
Solved Why does the "remember me" box not work as expected on my website?

10 years 2 months ago #1 by jimrowland
I'm somewhat new to this website admin thing, and although I understand what cookies are and what sessions are, I'm not sure how to properly implement them, so I haven't made any changes to the default settings.

What I want in a final solution is an experience like that here at kunena.org. When I come back 24 hours from now, and click on something, I don't have to re-logon. I believe that my session has expired, but that there is a cookie on my computer because I have ticked the "remember me" box upon logon many sessions ago.

On my setup, ticking this button has no effect. Any idle over 20 minutes or so results in the user needing to re-logon.

I have a fairly new install of Joomla/Kunena (3.2.1 and 3.0.4 respectively), and I have NOT configured the cookie settings in the global Joomla configuration. Mostly because I'm not sure what to put in there.

Joomla is currently installed at the root directory of my Apache web server's www directory. There are other web daemons (tomcat) running on this same server at different parts of the file system. The joomla website is called through a port 82 redirect: www.fseconomy.net:82

In my global configuration, both of the cookie boxes are empty (cookie domain and cookie path), and the session is set to 20 minutes with Database as the handler (only option).

Is this enough information to explain how to implement my settings? Do I need to do anything at the file system level? Do I just need to plug in the above URL (with the :82) into the domain box, and a / into the path box and call it good?

Thanks for any insight.
jim

10 years 2 months ago - 10 years 2 months ago #2 by sozzled

jimrowland wrote: I'm somewhat new to this website admin thing, and although I understand what cookies are and what sessions are, I'm not sure how to properly implement them ...

I won't attempt a long-winded dissertation about sessions and cookies - there are plenty of resources on the Internet that explain those things - but, in Joomla terms, I think your question boils down to:

jimrowland wrote: I want ... that ... when I come back 24 hours from now, and click on something, I don't have to re-logon.

Leaving out any discussion about whether it's desirable (or appropriate) to allow a session length of 24 hours, please see msg #4 in the topic Login / Logout problems . Even though I wrote that advice for a much older version of Kunena (and Joomla), the basic principles remain the same. I hope it helps.
Last edit: 10 years 2 months ago by sozzled.

10 years 2 months ago #3 by jimrowland
Thanks for the reply sozzled. Regarding the dissertation on long session lengths, I agree that it's not desirable nor appropriate. I think 20 to 30 minutes is just fine. Your numbers in post #4 of that thread match the numbers on my site, so that's good.

I might be missing something in my translation from human speak to geek speak, so let me use this example:

I have an account here on the Kunena forums. I have a PC that is on 24/7 and a web browser that is open 24/7 on that computer, and most of the tabs don't get closed if I'm going to frequent the site in that tab.

Sooo... since I've been learning about Joomla and Kunena lately, the two tabs with these sites have been open on an un-rebooted computer for nearly a month now.

I was browsing around the Kunena forums on Tuesday, but I did not use the computer on Wednesday at all. Now, here it is on Thursday, nearly 48 hours after my last action on the kunena.org website. When I switch to the tab containing the Kunena site, and click on something (in this case, I clicked on "My Topics")... I did not have to log in.

Now, I understand that the session length on this site is NOT 48 hours, and that my session on this server expired 47+ hours ago. However... I didn't have to go through the log-in process in order to use the website, and start this thread.

I *think* that has to do with cookies and the "remember me" option in the logon box... not sessions.

I want to replicate this Kunena experience on my site. Is that cookies?

Thanks,
Jim


p.s. I know that asking unrelated questions in any given topic is not proper form... but I noticed that you have 20,000+ posts. I'm wondering what you see when you click on "My Topics"? I'm assuming that you would have hundreds upon hundreds of "pages" of topics... is there an easy way to use that "my topics" feature with so many posts?

10 years 2 months ago #4 by sozzled
Even though it may be "desirable" to save some time by not having to login to your site in order to engage in the forum, from a security perspective it is not recommended that you should allow the session times to have such an extended - almost open-ended length - that completely eliminates the need to login occasionally. Joomla sessions are tricky enough to juggle (and there's no clear agreement from the whole Joomla community as to what is an "appropriate" setting for Joomla session times) but the key point I want to make is that it's a good practice to follow that you set the Kunena session time to be the same value as what you set your Joomla session time. That's the practice that's used here at this website.

I will be entirely honest with you and confess that I don't fully understand the usefulness of the "Remember me" checkbox - I rarely use this myself and most modern browsers these days incorporate features that allow you to remember your login credentials; I believe it creates a permanent cookie on your PC. As you probably know, cookies - in a general sense - are determined by (a) the site that writes them and (b) the web agent that is used to access that site and (c) whether your browser allows the use of cookies. Therefore, if you access a site with Internet Explorer (for example) a cookie is stored with other IE cookies; but if you subsequently access the same site with a different browser, the different browser has no knowledge of IE's cookies.

There's also the difference between session cookies and permanent cookies.

Sessions are timed-out after a certain length of time - the time is determined by the Joomla session length - unless there's some "keepalive" activity (e.g. refreshing a page view). There's a whole other debate about the use of keepalive tools (and questions about the ethics of using such tools) - and I'm not going to engage in that discussion here - but it's also entirely possible that something "unintentional" may keep a session alive and this could explain why, 48 hours after last visiting a site, you seem to be able to pick up again after your session should otherwise have timed out and you should have been logged out.

I can assure you that the session length at this website is nowhere near as long as 48 hours.

Technicalities aside (and we could spend forever discussing them), the Joomla session length is a time defined in minutes. On a stock-standard, "vanilla flavoured" out-of-the-box J! 3.2 site, these are the settings:



The Kunena session length is a time defined in seconds. Likewise, on a "vanilla flavoured", out-of-the-box Kunena installation, the settings are:



As you can see, the Kunena session length of 1800 seconds (30 minutes) is not the same as Joomla session length but, for most purposes, this should not have an impact. To keep things "simple" I would advise that you define these settings with the same equivalent value. I have written about this subject many times before on the forum; Login / Logout problem is one such topic.

In relation to your other off-topic query, I think it's better if you create a new topic to follow up on it and we can give your other, unrelated, question the attention it deserves there. Thanks.
10 years 2 months ago #5 by jimrowland
Thanks, sozzled.

sozzled wrote: it's also entirely possible that something "unintentional" may keep a session alive and this could explain why, 48 hours after last visiting a site, you seem to be able to pick up again after your session should otherwise have timed out and you should have been logged out.

I understand the idea of sessions, and I fully believe that my session here at kunena.org DID time out, probably after 20 or 30 minutes of inactivity (assuming that's what the settings are here). What this means to others is that the "now online" button over in my profile box switched to "offline". My session was no longer valid. I get that.

However... what I'm still trying to figure out is... why do I not have to "log on" again? And how can I make my site do this? And it's not just Kunena.org... this has been my experience with 99% of the sites I visit on the internet, with 99% of the browsers I've ever used. To me, this experience of not having to type my name and password is the norm... as long as I've previously visited that particular site using this particular browser on this specific computer... unless there is a security reason to not allow it, such as banking sites.

Yes, it is something in the browser (I suspect cookies) that sends authentication to the server to establish a new session on behalf of the user. It is NOT the session staying alive that gives me this experience.

Just as a test... last night, I powered off my desktop computer (running Ubuntu+Firefox) as well as my laptop (Win8+Chrome). This evening, when I got home, I powered both of them back up, restarted my browser on each, and went to kunena.org on each. In neither case did I have to type in a username and password. In both cases, when I clicked on "Forum" from the main page, the top of the forums page gave me the familiar "Welcome, jimrowland" message. No login, no extended session, and no clue how to make this happen on my site... the only site in the world that I currently cannot experience this with. (ok, that was a little exaggeration) :^)

But... after powering up my computers, I went to several other sites... joomopolis, joomla.org, etc... and at none of those sites did I have to "log in". They all greeted me with the same "Welcome jimrowland" message at the top.

10 years 2 months ago - 10 years 2 months ago #6 by sozzled
I have no explanation for this. Without divulging sensitive information about this website, the Joomla session length is longer than 30 minutes and less than 24 hours. Likewise, it is strange that the other Joomla sites you mentioned also seem to have your sessions kept alive long after they should have terminated.

I accept, of course, that you are absolutely certain that you were logged-in (i.e. you refreshed your page) and you were able to continue interacting with those sites - as a logged-in user - hours (or days) after you should have been logged-out ... as if nothing had otherwise intervened. :side: I have no explanation for that.

What we have experienced on this site is the unusual behaviour of some rogue webagents that apparently "poll" a page (i.e. they refresh it dozens of times per minute) and you can see that in the page views. Some topics have mysteriously unaccountable high page views. For example, this topic (that you created) has received 30,000+ page views and yet it has just been you and me who have been engaged in this discussion. I have asked the other developers to investigate why some topics get abnormally high page views and other topics get more "normal" ones. My guess is that some web agents employ rogue activities to hit the target sites - thereby causing server traffic congestion (with the resulting DoS) - but I don't have any other explanation for it.

In other words, it is possible (or probable) that some browsers have become infected with software viruses that keep "refreshing" the pages they visit in a way that is unknown to those who use them. That's the only other conclusion I can draw.

In order for a user to remain logged-in to a Joomla site, one of two things must occur:

(a) the user's web-agent (i.e. browser) must refresh a page on that site before Joomla session length expiry has been reached; or

(b) the Joomla server handler on the server must be broken and the server may need to be restarted.
Last edit: 10 years 2 months ago by sozzled.

10 years 2 months ago - 10 years 2 months ago #7 by jimrowland

sozzled wrote: I have no explanation for this.

I believe the explanation is "permanent cookies", not "sessions" or "session cookies".

sozzled wrote: Without divulging sensitive information about this website, the Joomla session length is longer than 30 minutes and less than 24 hours.

Sure, and I don't want that info... nor do I think the session is relevant.

sozzled wrote: Likewise, it is strange that the other Joomla sites you mentioned also seem to have your sessions kept alive long after they should have terminated.

I do not think that the "session is kept alive"... I think that a permanent cookie on my hard drive is created that allows me to do this. Again, this is my "expected result" on hundreds of web sites... and it works on all of those websites, except mine.

In order to "prove to myself" that I was, indeed, "logged out" of the Kunena.org site, and that the session had expired, I used my wife's iphone to browse to this site. A completely new device that had never been on this site. I navigated to this thread (without logging in) and saw the "Offline" tag over there in my profile box. --->

This conclusively proves that my session cookie had expired, and I was indeed "logged out". At that point, I went back over to my laptop and refreshed the kunena.org page I was on, and I was "logged in" to a brand new sessionID, without the intermediate step of having to use the username/password box. Went back to my wife's phone, and refreshed the page... sure enough, the button said "Now Online". (I'm still in a "guest" status on the phone)

sozzled wrote: In order for a user to remain logged-in to a Joomla site, one of two things must occur:

(a) the user's web-agent (i.e. browser) must refresh a page on that site before Joomla session length expiry has been reached; or

(b) the Joomla server handler on the server must be broken and the server may need to be restarted.

The word "remain" is deceptive. I do not think I am "remaining" logged in. I think that I have a permanent cookie on my hard drive that "lets me back in".

What I don't know is how to set this up on my server. Just as a test, I tried to type in a dot and a slash into the cookies boxes on my Joomla Global Config page.
Domain = .
Path = /

This had a negative result in that users were no longer able to log in at all. They went to the page, typed in username and password, and when they clicked "enter", the page simply refreshed and they were still at the login dialog box.

I have an odd set up (described in the OP), with my server running two different webservers, and redirecting port:82 requests to the Apache server / Joomla site. I don't know if my issues are because of this, or if there is a different way to set up cookies in this scenario.
Last edit: 10 years 2 months ago by jimrowland.

10 years 2 months ago #8 by sozzled
If you would like to discuss this further with me (offline from the forum) and you have the time, contact me by email and we will arrange to chat via Skype.

10 years 2 months ago #9 by jimrowland
Per the discussion in the other thread, I did send an email to the address listed on the team page... this is a copy from the email headers... perhaps it went to the junk bin? My skype address is the one listed in the from address here, not my address I registered with on the kunena site. I'll be available most of the day if you would like to contact me, starting about 1 hour from now for a 6 hour window.

This message contains confidential information

10 years 2 months ago #10 by jimrowland
I'd like to report my findings and wrap up this topic. Since it's not in the support request category, it doesn't really need to be marked as "resolved", but since others might see this when searching for similar problems, I will post what I know.

The entire original post could probably have been asked better: "Why does the "remember me" box not work as expected?" That probably would have been a simpler question that was less vague and more to the point, and therefore less confusing. :^)

The expected result, when checking this box upon logon, is that the next time you visit the website, you will not have to walk through the logon process. I was not getting this result. But I've since discovered why.

What SHOULD happen, when checking this box, is that a persistent cookie should be written to your computer's hard drive, in whatever location your particular browser is set to store such cookies, assuming that you've not configured your browser to not accept cookies. From that point, if you ever re-visit the website after your session has expired, then your browser will pass your user authentication to the server in the background, using the information in that cookie. Assuming that you're within the required window (60 days by default) and that your user information has not been changed on the server (i.e. you changed your password using another browser, or the admins locked your account, etc.), the user experience should be that no logon process occurred using the logon form. The user is just "automagically" logged on.

Anyone with a Joomla + Kunena website will know that there are at least two logon modules - the joomla logon module, and the kunena logon module. I haven't read through the scripting code to know exactly how each one works, or from exactly which part of the resulting HTML was generating the cookie, but here is what I eventually discovered:

1. If I logon through the Joomla login module, I would get the proper cookie. I could return to the site, at any page, at any time (within 60 days), and resume what I was doing without having to re-logon.

2. If I logon through the Kunena login module, I would still get a proper cookie, but the cookie path was set to the Kunena component (with a path of /forum in my case). What this means is that if I return to the website at any time (within 60 days) and access a page within the forums, then I would still be "logged in" (i.e. my cookie would re-authenticate me without direct action on my part).
..... HOWEVER .....
Since the path inside my cookie was written as /forum, because I originally logged in using the kunena login module, if I went back to the website by visiting any page NOT within this path (such as the home page), then the cookie would NOT re-authenticate me because I was not accessing a page within the path authorized to the cookie. Therefore, I would see a "welcome guest" text, and a logon dialog box.

In both of the above scenarios, the "Cookie Settings" in my Joomla global configuration settings was blank. Normally, this is ok. But in this case, (I hypothesize that) the blank setting allowed the Kunena logon module to write the cookie from the Kunena point of view, which is /forum. By changing the Joomla setting and inserting a "/" into the "Path" box, this forced the Kunena logon module to pass a "root path" ("/") inside the cookie, if the user was logging in through the Kunena module.

============
The end result is that putting a / in the "cookie path" global settings box solved my problem, and now all cookies written from any login module will allow the cookie to re-authenticate the user when the user re-visits the website by landing on any page.
The following user(s) said Thank You: KaiD, psaijai
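
The path scoping described in post #10, worked through as an added example (not part of the thread, and not Joomla or Kunena code): it applies the browser's cookie path-match rule from RFC 6265 section 5.1.4 to a cookie scoped to /forum and one scoped to /. The cookie name, token, login URL and page list are constructed; `defaultPath` goes slightly beyond the post by covering a Set-Cookie header that carries no Path attribute at all.

```javascript
// RFC 6265 5.1.4: the path a browser assigns when Set-Cookie has no usable
// Path attribute. It is the "directory" of the URL that set the cookie.
function defaultPath(requestPath) {
  if (!requestPath || requestPath[0] !== "/") return "/";
  const lastSlash = requestPath.lastIndexOf("/");
  return lastSlash === 0 ? "/" : requestPath.slice(0, lastSlash);
}

// RFC 6265 5.1.4 path-match: is a cookie with cookiePath sent to requestPath?
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  if (cookiePath.endsWith("/")) return true;
  // A prefix only counts when it ends on a path segment boundary.
  return requestPath[cookiePath.length] === "/";
}

// Minimal Set-Cookie reader: keeps the name and the effective path only.
// responsePath is the path of the URL whose response carried the header.
function storeCookie(setCookie, responsePath) {
  const [pair, ...attrs] = setCookie.split(";").map((s) => s.trim());
  const name = pair.slice(0, pair.indexOf("="));
  let path = null;
  for (const attr of attrs) {
    const eq = attr.indexOf("=");
    const key = (eq === -1 ? attr : attr.slice(0, eq)).toLowerCase();
    const value = eq === -1 ? "" : attr.slice(eq + 1);
    if (key === "path" && value.startsWith("/")) path = value;
  }
  return { name, path: path || defaultPath(responsePath) };
}

// Which of the given pages would receive the cookie on a return visit?
function pagesThatReceive(cookie, requestPaths) {
  return requestPaths.filter((p) => pathMatches(p, cookie.path));
}

// Constructed sample data (5184000 s = the 60 day window from post #10).
const SITE_PAGES = ["/", "/index.php", "/forum", "/forum/my-topics", "/forums-archive"];
const LOGIN_URL_PATH = "/forum/login"; // hypothetical login URL
const forumScoped = storeCookie(
  "remember_me_example=opaque-token; Path=/forum; Max-Age=5184000", LOGIN_URL_PATH);
const rootScoped = storeCookie(
  "remember_me_example=opaque-token; Path=/; Max-Age=5184000", LOGIN_URL_PATH);
const noPathAttr = storeCookie(
  "remember_me_example=opaque-token; Max-Age=5184000", LOGIN_URL_PATH);

for (const [label, cookie] of [
  ["Path=/forum", forumScoped],
  ["Path=/", rootScoped],
  ["no Path attribute", noPathAttr],
]) {
  console.log(label, "-> stored path", cookie.path,
    "-> sent to", pagesThatReceive(cookie, SITE_PAGES).join(", "));
}
```

Widening the path to / means the browser attaches the remember-me cookie to every request for that host name, and because cookies are not isolated by port (RFC 6265, section 8.5), that includes any other web service answering on the same host name on a different port.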
