit locations", "Edit initiatives", "Direct JSON Import". She experiences this issue when accessing from on-campus and at home via our campus VPN. I wasn't able to recreate her issue from home via VPN, but when I tried it on my work computer (via remote desktop) I experienced the same issue. Some things I tried or checked:

• Checked Apache access and error logs for any PHP errors. Nothing relevant there.
• Checked sumaserver.log for any indication of what the issue might be. I didn't see anything relevant there either.
• Verified Apache settings.
• Verified all config.yaml files.
• Tried completely clear my web browser's cache / cookies.
• Set SUMA_DEBUG variable to true.
• Tried a different browser.

Sydney JUST emailed me and now it's working for her at work and from home. Issue is annoyingly sporadic. Do you have any idea what else might cause this issue? Anything specific to check?

[cazzerson]

Thanks for writing. This is a really strange issue that I don't think we've seen before. As you can see below, Suma's administrative authentication component is extremely simple: https://github.com/suma-project/Suma/blob/master/service/controllers/AdminController.php#L410-L422 https://github.com/suma-project/Suma/blob/master/service/controllers/AdminController.php#L22-L43 https://github.com/suma-project/Suma/blob/master/service/controllers/BaseController.php#L22-L35 Basically, it compares the login and password to what's in the config file, and if it matches, it sets a PHP session and the corresponding browser cookie using the Zend_Auth library. If this were consistently failing, I'd say that somehow either the session isn't being stored or is expiring very quickly, the cookie is somehow being lost or is expiring very quickly, or some other strange thing is happening along those lines (maybe something with vhosts, cookies, and CORS? I really don't know). For example: https://community.auth0.com/t/sessions-expiring-too-quickly/10850/4 But since it is occasionally working...I'm out of ideas. Has it failed again since it started working for Sydney? Is it possible that one of those things you checked somehow fixed it? Thanks, Jason

…

On Fri, Oct 2, 2020 at 2:18 PM thisguyiknow ***@***.***> wrote: Sydney Thompson, who used your Suma software at NC State, had me install it to use here at CWU. After she logs into the Suma server admin, *any* link she clicks on next will send her back to the login page for the Suma server admin. (Examples: "Edit locations", "Edit initiatives", "Direct JSON Import". She experiences this issue when accessing from on-campus and at home via our campus VPN. I wasn't able to recreate her issue from home via VPN, but when I tried it on my work computer (via remote desktop) I experienced the same issue. Some things I tried or checked: - Checked Apache access and error logs for any PHP errors. Nothing relevant there. - Checked sumaserver.log for any indication of what the issue might be. I didn't see anything relevant there either. - Verified Apache settings. - Verified all config.yaml files. - Tried completely clear my web browser's cache / cookies. - Set SUMA_DEBUG variable to true. - Tried a different browser. Sydney JUST emailed me and now it's working for her at work and from home. Issue is annoyingly sporadic. Do you have any idea what else might cause this issue? Anything specific to check? — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#142>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AACVIVNOJY4UKGF4SP4YLDTSIYKNTANCNFSM4SCAB2SQ> .

[cazzerson]

Closing due to inactivity.