@chris-morgan opened this Issue on August 21st 2018

I expect “Remember Me” to keep my session alive at the very least until I have not used it for thirty days.

Instead, it looks like it produces a cookie which dies after two weeks? That’s super annoying.

Please let me stay logged in either indefinitely or at least until I haven’t used it for a month.

@chris-morgan commented on August 21st 2018

Also, “Remember Me” should be checked by default. It’s what almost everyone wants. (Increasingly, services are even omitting the checkbox altogether and not offering expire-at-end-of-browser-session cookies.)

@diosmosis commented on August 22nd 2018 Member

You can customize the amount of time the session is kept alive by setting the login_cookie_expire INI config option in config.ini.php, eg:

; for 30 days
[General]
login_cookie_expire = 2592000

; forever (technically not, cookies have to expire, so setting it to 10 years)
[General]
login_cookie_expire = 315360000

@chris-morgan commented on August 22nd 2018

Is login_cookie_expire = 2592000 going to keep it alive for up to thirty days from login time, or from session-last-used time?

I expect “remember me” on a site to keep a session that I continue to use alive indefinitely. A session that I don’t use for a while, I’ll grudgingly allow it to expire.

I suggest that the defaults should be increased, and Remember Me checked by default.

@diosmosis commented on August 22nd 2018 Member

From the login time.

@dev-101 commented on September 19th 2018

Ever since upgrading to 3.6.0 Matomo keeps forgetting me on a daily basis, both on phone and PC.
It is really annoying, to say the least.

I see there were changes related to sessions / login, so this might be the cause of the issue.

@diosmosis commented on September 19th 2018 Member

@dev-101 Forgetting you after a day, after you close and re-open your browser or randomly while using the same browser?

@dev-101 commented on September 19th 2018

Believe it or not, it happens sometimes during the same browser session. I am still puzzled why.

@diosmosis commented on September 19th 2018 Member

@dev-101 Odd, the new session code will log you out if there is a change in user agent, but of course won't happen w/ the same browser (only if someone steals your session cookie and tries to use it in another browser). It's possible your server is deleting the session through session GC, but I can't see why it would happen otherwise. (Note: Matomo will use ini_set() to set session.gc_maxlifetime to the login cookie expire time).

@dev-101 commented on September 19th 2018

On the same setup I run WordPress and no issues. I do use UA extension, but it is disabled by default, I'll verify later.

@diosmosis commented on September 19th 2018 Member

AFAIK wordpress doesn't use a real session, it uses cookies. (Though I'm no wordpress expert, so...)

@tsteur commented on September 19th 2018 Member

I would say we can likely also remove the user agent comparison as it doesn't provide too much value in terms of security. Browsers are now updated to the latest version regularly and it doesn't take too much effort to "guess" the browser version. Also if an attacker gets the session id through XSS an attacker can easily get the user agent too. If the session id is stolen through HTTP sniffing, then the user agent will be available too (not through HTTPS though). It does provide little additional security, but not too much.

@dev-101 commented on September 19th 2018

Everything was fine in 3.5.1
But server received regular maintenance etc. Not sure how much of it affects this.

Does Matomo have debug mode?

@diosmosis commented on September 19th 2018 Member

In 3.5.1 a cookie was used, but this was deemed insecure.

You can enable debug logging (see https://matomo.org/faq/troubleshooting/faq_115/), but I don't think that will give you any new information in this case. If you are being booted out at regular intervals (eg, say you find it's always 1 hour after you login that you're booted out), then it's probably session.gc_maxlifetime deleting the session (which would mean the ini_set() in Matomo isn't working on your system).

@dev-101 commented on September 19th 2018

There are dozens of session files in piwik session dir, I doubt I'm being logged out because they are missing. Something else is going on here in my opinion.

Can frequent IP changes now cause this? I'm on the move, plus I'm behind NAT at home. That's my suspect no. 1.

@diosmosis commented on September 19th 2018 Member

There was originally an IP check in the PR that moved to real sessions, but this was moved specifically to avoid this problem.

@dev-101 commented on September 19th 2018

"moved" as in removed?

@diosmosis commented on September 19th 2018 Member

Yes, "removed", mistyped. Sorry for the confusion.

@dev-101 commented on September 19th 2018

I'll reinstall 360 from scratch and see if that'll help fix weird stuff going on since the update.

@dev-101 commented on September 21st 2018

Another fun fact: toggling back-and-forth Android Chrome browser's switch "request desktop site" logs you out immediately and requests another login.

Now, security aside, how do big companies like Google handle the log-in procedure? I am virtually never logged out. Yet, I doubt they have an insecure login.

@diosmosis commented on September 21st 2018 Member

The request desktop site log out is likely due to the user agent check (which I'll remove). The other random log outs you're experiencing are due to something else.

Pretty sure google uses server backed sessions, but these sessions are not on your server, so of course whatever issue is affecting you would not affect your google sessions. Perhaps you can record the session ID before & after you randomly get logged out, and see if the files for those sessions still exist (as well as see what's in them)? Might be a long shot but you can also try applying this PR: https://github.com/matomo-org/matomo/pull/13391 . Would only affect you if something on your Matomo is regularly changing your user info.

@dev-101 commented on September 21st 2018

Does Matomo still use the same logic (cookie) for the "ignore visits" functionality? (I don't really closely follow Matomo development, sorry).

I have coded a simple plugin to keep my ignore cookie auto set every time I login into Piwik/Matomo:
https://tehnoblog.org/piwik-analytics-auto-set-ignore-visits-cookie-plugin/

Could it be now cause of this trouble?

@diosmosis commented on September 21st 2018 Member

Yes, the cookie based "ignore visits" functionality shouldn't have changed. No that plugin shouldn't be causing this... Are you using any other plugins? You could try deactivating them and seeing if it has an effect. I would also apply #13391 just in case.

@dev-101 commented on September 21st 2018

No, all other plugins are part of the Core, some of them are not active by default (Device Detector comes to mind, maybe that has changed and it's active now by default), so that's it (58 46 plugins active, 12 inactive). I've applied that patch now and will keep monitoring, thanks!

(still planning re-installation mentioned above, but if I can avoid it, it will be great)

@diosmosis commented on September 21st 2018 Member

I'm not sure re-installing would help here, I would suggest trying a fresh install on the same server (alongside the existing install) and seeing if it experiences the same issue. If so, then you'll know that re-installing won't solve the problem.

@dev-101 commented on September 21st 2018

Will try both options, thank you!

@dev-101 commented on October 5th 2018

I can confirm that the situation has stabilized after applying the above patch by @diosmosis.
Thank you!

@diosmosis commented on October 5th 2018 Member

fyi @mattab the original issue is here: https://github.com/matomo-org/matomo/issues/13327#issuecomment-414875634 and is a request to change "remember me" behavior.

@mattab commented on October 7th 2018 Member

@diosmosis could you please confirm the current behavior of Remember me feature:

  1. does it create the cookie for 2 weeks from the initial login time, even when multiple logins?
  2. or does it re-create the cookie (with 2 weeks expiry) each time someone logs in?

@dev-101 commented on October 7th 2018

I have some new information: yesterday I used the 'clear storage' option in Chrome > DevTools, and ever since that operation Matomo kept forgetting me on every browser restart. I tried it multiple times, it was repeatable, regardless of the 'remember me' checkbox being checked every single time.

Then, today, finally out of ideas, I logged-in, then clicked on 'Exit' icon in Matomo, logged-in again, and that's how I finally got it to remember me.

During entire episode, I wasn't logged out from other devices, that part was OK. Nothing was changed in the environment, either.

@diosmosis commented on October 7th 2018 Member

@mattab If a user logs in w/ remember me, the expiration time does not change on each authenticated HTTP request. If a logged in user goes to the login screen manually (by typing in ?module=Login&action=index) and logs in again, the expiration time will change.

@dev-101 If you clear the cookies, the session won't persist since the session cookie will disappear.

@mattab commented on October 8th 2018 Member

I think it would be better if we automatically postpone by two weeks each time a remember-me user browses the UI, what do you think? @tsteur @diosmosis

@tsteur commented on October 8th 2018 Member

> I think it would be better if we automatically postpone by two weeks each time a remember-me user browses the UI, what do you think? @tsteur @diosmosis

👍 by two weeks, or four weeks or so. It shouldn't log me out after two weeks even when I used the product yesterday.
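
As an added example (not Matomo's own code and not code from anyone in this thread), the PHP sketch below contrasts the two expiry policies discussed here: expiry anchored at login time, as @diosmosis describes for 3.6, and the sliding window @mattab proposes. It also ties them to the `login_cookie_expire` option shown earlier and to the `session.gc_maxlifetime` ini_set() that keeps server-side session GC from outliving the cookie. It assumes PHP 8.1 or later; `Policy`, `RememberMeSession`, `refreshSession`, the cookie options and all timestamps are hypothetical or constructed.

```php
<?php
declare(strict_types=1);

// Added example, not Matomo's code. Assumes PHP 8.1+ (enums, readonly properties).
// `login_cookie_expire` and `session.gc_maxlifetime` are the real settings named in
// the thread; every class, function and value below is hypothetical or constructed.

// Constructed config fragment in the same shape as the thread's config.ini.php.
const SAMPLE_INI = <<<'INI'
[General]
login_cookie_expire = 2592000
INI;

// Two weeks: the default lifetime the thread reports (used only as a fallback here).
const FALLBACK_LIFETIME = 14 * 86400;

function loginCookieExpireSeconds(string $ini): int
{
    $cfg = parse_ini_string($ini, true, INI_SCANNER_TYPED);
    return (int) ($cfg['General']['login_cookie_expire'] ?? FALLBACK_LIFETIME);
}

enum Policy
{
    case FixedFromLogin;  // what the thread says 3.6 does: expiry anchored at login time
    case SlidingIdle;     // what @mattab proposes: expiry moves forward on each UI request
}

final class RememberMeSession
{
    public function __construct(
        public readonly int $createdAt,   // unix time of the login
        public int $lastSeenAt,           // unix time of the last authenticated request
        public int $cookieIssuedAt,       // unix time the Set-Cookie header was last sent
    ) {}
}

function expiresAt(RememberMeSession $s, Policy $p, int $lifetime): int
{
    return match ($p) {
        Policy::FixedFromLogin => $s->createdAt + $lifetime,
        Policy::SlidingIdle    => $s->lastSeenAt + $lifetime,
    };
}

function isValid(RememberMeSession $s, Policy $p, int $lifetime, int $now): bool
{
    return $now < expiresAt($s, $p, $lifetime);
}

// Server-side GC must not delete the session file before the cookie expires, or the
// user is logged out "at regular intervals" as the thread describes; the thread says
// Matomo performs the same ini_set().
function alignServerGc(int $lifetime): void
{
    ini_set('session.gc_maxlifetime', (string) $lifetime);
}

// Called on every authenticated request. Returns setcookie() options when the cookie
// should be re-issued, or null when no Set-Cookie is needed on this request. Under the
// sliding policy the cookie is refreshed only once at least 10% of the window has
// elapsed, so the browser-side expiry lags the server-side one by at most that much.
function refreshSession(RememberMeSession $s, Policy $p, int $lifetime, int $now): ?array
{
    if (!isValid($s, $p, $lifetime, $now)) {
        throw new RuntimeException('session expired; re-authenticate');
    }
    $s->lastSeenAt = $now;
    if ($p !== Policy::SlidingIdle || ($now - $s->cookieIssuedAt) < intdiv($lifetime, 10)) {
        return null;
    }
    $s->cookieIssuedAt = $now;
    return [
        'expires'  => $now + $lifetime,
        'path'     => '/',
        'secure'   => true,   // only sent over HTTPS
        'httponly' => true,   // not readable from script, limits theft via XSS
        'samesite' => 'Lax',
    ];
}

// Demo with constructed timestamps: login on day 0, last request on day 13, a check on
// day 15, using the two-week lifetime reported in the thread.
$day = 86400;
$lifetime = FALLBACK_LIFETIME;
alignServerGc($lifetime);
printf("lifetime configured in the sample INI: %d s\n", loginCookieExpireSeconds(SAMPLE_INI));
$s = new RememberMeSession(createdAt: 0, lastSeenAt: 13 * $day, cookieIssuedAt: 0);
foreach (Policy::cases() as $p) {
    printf("%-15s valid on day 15: %s\n", $p->name, isValid($s, $p, $lifetime, 15 * $day) ? 'yes' : 'no');
}
// Under the sliding policy the request on day 13 would already have re-issued the cookie.
$s13 = new RememberMeSession(createdAt: 0, lastSeenAt: 12 * $day, cookieIssuedAt: 0);
$cookie = refreshSession($s13, Policy::SlidingIdle, $lifetime, 13 * $day);
printf("cookie re-issued on day 13, new expiry on day %d\n", intdiv($cookie['expires'], $day));
```

In the demo the fixed policy reports the day-15 session as expired although it was used on day 13, which is exactly the complaint that opened this issue, while the sliding policy keeps it alive. The returned options array is meant to be passed straight to setcookie(); it is returned rather than sent so the script runs from the command line.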

@diosmosis commented on October 8th 2018 Member

Will give it a shot, not sure how easy it will be to do.

@dev-101 commented on October 8th 2018

> @dev-101 If you clear the cookies, the session won't persist since the session cookie will disappear.

Yes, but I did that only once, and every next browser (re)start with fresh login should keep the new session?

Today I repeated the experiment, and it behaves exactly the same. Why does clearing site data break 'remember me' functionality until I "exit" from Matomo and sign in again? It doesn't make any sense to me :(

Point is, 'remember me' checkbox doesn't work in that case.

@diosmosis commented on October 8th 2018 Member

@dev-101 I'm not exactly sure I understand what you mean, but it sounds odd. Given this is something that affects one if they use the dev tools, I don't think it will be something that will be worked on immediately. Can you create a new issue for it?

@dev-101 commented on October 8th 2018

  1. Login to Matomo (in all instances 'remember me' option is checked w/o explicit notice)
  2. Chrome > F12 > Application > clear storage
  3. Close Chrome
  4. Open Chrome
  5. Try to access Matomo web page (any)
  6. You will be asked to login again, do as step 1
  7. Close Chrome
  8. Open Chrome
  9. At this point, we are looping ourselves in steps 5-8 every time we finish Chrome session; Matomo will forget us, despite 'remember me' option being set again and again (every time as noted in 1).

If you do not find this at least intriguing, then I am OK with it, too :)
Since this is directly related to 'remember me' feature, I don't think new issue is necessary.

Regards

@diosmosis commented on October 8th 2018 Member

It's certainly intriguing, but I might not have time to look into it before 3.6.1 is released.

@dev-101 commented on October 8th 2018

No problem, that's ok with me, I'm in no hurry, as after applying your patch above things did get back to normal. I just wish to help you get to the bottom of this, and provide you with hopefully useful findings during that process.

@diosmosis commented on October 9th 2018 Member

No worries @dev-101, thanks for going through the trouble of testing!

This Issue was closed on November 4th 2018