Hi all
I'm using FEU on a website but am finding that the users aren't being logged out when they close the browser window... my reading of the help file suggests this should happen. If I close the browser window then open a new one and go back to my 'secure' page I can still access it.
I need to make this work as otherwise the content is not secure on shared computers - does anyone know how to fix this?
Using latest versions of FEU and CMSMS
Many thanks
FEU not logging out user on window close
-
- Forum Members
- Posts: 192
- Joined: Mon Nov 26, 2018 3:09 pm
Re: FEU not logging out user on window close
I haven't tested it, but it would likely need all instances of the browser (all tabs, all windows) to be closed - not just the tab in question.
Not getting the answer you need? CMSMS support options
Re: FEU not logging out user on window close
ok, just tested - same problems still even if closing all tabs/windows.
Also, I fully quit the browser - and reopened - am still logged in!
j
Re: FEU not logging out user on window close
Probably best to file a BR then - if you can recreate it consistently (and for sure aren't using the "remember me" functionality) then it may be a bug in FEU 3.x. A lot of people are sticking with FEU 2.x as it tends to be a lot more stable, so if it's a new site and not too late, that may be an option until 3.x improves or another option presents itself.
Re: FEU not logging out user on window close
I believe this is a feature of some browsers. They just don't remove session cookies for your 'convenience'.
In Chrome/Brave for example this is said to be caused by the 'Continue where you left off' setting. You may want to test that.
So you should realize that this feature exists and instruct users accordingly. In my opinion shared computers - especially sharing one account - are not safe by design.
Re: FEU not logging out user on window close
ok thanks - will look into that... though it is doing it on a couple of different browsers so not sure it's a browser setting
The remember me function is disabled via config setting so definitely isn't that
Re going back to version 2.x ... what are the implications here, will my page templates/code etc still work with v2, is all that I'm sacrificing the fact that I will just have to set up the users/groups again in FEU?
I'm not sure FEU is actively being supported at the moment as I submitted a bug report about another issue with this version too ...
Re: FEU not logging out user on window close
also, I've just looked in my browser dev tools at the cookies, I can see that a cookie gets set with an 8 hour expiry time
I can see other cookies for other functionality have the word 'session' instead of an expiry time ... so I'm thinking is FEU setting the right type of cookie? I don't really know how these things work so not sure! In the help file it states this:
"Otherwise, a session cookie is created which is deleted or expires when the user closes the browser or 8 hours has occurred. Whichever comes first."
Obviously the 8 hour part of that works, but not the 'session' part! Does anyone know if I can change the module's code to explicitly set it as a session cookie?
Re: FEU not logging out user on window close
I'm not sure how much work it would be to go back to 2.x, I imagine some template changes would be needed. Last we heard the developer was "taking a break" but still intended to be involved with cmsms.
You're certainly welcome to edit the code but it can be a bit of a dangerous path. Help won't be provided on the forum unless you fork the module first (and we don't provide code hacks because people will find them and use them out of context, then expect support).
You could try contacting the module developer to see if you can sponsor an update, or see if anyone is already working on a fork and offer them sponsorship.
Re: FEU not logging out user on window close
ok - thanks, I actually tried contacting the dev re the other bug and offering beers/coffees but no reply. This is assuming his cmsmadesimple.org email address is still active ...
If anyone would like to PM me with a solution that might involve code change it would be more than welcome!!
It's a little awkward as I've been championing CMSMS to clients for a while but getting to the point lately where things just aren't working as they should with some key modules... really don't want to have to switch to the dreaded WordPress! As primarily a designer rather than a coder, CMSMS has always been more intuitive for me.
Re: FEU not logging out user on window close
Nothing useful to add I'm afraid, but we're having a similar issue.
If a logged in user doesn't interact for long enough for the PHP session to close but not as long as the expiry time of the FEU cookie, then when they try to access the site again it throws a 502 error and they either have to clear their cookies or wait for the FEU cookie to expire.
We can mitigate this a bit by fiddling with the session lifetime in PHP ( session.gc_maxlifetime ) and the expiry value of the FEU cookie ( authtoken_expiry_hours in feu_settings.json) but it's not really a proper solution.
As Johnboyuk1 says, it should be setting a session cookie rather than a cookie with an 8 hour expiry time. Hacking the code to actually set a session cookie though just results in the user being instantly logged out so there's obviously more in-depth work to be done than I have time for at the moment.
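Added example, not part of the thread and not FEU code: a Python check that classifies Set-Cookie headers the way the dev-tools observation in this thread does (an Expires or Max-Age attribute makes a cookie persistent, neither makes it a session cookie) and flags a cookie that outlives the server-side session, the mismatch described in the last post. The cookie names and values are constructed, and 1440 seconds is PHP's default session.gc_maxlifetime, assumed here rather than taken from the thread.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

PHP_DEFAULT_GC_MAXLIFETIME = 1440  # seconds; assumed, approximates server session life

# Constructed sample headers (hypothetical names): an auth token with an
# 8 hour expiry, as seen in the thread, and a cookie with no expiry at all.
NOW = datetime(2025, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE = [
    "example_authtoken=abc123; Expires=Wed, 01 Jan 2025 20:00:00 GMT; Path=/; HttpOnly",
    "example_session=def456; Path=/; HttpOnly",
]

def cookie_lifetime(set_cookie, now):
    """Return (name, seconds until expiry); seconds is None for a session cookie."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    max_age = expires = None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "max-age":
            max_age = int(val)
        elif key == "expires":
            expires = parsedate_to_datetime(val.strip())
    if max_age is not None:          # Max-Age wins over Expires (RFC 6265)
        return name, max_age
    if expires is not None:
        return name, int((expires - now).total_seconds())
    return name, None

def audit(headers, now, server_session_seconds):
    """Classify each cookie and note when it outlives the server session."""
    findings = []
    for header in headers:
        name, life = cookie_lifetime(header, now)
        if life is None:
            kind = "session"
            note = "dropped on browser exit unless the browser restores sessions"
        else:
            kind = "persistent"
            note = "survives browser exit until it expires in %ds" % life
            if life > server_session_seconds:
                note += "; outlives the server session by %ds" % (life - server_session_seconds)
        findings.append((name, kind, life, note))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE, NOW, PHP_DEFAULT_GC_MAXLIFETIME):
        print(finding)
```

Because a browser set to restore the previous session can keep even a session cookie, logout on a shared computer has to be enforced by the server-side expiry, not by the cookie type alone.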