Solved Why does the "remember me" box not work as expected on my website?

I'm somewhat new to this website admin thing, and although I understand what cookies are and what sessions are, I'm not sure how to properly implement them, so I haven't made any changes to the default settings.

What I want in a final solution is an experience like that here at kunena.org. When I come back 24 hours from now, and click on something, I don't have to re-logon. I believe that my session has expired, but that there is a cookie on my computer because I have ticked the "remember me" box upon logon many sessions ago.

On my setup, ticking this button has no effect. Any idle over 20 minutes or so results in the user needed to re-logon.

I have a fairly new install of Joomla/Kunena (3.2.1 and 3.0.4 respectively), and I have NOT configured the cookie settings in the global Joomla configuration. Mostly because I'm not sure what to put in there.

Joomla is currently installed at the root directory of my appache web server's www directory. There are other web deamons (tomcat) running on this same server at different parts of the file system. The joomla website is called through a port 82 redirect: www.fseconomy.net:82

In my global configuration, both of the cookie boxes are empty (cookie domain and cookie path), and the session is set to 20 minutes with Database as the handler (only option).

Is this enough information to explain how to implement my settings? Do I need to do anything at the file system level? Do I just need to plug in the above URL (with the :82) into the domain box, and a / into the path box and call it good?

Thanks for any insight.
jim

jimrowland wrote: I'm somewhat new to this website admin thing, and although I understand what cookies are and what sessions are, I'm not sure how to properly implement them ...

I won't attempt a long-winded dissertation about sessions and cookies - there are plenty of resources on the Internet that explain those things - but, in Joomla terms, I think your question boils down to:

jimrowland wrote: I want ... that ... when I come back 24 hours from now, and click on something, I don't have to re-logon.

Leaving out any discussion about whether it's desirable (or appropriate) to allow a session length of 24 hours, please see msg #4 in the topic Login / Logout problems . Even though I wrote that advice for a much older version of Kunena (and Joomla), the basic principles remain the same. I hope it helps.

Thanks for ther reply sozzled. regarding the dissertaion on long sessions lenghts, I agree that it's not desirable nor appropriate. I think 20 to 30 minutes is just fine. Your numbers in post #4 of that thread match the numbers on my site, so that's good.

I might be missing something in my translation from human speak to geek speak, so let me use this example:

I have an account here on the Kunena forums. I have a PC that is on 24/7 and a web browser that is open 24/7 on that computer, and most of the tabs don't get closed if I'm going to freqeunt the site in that tab.

Sooo... since I've been learning about Joomla and Kunena lately, the two tabs with these sites have been open on an un-rebooted computer for nearly a month now.

I was browsing around the Kunena forums on Tuesday, but I did not use the computer on wednesday at all. Now, here it is on Thursday, nearly 48 hours after my last action on the kunena.org website. When I switch to the tab containing the Kunena site, and click on something (in this case, I clicked on "My Topics".... I did not have to log in.

Now, I understand that the session length on this site is NOT 48 hours, and that my session on this server expired 47+ hours ago. However... I didn't have to go through the log-in process in order to use the website, and start this thread.

I *think* that has to do with cookies and the "remember me" option in the logon box... not sessions.

I want to replicate this Kunena experince on my site. Is that cookies?

Thanks,
Jim


p.s. I know that asking unrelated questions in any given topic is not propper form... but I noticed that you have 20,000+ posts. I'm wondering what you see when you click on "My Topics"? I'm assuming that you would have hundreds upon hundreds of "pages" of topics... is there an easy way to use that "my topics" feature with so many posts?

Even though it may be "desirable" to save some time by not having to login to your site in order to engage in the forum, from a security perspective it is not recommended that you should allow the session times to have such an extended - almost open-ended length - that completely eliminates the need login occasionally. Joomla sessions are tricky enough to juggle (and there's no clear agreement from the whole Joomla community as to what is an "appropriate" setting for Joomla session times) but the key point I want to make is that it's a good practice to follow that you set the Kunena session time to be the same value as what you set your Joomla session time. That's the practice that's used here at this website.

I will be entirely honest with you and confess that I don't fully understand the usefulness of the "Remember me" checkbox - I rarely use this myself and most modern browsers these days incorporate features that allow you to remember your login credentials; I believe it creates a permanent cookie on your PC. As you probably know, cookies - in a general sense - are determined by (a) the site that writes them and (b) the web agent that is used to acccess that site and (c) whether your browser allows the use of cookies. Therefore, if you access a site with Internet Explorer (for example) a cookie is stored with other IE cookies; but if you subsequently access the same site with a different browser, the different browser has no knowledge of IE's cookies.

There's also the difference between session cookies and permanent cookies.

Sessions are timed-out after a certain length of time - the time is determined by the Joomla session length - unless there's some "keepalive" activity (e.g. refreshing a page view). There's a whole other debate about the use of keepalive tools (and questions about the ethics of using such tools) - and I'm not going to engage in that discussion here - but it's also entirely possible that something "unintentional" may keep a session alive and this could explain why, 48 hours after last visiting a site, you seem to be able to pick up again after your session should otherwise have timed out and you should have been logged out.

I can assure you that the session length at this website is nowhere near as long as 48 hours.

Technicalities aside (and we could spend forever discussing them), the Joomla session length is a time defined in minutes. On a stock-standard, "vanilla flavoured" out-of-the-box J! 3.2 site, these are the settings:



The Kunena session legnth is a time defined in seconds. Likewise, on a "vanilla flavouored", out-of-the-box Kunena installation, the settings are:



As you can see, the Kunena session length of 1800 seconds (30 minutes) is not the same as Joomla session length but, for most purposes, this should not have an impact. To keep things "simple" I would advise that you define these settings with the same equivalent value. I have written about this subject many times before on the forum; Login / Logout problem is one such topic.

In relation to your other off-topic query, I think it's better if you create a new topic to follow up on it and we can give your other, unrelated, question the attention it deserves there. Thanks.

Thanks, sozzled.

it's also entirely possible that something "unintentional" may keep a session alive and this could explain why, 48 hours after last visiting a site, you seem to be able to pick up again after your session should otherwise have timed out and you should have been logged out.

I understand the idea of sessions, and I fully believe that my session here at kunena.org DID time out, probably after 20 or 30 minutes of inactivity (assuming that's what the settings are here). What this means to others is that the "now online" button over in my profile box switched to "offline". My session was no longer valid. I get that.

However... what I'm still trying to figure out is... why do I not have to "log on" again? And how can I make my site do this? And it's not just Kunena.org... this has been my experience with 99% of the sites I visit on the internet, with 99% of the browsers I've ever used. To me, this experience of not having to type my name and password is the norm... as long as I've previously visited that particular site using this particular browser on this specific computer... unless there is a security reason to not allow it, such as banking sites.

Yes, it is something in the browser (I suspect cookies) that sends authentication to the server to establish a new session on behalf of the user. It is NOT the session staying alive that gives me this experience.

Just as a test... last night, I powered off my desktop computer (running Ubuntu+Firefox) as well as my laptop (Win8+Chrome). This evening, when I got home, I powered both of them back up, restarted my browser on each, and went to kunena.org on each. In neither case did I have to type in a username and password. In both cases, when I clicked on "Forum" from the main page, the top of the forums page gave me the familiar "Welcome, jimrowland" message. No login, no extended session, and no clue how to make this happen on my site... the only site in the world that I currently cannot experience this with. (ok, that was a little exaggeration) :^)

But... after powering up my computers, I went to several other sites... joomopolis, joomla.org, etc... and at none of those sites did I have to "log in". They all greeted me with the same "Welcome jimrowland" message at the top.

I have no explanation for this. Without divulging sensitive information about this website, the Joomla session length is longer than 30 minutes and less than 24 hours. Likewise, it is strange that the other Joomla sites you mentioned also seem to have your sessions kept alive long after they should have terminated.

I accept, of course, that you are absolutely certain that you were logged-in (i.e. you refreshed your page) and you were able to continue interacting with those sites - as a logged-in user - hours (or days) after you should have been logged-out ... as if nothing had otherwise intervened. :side: I have no explanation for that.

What we have experienced on this site is the unusual behaviour of some rogue webagents that apparently "poll" a page (i.e. they refresh it dozens of times per minute) and you can see that in the page views. Some topics have mysteriously unaccountable high page views. For example, this topic (that you created) has received 30,000+ page views and yet it has just been you and me who have been engaged in this discussion. I have asked the other developers to investigate why some topics get abnormally high page views and other topics get more "normal" ones. My guess is that some web agents employ rogue activities to hit the target sites - thereby causing server traffic congestion (with the resulting DoS) - but I don't have any other explanation for it.

In other words, it possible (or probable) that some browsers have become infected with software viruses that keep "refreshing" the pages they visit in a way that is unknown to those who use them. That's the only other conclusion I can draw.

In order for a user to remain logged-in to a Joomla site, one of two things must occur:

(a) the user's web-agent (i.e. browser) must refresh a page on that site before Joomla session length expiry has been reached; or

(b) the Joomla server handler on the server must be broken and the server may need to be restarted.