Hi, we have an issue where one admin account gets auto logged out when the page is idle for 15 seconds or so.
For example, I try to create a lead, in the time it takes to complete the fields, you click submit and the page says “You have been logged out because your session has expired.”
We have two admin accounts on our SuiteCRM and it seems that one does it more often than the other but it is a constant problem for both. Does anyone know how I can fix this?
Many thanks for your help.
pgr
18 June 2021 13:11
#2
You can start by checking if your server disk is full.
Then go in SuiteCRM, Admin / Diagnostics / phpinfo, and find out your session.save_path directory.
Then check if that directory is either
- non-existent
- full of thousands of files
- non-writable
Hi, Thanks for your message and sorry for delayed response.
If by server disk you mean web server, I am sure it is not full.
I tried going to your location detailed above but I am not sure what to do. Can you please provide a more in-depth explanation?
Please see screenshots below of where I went into:
pgr
30 June 2021 11:17
#4
Unselect all those check boxes except the one saying Output from phpinfo.
Click the button to download the zip, unzip it, then open the resulting HTML file in a browser, and check what it says about session.save_path.
Find that directory on your server and examine it.
Thanks for the prompt reply.
There are two columns showing file location - would this be the local value?
Local Value= sessions/
Master Value= /opt/alt/php72/var/lib/php/session
If it is the following sessions/ folder, I have 4 files in there which I have downloaded… but I am not sure what to do now.
Further so, my web host suggested to try the following:
Admin>System Settings>Advanced>Validate user IP address: TURN OFF
And it seems to have resolved the issue for now… it doesn’t seem to be logging out constantly.
Would you say this is a practical solution for the above?
pgr
30 June 2021 17:40
#8
If that workaround solves it, then I would say your problem is not related to session.save_path.
Check your values in config.php:
make sure they match your actual site address. I am not sure if this is related to that option you changed, but I am guessing it might…
I have checked the config.php and the details you mentioned are as follows:
'db_host_name' => 'localhost',
'site_url' => THIS IS SHOWING THE CORRECT URL BUT I HAVE NOT POSTED FOR CONFIDENTIAL PURPOSES
“I am not sure if this is related to that option you changed, but I am guessing it might…”
Do you mean the option I changed may have fixed this in the config.php?
After further testing, I do not get logged out after changing this setting:
Admin>System Settings>Advanced>Validate user IP address: TURN OFF
pgr
1 July 2021 10:46
#10
Note that db_host_name is not the same key as host_name.
Your work-around setting is used here:
```php
        }
        unset($_SESSION['factor_message']);
    }
    return $factorMessage;
}

/**
 * Make sure a user isn't stealing sessions so check the ip to ensure that the ip address hasn't dramatically changed
 *
 */
public function validateIP()
{
    global $sugar_config;
    // grab client ip address
    $clientIP = query_client_ip();
    $classCheck = 0;
    // check to see if config entry is present, if not, verify client ip
    if (!isset($sugar_config['verify_client_ip']) || $sugar_config['verify_client_ip'] == true) {
        // check to see if we've got a current ip address in $_SESSION
        // and check to see if the session has been hijacked by a foreign ip
        if (isset($_SESSION["ipaddress"])) {
```
which calls this function
```php
    return $allowed;
}

function get_user_disallowed_modules($user_id, &$allowed)
{
    $role = BeanFactory::newBean('Roles');
    $disallowed = $role->query_user_disallowed_modules($user_id, $allowed);
    return $disallowed;
}

// grabs client ip address and returns its value
function query_client_ip()
{
    if (!empty($GLOBALS['sugar_config']['ip_variable']) && !empty($_SERVER[$GLOBALS['sugar_config']['ip_variable']])) {
        return $_SERVER[$GLOBALS['sugar_config']['ip_variable']];
    } elseif (isset($_SERVER['HTTP_CLIENT_IP'])) {
        return $_SERVER['HTTP_CLIENT_IP'];
    } elseif (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
        return $_SERVER['HTTP_X_FORWARDED_FOR'];
    } elseif (isset($_SERVER['HTTP_X_FORWARDED'])) {
        return $_SERVER['HTTP_X_FORWARDED'];
    } elseif (isset($_SERVER['HTTP_FORWARDED_FOR'])) {
```
Having seen that, I don’t think it is related to site_url or host_name. Sorry for misleading you.
Maybe that code can give you some clues about why you’re getting that error in the first place. But at this point I am running out of ideas.
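An added example, not part of the original posts and not SuiteCRM code: a diagnostic that replays the lookup order visible in the `query_client_ip()` excerpt over the requests of one session, to show which input makes the resolved address move, with and without `ip_variable` set. The function names `resolve_ip` and `find_ip_changes`, the `REMOTE_ADDR` fallback, the strict-equality comparison and the sample addresses are assumptions made for illustration.

```php
<?php
// Added example, not SuiteCRM code. resolve_ip() follows only the branches of
// query_client_ip() visible in the excerpt; REMOTE_ADDR as the last fallback
// is an assumption, because the excerpt is cut off before its end.
function resolve_ip(array $server, array $config): array
{
    $order = ['HTTP_CLIENT_IP', 'HTTP_X_FORWARDED_FOR', 'HTTP_X_FORWARDED',
              'HTTP_FORWARDED_FOR', 'REMOTE_ADDR'];
    if (!empty($config['ip_variable'])) {
        array_unshift($order, $config['ip_variable']); // configured key wins
    }
    foreach ($order as $key) {
        if (!empty($server[$key])) {
            return [$key, $server[$key]];
        }
    }
    return ['none', ''];
}

// List every request whose resolved address differs from the one recorded on
// the first request. Strict equality is a simplification: the comparison
// inside validateIP() is not shown in the excerpt.
function find_ip_changes(array $requests, array $config): array
{
    $changes = [];
    $loginIp = null;
    foreach ($requests as $i => $server) {
        [$source, $ip] = resolve_ip($server, $config);
        if ($loginIp === null) {
            $loginIp = $ip;
        } elseif ($ip !== $loginIp) {
            $changes[] = "request $i: $source changed $loginIp -> $ip";
        }
    }
    return $changes;
}

// Constructed sample (documentation-range addresses): one browser session in
// which the peer address is stable but X-Forwarded-For varies per request.
$requests = [
    ['REMOTE_ADDR' => '203.0.113.10', 'HTTP_X_FORWARDED_FOR' => '198.51.100.7'],
    ['REMOTE_ADDR' => '203.0.113.10', 'HTTP_X_FORWARDED_FOR' => '192.0.2.44'],
    ['REMOTE_ADDR' => '203.0.113.10', 'HTTP_X_FORWARDED_FOR' => '198.51.100.7, 192.0.2.44'],
];
foreach ([[], ['ip_variable' => 'REMOTE_ADDR']] as $config) {
    $label = $config['ip_variable'] ?? 'default header order';
    $changes = find_ip_changes($requests, $config);
    echo "$label: ", $changes ? implode('; ', $changes) : 'stable', PHP_EOL;
}
```

Setting `ip_variable` only helps if the chosen `$_SERVER` key is one the hosting setup populates itself; the forwarded headers in the default order are supplied by the client or by intermediaries.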
We are having no issues at all since doing the following setting:
Admin>System Settings>Advanced>Validate user IP address: TURN OFF
Since changing this setting, it always stays logged in.
Would you say this is a secure method and solution for my issue?
If so, I can’t see any reason to have to investigate any further and hopefully this helps some others that may encounter this issue in the future.
pgr
1 July 2021 14:48
#12
You’re turning off a security feature.
I’m not sure how risky this actually is in real life, I’m not a security expert…