Auto log out of SuiteCRM

jpeterson · 18 June 2021 12:43

Hi, We have an issue where one admin accounts get auto logged out when the page is idle for 15 seconds or so.
For example, I try to create a lead, in the time it takes to complete the fields, you click submit and the page says “You have been logged out because your session has expired.”

We have two admin accounts on our SuiteCRM and it seems that one does it more often than the other but it is a constant problem for both. Does anyone know how I can fix this?

Many thanks for your help.

pgr · 18 June 2021 13:11

You can start by checking if your server disk is full.

Then go in SuiteCRM, Admin / Diagnostics / phpinfo, and find out your session.save_path directory.

Then check if that directory is either

non-existent
full of thousands of files
non-writable

jpeterson · 30 June 2021 10:59

Hi, Thanks for your message and sorry for delayed response.

If by server disk you mean web server, I am sure it is not full.

I tried going to your location detailed above but I am not sure what to do. Can you please provide a more indepth explanation?

Please see screenshots below of where I went into:

pgr · 30 June 2021 11:17

Unselect all those check boxes except the one saying Output from phpinfo.

Click the button to download the zip, unzip it, then open the resulting HTML file in a browser, and check what it says about session.save_path

Find that directory on your server and examine it.

jpeterson · 30 June 2021 11:38

Thanks for the prompt reply.

There are two columns showing file location - would this be the local value?

Local Value= sessions/
Master Value= /opt/alt/php72/var/lib/php/session

jpeterson · 30 June 2021 12:03

If it is the following sessions/ folder I have 4 files in there which i have downloaded… but i am not sure what to do now.

jpeterson · 30 June 2021 12:44

Further so, my web host suggested to try the following:

Admin>System Settings>Advanced>Validate user IP address: TURN OFF

And it seems to have resolved the issue for now… it doesn’t seem to be logging out constantly.

Would you say this is a practical solution for the above?

pgr · 30 June 2021 17:40

If that workaround solves it, then I would say your problem is not related to session.save_path.

Check your values in config.php:

host_name
site_url

make sure they match your actual site address. I am not sure if this is related to that option you changed, but I am guessing it might…

jpeterson · 30 June 2021 18:58

I have checked the config.php and the details you mentioned are as follows:

'db_host_name' => 'localhost',

‘site_url’ => THIS IS SHOWING THE CORRECT URL BUT I HAVE NOT POSTED FOR CONFIDENTIAL PURPOSES

“I am not sure if this is related to that option you changed, but I am guessing it might…”
Do you mean the option I changed may have fixed this in the config.php?

After further testing, i do not get logged out after changing this setting:
Admin>System Settings>Advanced>Validate user IP address: TURN OFF

pgr · 1 July 2021 10:46

Note that db_host_name is not the same key as host_name.

Your work-around setting is used here:

github.com

salesagility/SuiteCRM/blob/d57e91389d97791fe621d811f03fe05f8f5a7f78/modules/Users/authentication/SugarAuthenticate/SugarAuthenticate.php#L376


        }
        unset($_SESSION['factor_message']);
    }
    return $factorMessage;
}
/**
 * Make sure a user isn't stealing sessions so check the ip to ensure that the ip address hasn't dramatically changed
 *
 */
public function validateIP()
{
    global $sugar_config;
    // grab client ip address
    $clientIP = query_client_ip();
    $classCheck = 0;
    // check to see if config entry is present, if not, verify client ip
    if (!isset($sugar_config['verify_client_ip']) || $sugar_config['verify_client_ip'] == true) {
        // check to see if we've got a current ip address in $_SESSION
        // and check to see if the session has been hijacked by a foreign ip
        if (isset($_SESSION["ipaddress"])) {

which calls this function

github.com

salesagility/SuiteCRM/blob/d57e91389d97791fe621d811f03fe05f8f5a7f78/include/utils/security_utils.php#L102


    return $allowed;
}
function get_user_disallowed_modules($user_id, &$allowed)
{
    $role = BeanFactory::newBean('Roles');
    $disallowed = $role->query_user_disallowed_modules($user_id, $allowed);
    return $disallowed;
}
// grabs client ip address and returns its value
function query_client_ip()
{
    if (!empty($GLOBALS['sugar_config']['ip_variable']) && !empty($_SERVER[$GLOBALS['sugar_config']['ip_variable']])) {
        return $_SERVER[$GLOBALS['sugar_config']['ip_variable']];
    } elseif (isset($_SERVER['HTTP_CLIENT_IP'])) {
        return $_SERVER['HTTP_CLIENT_IP'];
    } elseif (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
        return $_SERVER['HTTP_X_FORWARDED_FOR'];
    } elseif (isset($_SERVER['HTTP_X_FORWARDED'])) {
        return $_SERVER['HTTP_X_FORWARDED'];
    } elseif (isset($_SERVER['HTTP_FORWARDED_FOR'])) {

Having seen that, I don’t think it is related to site_url or host_name. Sorry for misleading you.

Maybe that code can give you some clues about why you’re getting that error in the first place. But at this point I am running out of ideas.

jpeterson · 1 July 2021 12:17

We are having no issues at all since doing the following setting:
Admin>System Settings>Advanced>Validate user IP address: TURN OFF

Since changing this setting, it always stays logged in.

Would you say this a secure method and solution for my issue?

If so, I can’t see any reason to have to investigate any further and hopefully this helps some others that may encounter this issue in the future.

pgr · 1 July 2021 14:48

You’re turning off a security feature.

I’m not sure how risky this actually is in real-life, I’m not a security expert…

RickfiregamesPT · 4 April 2025 10:33

Hey, it has been a long time but lemme still explain the Risks it can impose:
Session hijacking is now possible since CRM doesn’t validate the IP anymore,If your session cookies get stolen due to compromised network anyone in the World Wide Web can use them to authenticate, even if u Logout. A few weeks ago i made some trials about this to “pentest” the security and with this option ON even if i stole the session cookies it would log me out and clear it because i “suddenly” changed my location from Africa to China for example.
My recomendation would be to check the php settings on timeout but leave this feature on

IJLfinancial · 25 August 2025 15:15

Had the same issues as presented above.

Our quick fix was also:
Admin>System Settings>Advanced>Validate user IP address: TURN OFF

However, in the environment this CRM sits in it didn’t allow for us to keep the Validate user IP address OFF as a permanent fix.

After looking at logs the cause was a new install of Chrome where the user logged into their profile. When chrome brought over the existing cookies it would cause the system to log them out every 15 mins or so.

The FIX: Clear your cookies and log in. Test, if the logouts stop. Then turn back on Validate user IP address, as per the work @RickfiregamesPT noted. We were also able to verify his work. Cheers! Hope this helps someone.