“Remember me” doesn’t, very much #13327

Closed
chris-morgan opened this issue Aug 21, 2018 · 42 comments
Labels
Bug For errors / faults / flaws / inconsistencies etc.

@chris-morgan

I expect “Remember Me” to keep my session alive at the very least until I have not used it for thirty days.

Instead, it looks like it produces a cookie which dies after two weeks? That’s super annoying.

Please let me stay logged in either indefinitely or at least until I haven’t used it for a month.

@chris-morgan
Author

Also, “Remember Me” should be checked by default. It’s what almost everyone wants. (Increasingly, services are even omitting the checkbox altogether and not offering expire-at-end-of-browser-session cookies.)

@diosmosis
Member

You can customize the amount of time the session is kept alive by setting the login_cookie_expire INI config option in config.ini.php, e.g.:

; for 30 days
[General]
login_cookie_expire = 2592000

; forever (technically not, cookies have to expire, so setting it to 10 years)
[General]
login_cookie_expire = 315360000

@chris-morgan
Author

chris-morgan commented Aug 22, 2018

Is login_cookie_expire = 2592000 going to keep it alive for up to thirty days from login time, or from session-last-used time?

I expect “remember me” on a site to keep a session that I continue to use alive indefinitely. A session that I don’t use for a while, I’ll grudgingly allow it to expire.

I suggest that the defaults should be increased, and Remember Me checked by default.

@diosmosis
Member

From the login time.

@dev-101

dev-101 commented Sep 19, 2018

Ever since upgrading to 3.6.0 Matomo keeps forgetting me on a daily basis, both on phone and PC.
It is really annoying, to say the least.

I see there were changes related to sessions / login, so this might be the cause of the issue.

@diosmosis
Member

@dev-101 Forgetting you after a day, after you close and re-open your browser or randomly while using the same browser?

@dev-101

dev-101 commented Sep 19, 2018

Believe it or not, it happens sometimes during the same browser session. I am still puzzled why.

@diosmosis
Member

@dev-101 Odd, the new session code will log you out if there is a change in user agent, but of course that won't happen w/ the same browser (only if someone steals your session cookie and tries to use it in another browser). It's possible your server is deleting the session through session GC, but I can't see why it would happen otherwise. (Note: Matomo will use ini_set() to set session.gc_maxlifetime to the login cookie expire time).

@dev-101

dev-101 commented Sep 19, 2018

On the same setup I run WordPress and no issues. I do use UA extension, but it is disabled by default, I'll verify later.

@diosmosis
Member

diosmosis commented Sep 19, 2018

AFAIK WordPress doesn't use a real session, it uses cookies. (Though I'm no WordPress expert, so...)

@tsteur
Member

tsteur commented Sep 19, 2018

I would say we can likely also remove the user agent comparison as it doesn't provide too much value in terms of security. Browsers are now updated to the latest version regularly and it doesn't take too much effort to "guess" the browser version. Also if an attacker gets the session id through XSS an attacker can easily get the user agent too. If the session id is stolen through HTTP sniffing, then the user agent will be available too (not through HTTPS though). It does provide little additional security, but not too much.

@dev-101

dev-101 commented Sep 19, 2018

Everything was fine in 3.5.1.
But the server received regular maintenance, etc. Not sure how much of it affects this.

Does Matomo have debug mode?

@diosmosis
Member

In 3.5.1 a cookie was used, but this was deemed insecure.

You can enable debug logging (see https://matomo.org/faq/troubleshooting/faq_115/), but I don't think that will give you any new information in this case. If you are being booted out at regular intervals (eg, say you find it's always 1 hour after you login that you're booted out), then it's probably session.gc_maxlifetime deleting the session (which would mean the ini_set() in Matomo isn't working on your system).
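
The comment above points at session.gc_maxlifetime as a likely cause when log-outs happen at fixed intervals. The script below is an added diagnostic, not Matomo's code, that checks whether PHP on the server actually accepts the runtime override and reports the garbage-collection settings involved; sessionGcReport() is an illustrative name and the two-week value is a constructed input.

```php
<?php
// Added diagnostic, not Matomo's code: checks whether a script can raise session.gc_maxlifetime
// with ini_set() the way Matomo does, and reports the settings that decide when PHP deletes
// session files. sessionGcReport() is an illustrative name; the argument mirrors login_cookie_expire.

function sessionGcReport(int $loginCookieExpire): array
{
    // ini_set() returns false when the directive is locked (e.g. php_admin_value in the web server).
    $accepted  = ini_set('session.gc_maxlifetime', (string) $loginCookieExpire) !== false;
    $effective = (int) ini_get('session.gc_maxlifetime');

    $savePath = session_save_path() ?: sys_get_temp_dir();
    if (($pos = strrpos($savePath, ';')) !== false) {
        $savePath = substr($savePath, $pos + 1); // strip the "N;" depth prefix of the "N;/path" form
    }

    return [
        'ini_set_accepted'   => $accepted && $effective === $loginCookieExpire,
        'gc_maxlifetime'     => $effective,
        'gc_probability'     => ini_get('session.gc_probability') . '/' . ini_get('session.gc_divisor'),
        'save_path'          => $savePath,
        'save_path_writable' => is_writable($savePath),
    ];
}

// Two weeks in seconds, the lifetime the thread discusses (constructed input, not read from config).
$report = sessionGcReport(1209600);
foreach ($report as $key => $value) {
    printf("%-20s %s\n", $key, is_bool($value) ? ($value ? 'yes' : 'no') : $value);
}
if (!$report['ini_set_accepted']) {
    echo "gc_maxlifetime stays below the login cookie lifetime: GC may delete live sessions.\n";
}
```

On Debian and Ubuntu packaged PHP, session files in the default save path are reaped by a cron job that reads the php.ini value rather than anything set at runtime, so an ini_set() in the application does not affect that reaper and the directive has to be raised in php.ini or the pool configuration.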

@dev-101

dev-101 commented Sep 19, 2018

There are dozens of session files in piwik session dir, I doubt I'm being logged out because they are missing. Something else is going on here in my opinion.

Can frequent IP changes now cause this? I'm on the move, plus I'm behind NAT at home. That's my suspect no. 1.

@diosmosis
Member

There was originally an IP check in the PR that moved to real sessions, but this was moved specifically to avoid this problem.

@dev-101

dev-101 commented Sep 19, 2018

"moved" as in removed?

@diosmosis
Member

diosmosis commented Sep 19, 2018

Yes, "removed", mistyped. Sorry for the confusion.

@dev-101

dev-101 commented Sep 19, 2018

I'll reinstall 360 from scratch and see if that'll help fix weird stuff going on since the update.

@dev-101

dev-101 commented Sep 21, 2018

Another fun fact: toggling Android Chrome's "request desktop site" switch back and forth logs you out immediately and requests another login.

Now, security aside, how do big companies like Google handle the log-in procedure? I am virtually never logged out. Yet, I doubt they have an insecure login.

@diosmosis
Member

The request desktop site log out is likely due to the user agent check (which I'll remove). The other random log outs you're experiencing are due to something else.

Pretty sure Google uses server backed sessions, but these sessions are not on your server, so of course whatever issue is affecting you would not affect your Google sessions. Perhaps you can record the session ID before & after you randomly get logged out, and see if the files for those sessions still exist (as well as see what's in them)? Might be a long shot but you can also try applying this PR: #13391 . Would only affect you if something on your Matomo is regularly changing your user info.

@dev-101

dev-101 commented Sep 21, 2018

Does Matomo still use the same logic (cookie) for the "ignore visits" functionality? (I don't really closely follow Matomo development, sorry).

I have coded a simple plugin to keep my ignore cookie auto set every time I log in to Piwik/Matomo:
https://tehnoblog.org/piwik-analytics-auto-set-ignore-visits-cookie-plugin/

Could it now be the cause of this trouble?

@diosmosis
Member

Yes, the cookie based "ignore visits" functionality shouldn't have changed. No that plugin shouldn't be causing this... Are you using any other plugins? You could try deactivating them and seeing if it has an effect. I would also apply #13391 just in case.

@dev-101

dev-101 commented Sep 21, 2018

No, all other plugins are part of the Core, some of them are not active by default (Device Detector comes to mind, maybe that has changed and it's active now by default), so that's it (~~58~~ 46 plugins active, 12 inactive). I've applied that patch now and will keep monitoring, thanks!

(still planning re-installation mentioned above, but if I can avoid it, it will be great)

@diosmosis
Member

I'm not sure re-installing would help here, I would suggest trying a fresh install on the same server (alongside the existing install) and seeing if it experiences the same issue. If so, then you'll know that re-installing won't solve the problem.

@dev-101

dev-101 commented Sep 21, 2018

Will try both options, thank you!

@mattab mattab added this to the 3.6.1 milestone Sep 25, 2018
@dev-101

dev-101 commented Oct 5, 2018

I can confirm that the situation has stabilized after applying the above patch by @diosmosis.
Thank you!

@diosmosis
Member

fyi @mattab the original issue is here: #13327 (comment) and is a request to change "remember me" behavior.

@mattab
Member

mattab commented Oct 7, 2018

@diosmosis could you please confirm the current behavior of Remember me feature:

  1. does it create the cookie for 2 weeks from the initial login time, even when multiple logins?
  2. or does it re-create the cookie (with 2 weeks expiry) each time someone logs in?

@dev-101

dev-101 commented Oct 7, 2018

I have some new information: yesterday I used 'clear storage' option in Chrome > DevTools, and ever since that operation Matomo kept forgetting me on every browser restart. I tried it multiple times, it was repeatable, regardless of 'remember me' checkbox being checked every single time.

Then, today, finally out of ideas, I logged in, then clicked on the 'Exit' icon in Matomo, logged in again, and that's how I finally got it to remember me.

During the entire episode, I wasn't logged out from other devices, that part was OK. Nothing was changed in the environment, either.

@diosmosis
Member

@mattab If a user logs in w/ remember me, the expiration time does not change on each authenticated HTTP request. If a logged in user goes to the login screen manually (by typing in ?module=Login&action=index) and logs in again, the expiration time will change.

@dev-101 If you clear the cookies, the session won't persist since the session cookie will disappear.

@mattab
Member

mattab commented Oct 8, 2018

I think it would be better if we automatically postpone by two weeks each time a remember-me user browses the UI, what do you think? @tsteur @diosmosis

@tsteur
Member

tsteur commented Oct 8, 2018

> I think it would be better if we automatically postpone by two weeks each time a remember-me user browses the UI, what do you think? @tsteur @diosmosis

👍 by two weeks, or four weeks or so. It shouldn't log me out after two weeks even when I used the product yesterday.
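
The proposal above (postpone the expiry each time a remember-me user browses the UI) is a sliding expiration. The following is an added example, not Matomo's code: it slides the expiry forward on activity but also caps the session at an absolute lifetime from the original login, so an extended session can never become permanent; SessionPolicy, touch() and the timestamps are illustrative.

```php
<?php
// Added example, not Matomo's code: a "remember me" session whose expiry slides forward
// with use, capped by an absolute lifetime. SessionPolicy and touch() are illustrative names.

final class SessionPolicy
{
    public function __construct(
        private int $slidingWindow = 14 * 86400,  // extend by two weeks on activity (login_cookie_expire)
        private int $absoluteMax   = 365 * 86400, // hard cap from the original login, however active
        private int $refreshEvery  = 3600,        // rewrite the cookie at most hourly, not on every request
    ) {}

    /**
     * $state holds the session's 'created', 'expires' and 'refreshed' Unix timestamps.
     * Returns the updated state, or null when the session must be discarded.
     */
    public function touch(array $state, int $now): ?array
    {
        if ($now >= $state['expires']) {
            return null; // idle longer than the sliding window
        }
        if ($now - $state['created'] >= $this->absoluteMax) {
            return null; // too old in absolute terms: a leaked cookie must not live forever
        }
        if ($now - $state['refreshed'] < $this->refreshEvery) {
            return $state; // refreshed recently, skip the Set-Cookie and session write
        }
        $state['expires']   = min($now + $this->slidingWindow, $state['created'] + $this->absoluteMax);
        $state['refreshed'] = $now;
        return $state;
    }
}

// Constructed walkthrough (asserts need zend.assertions=1): login on day 0, use on days 10 and 20.
$policy = new SessionPolicy();
$login  = 1600000000;
$day    = 86400;
$state  = ['created' => $login, 'expires' => $login + 14 * $day, 'refreshed' => $login];

$state = $policy->touch($state, $login + 10 * $day); // day 10: expiry slides from day 14 to day 24
assert($state['expires'] === $login + 24 * $day);

$state = $policy->touch($state, $login + 20 * $day); // day 20: alive, unlike a fixed-from-login cookie
assert($state['expires'] === $login + 34 * $day);

assert($policy->touch($state, $login + 40 * $day) === null); // day 40: idle 20 days, discarded
```

The hourly refresh throttle keeps the cookie from being rewritten on every request, and the absolute cap is what forces re-authentication for a session that is kept alive only by a stolen cookie.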

@diosmosis
Member

Will give it a shot, not sure how easy it will be to do.

@dev-101

dev-101 commented Oct 8, 2018

> @dev-101 If you clear the cookies, the session won't persist since the session cookie will disappear.

Yes, but I did that only once, and every next browser (re)start with fresh login should keep the new session?

Today I repeated the experiment, and it behaves exactly the same. Why does clearing site data break the 'remember me' functionality until I "exit" from Matomo and sign in again? It doesn't make any sense to me :(

Point is, 'remember me' checkbox doesn't work in that case.

@diosmosis
Member

@dev-101 I'm not exactly sure I understand what you mean, but it sounds odd. Given this is something that affects one if they use the dev tools, I don't think it will be something that will be worked on immediately. Can you create a new issue for it?

@dev-101

dev-101 commented Oct 8, 2018

  1. Login to Matomo (in all instances 'remember me' option is checked w/o explicit notice)
  2. Chrome > F12 > Application > clear storage
  3. Close Chrome
  4. Open Chrome
  5. Try to access Matomo web page (any)
  6. You will be asked to login again, do as step 1
  7. Close Chrome
  8. Open Chrome
  9. At this point, we are looping ourselves in steps 5-8 every time we finish Chrome session; Matomo will forget us, despite 'remember me' option being set again and again (every time as noted in 1).

If you do not find this at least intriguing, then I am OK with it, too :)
Since this is directly related to the 'remember me' feature, I don't think a new issue is necessary.

Regards

@diosmosis
Member

It's certainly intriguing, but I might not have time to look into it before 3.6.1 is released.

@dev-101

dev-101 commented Oct 8, 2018

No problem, that's ok with me, I'm in no hurry, as after applying your patch above things did get back to normal. I just wish to help you get to the bottom of this, and provide you with hopefully useful findings during that process.

@mattab mattab added the Bug For errors / faults / flaws / inconsistencies etc. label Oct 8, 2018
@mattab mattab modified the milestones: 3.6.1, 3.7.0 Oct 8, 2018
@diosmosis
Member

No worries @dev-101, thanks for going through the trouble of testing!

@simonschaufi
Contributor

simonschaufi commented May 2, 2020

I would like to bring the comment up again from @chris-morgan

> I suggest that the defaults should be increased

I also wish the default to be higher than 2 weeks. When I check the checkbox on other applications, like Google, Facebook and so on, I will stay logged in for 1 year. I would also suggest raising the default timeout to 1 year. If you don't want to stay logged in for a longer time then don't check the checkbox and you will be logged in until the browser gets closed. For me this issue is the most annoying thing when I need to login over and over again even if I really want to stay logged in.

PS: Yes, I don't check the stats every 2 weeks to continue the session life time...

@andrelung

Sorry for resurrecting, but I am experiencing pretty much the same behaviour with my instance.
@dev-101 did it work in the end? And does it work now on your side?

@heurteph-ei

Hi @andrelung
Have a look at #14075...
