Loss of logged in session on particular network
We are going to be giving a demo to a school board on the ease of use of Concrete5. The problem is that when we are in the school board's network, Concrete5 will not maintain a logged-in session. We log in to the site and then any action we take, i.e. trying to look at the dashboard, trying to edit a page etc., results in an access denied error and the loss of the logged-in session.
We have tried several live C5 sites that we host including versions 5.6 and 5.7 and they all behave the same way. We have tried it on different machines and tried it with and without SSL certificates and with sites being served from different servers. Nothing seems to work. This is obviously some kind of problem with the school board network that doesn't agree with the C5 login process. Other CMSs work as we tried a Drupal site with no issues.
We are out of ideas as to what could cause this. What part of the login process could be broken by something within a particular network? The sites work fine everywhere else but not a single C5 site will stay logged in while using their network wifi. We have been using C5 for a while now and have never come across this before, so we're scratching our heads!
Does their network use any kind of load balancing? If you access the site from a different IP address your session will be dropped.
I'm not sure. I'd have to find out. If this was the case, though, is there any way around it? They would need to be able to log in to the site from within their network.
You pointed me in the right direction; it sounds quite likely that this is the problem. I have found this, which could work.
https://documentation.concrete5.org/tutorials/enable-database-based-... I'll try this and report back.
Hi Blueprint,
Does the school network use a proxy or are you connecting to your site through a VPN?
I may have encountered something similar, so here is something to investigate:
"You may be having issues with 'session fixation'. Session fixation is a security protection to make sure you have the same IP for your entire session. It prevents someone from hijacking your session using a man-in-the-middle attack.
Your VPN connection might be switching between IPs and invalidating your session.
One approach to address this is setting a config value to disable the security protection:
1. open concrete.php or create the file if it does not exist
application\config\concrete.php
2. if the file is empty, add the following code
The default for invalidate_on_ip_mismatch is true."
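The config file that the quoted steps describe, as an added example that is not part of the original post. It assumes concrete5 5.7 or later, where `application/config/concrete.php` returns an array of overrides and the flag sits under `security.session`; the default is noted in a comment beside the relaxed value.

```php
<?php
// application/config/concrete.php
// Added example, not from the original thread. Assumes concrete5 5.7+,
// where this file returns an array that overrides the core defaults.

return [
    'security' => [
        'session' => [
            // Default: true. The session remembers the client IP seen at
            // login and is invalidated when a later request arrives from a
            // different address. Behind a firewall or proxy that sends
            // traffic out through more than one IP, consecutive requests
            // can look like different clients, which produces the
            // "access denied" and logout described in this thread.
            //
            // false stops the IP comparison. The session cookie alone then
            // identifies the user, so serve the site over HTTPS only and
            // prefer fixing the network egress (one outbound IP) where
            // that is possible.
            'invalidate_on_ip_mismatch' => false,

            // Left at its default so a change of browser still ends the
            // session.
            'invalidate_on_user_agent_mismatch' => true,
        ],
    ],
];
```

If the file already returns an array, merge the `security` key into it rather than replacing the file.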
Thanks for the help on this. It pointed us in the right direction. It turns out that when the traffic was going out of the SonicWall it was using more than one IP. The school have fixed this at their end, but I think using the config option to store the session in the database would have done the trick too.