How/where can I extend the session length?

Posted: Fri Feb 03, 2006 4:08 pm
by jelle
A thing that has bitten me quite a few times already is that the session had expired while I was busy editing a page (or walked away while editing to do other things). Especially when you are editing bigger text this will happen once in a while. If you log in after that, the page you were editing is blank (might be a bug?). Hitting the back button does not help either (at least in Firefox), as it will try to reload the page, nixing the edits you have made since the last save.

This happens with cmsmadesimple 0.11.2 on Debian Linux, with a firefox 1.0.7 browser and no FSCKeditor.   

Re: How/where can I extend the session length?

Posted: Fri Feb 03, 2006 6:51 pm
by kermit
well, what I do with larger content entries, regardless of the cms package used, is use a separate editor and then paste the content into the textarea or editor of the cms. i actually gather/type all the content separately on new deployments.. so much easier having the tools of a regular editor available, and i can pass copies of content off to the site owners for approval before getting added (or they provide it all to me digitally in the first place).

Re: How/where can I extend the session length?

Posted: Fri Feb 03, 2006 10:57 pm
by jelle
That is true, a true editor is so much nicer. But the downside is that you'll end up with content in two places: in your editor and in your cms. But it does not solve the problem of expiring sessions. If you want a simple thing you cannot put a time limit on editing like that. Maybe some asynchronous javascript could keep the session alive while the page is still open? That might solve the problem of not knowing what is going on security wise.
If users need a security feature that locks access after a certain amount, it should be on the user's workstation, not IMHO in the simple program they use.

Re: How/where can I extend the session length?

Posted: Sat Feb 04, 2006 12:39 am
by kermit
having content in two places is no big deal, considering you only had to copy/paste to get it to the second place. the first is just your extra backup in case technology fails.

and about the timeouts.. i don't think i've ever had a session timeout on me. in fact, i've been logged into two different admin panels for the better part of 12 hours now, the last 5 have seen me not even here. yet i go back to them and i'm still logged in to both.  but then i also don't normally leave the panel open in an editor of some sort for an extended period of time.

perhaps this is the answer? if it's timing out on you after an hour (3600 seconds)..

admin/login.php:        setcookie('cms_admin_user_id', '', time() - 3600);
admin/login.php:        setcookie('cms_passhash', '', time() - 3600);

if that is the spot, maybe it could be changed to a config variable so that people could extend it easy enough without having to edit the core code.

Re: How/where can I extend the session length?

Posted: Sat Feb 04, 2006 2:12 am
by Ted
Actually, that section of code logs the user out.

Basically, when you login, a cookie with the user_id and a hash are created, and a session is created as well.  The cookie is a session cookie, meaning that it is killed when the browser is closed.

If the session times out, the system then looks for the cookie and reconstructs the session.  So, basically, the user should never be logged out unless the browser is closed or the logout button is pushed.

In other words, this is a bug if it's timing out in 20 min...

Re: How/where can I extend the session length?

Posted: Sat Feb 04, 2006 2:27 am
by kermit
silly me, i didn't see the - signs. :)

but the persistent session would explain why i never get timed out... it's actually kinda handy, but perhaps a configurable admin session length would be prudent for security?
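
The cookie-based session reconstruction Ted describes, combined with the configurable admin session length suggested above, as an added example that is not part of the thread and not CMSMS code. The cookie names come from the thread; the function names, the `$config` keys and the `issued.mac` layout of the hash cookie are assumptions made for illustration.

```php
<?php
// Added illustration, not CMSMS code. Function names, $config keys and the
// "issued.mac" layout of the hash cookie are assumptions made for this example.

function make_hash_cookie(int $userId, int $issued, string $secret): string {
    // MAC covers user id and issue time, so neither can be altered client-side.
    return $issued . '.' . hash_hmac('sha256', $userId . '|' . $issued, $secret);
}

// Returns the session data for this request, or null when a fresh login is required.
function restore_admin_session(array $session, array $cookies, array $config, int $now): ?array {
    if (isset($session['user_id'])) {
        return $session;                       // server-side session still alive
    }
    // Session expired on the server: try to rebuild it from the cookie pair.
    if (!isset($cookies['cms_admin_user_id'], $cookies['cms_passhash'])) {
        return null;
    }
    $userId = (int) $cookies['cms_admin_user_id'];
    $parts = explode('.', (string) $cookies['cms_passhash'], 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return null;                           // malformed cookie
    }
    $issued = (int) $parts[0];
    $expected = make_hash_cookie($userId, $issued, $config['secret']);
    if (!hash_equals($expected, (string) $cookies['cms_passhash'])) {
        return null;                           // forged or tampered (constant-time compare)
    }
    // Configurable admin session length; 0 keeps the "until browser closes" behaviour.
    if ($config['max_lifetime'] > 0 && $now - $issued > $config['max_lifetime']) {
        return null;
    }
    return ['user_id' => $userId, 'restored_at' => $now];
}

// Constructed sample data.
$config = ['secret' => 'constructed-demo-secret', 'max_lifetime' => 8 * 3600];
$now = 1139000000;
$fresh = ['cms_admin_user_id' => '7', 'cms_passhash' => make_hash_cookie(7, $now - 3600, $config['secret'])];
$stale = ['cms_admin_user_id' => '7', 'cms_passhash' => make_hash_cookie(7, $now - 12 * 3600, $config['secret'])];
$forged = ['cms_admin_user_id' => '1', 'cms_passhash' => $fresh['cms_passhash']];

foreach (['fresh' => $fresh, 'stale' => $stale, 'forged' => $forged] as $label => $cookies) {
    $result = restore_admin_session([], $cookies, $config, $now);
    echo $label, ': ', $result === null ? 'login required' : 'session restored', "\n";
}
```

Because the issue time is inside the MAC, the lifetime check still works after the server-side session data is gone, which is exactly the case where the cookie is consulted.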

Re: How/where can I extend the session length?

Posted: Sat Feb 04, 2006 10:13 am
by jelle
Well, I certainly am logged out, and it really is frustrating :(
I am not convinced yet it is a bug, but I would not mind logging another bug if that helps things.
I have certainly not closed the browser or pressed a logout button. It appears to function partially correct though, as after login I get the correct page, but without the values I submitted in the timed out session. Maybe adding the previous POST parameters as hidden input in the form (properly sanitized of course) will fix it?

Could it be related to me always having 3 different tabs with the admin section and frontpage open?  To reiterate: the browser I use for it is Firefox, as konqueror triggers a bug when submitting content. This all is on Debian Linux (testing).

Re: How/where can I extend the session length?

Posted: Sat Feb 04, 2006 12:00 pm
by jelle
No, cookies are alive and well. Just looked, and I have 4 from my cmsms domain: a CMSSESSIONID, cms_admin_user_id, cms_passhash and cms_language. Can it be that the passhash is not correct? That would explain something.

BTW, what platforms is cmsms being developed on? Am I pushing the envelope or are some devs using Linux too?

Re: How/where can I extend the session length?

Posted: Sat Feb 04, 2006 4:08 pm
by jelle
Well, good luck with the dev stuff then. I'd always assume you realise that you have become a dev, not that you can plan to become one. But maybe I am naive in that, I just do whatever I like.

Anyway, back to the problem at hand: if I remove the session cookie manually, I get the same problem, so that narrows it down to the passhash not functioning properly.
Same with other account or after changing the password. That makes me think it is a genuine bug. I'll log now.

Re: How/where can I extend the session length?

Posted: Sat Feb 04, 2006 5:27 pm
by jelle
Just to reply to myself: does anybody have a testlogin anywhere where I can try to establish if the thing goes wrong on the client side or the server side?

Re: How/where can I extend the session length?

Posted: Sat Feb 04, 2006 5:41 pm
by kermit
jelle wrote: Just to reply to myself: does anybody have a testlogin anywhere where I can try to establish if the thing goes wrong on the client side or the server side?
there's a demo installation of 0.11.2 at www.opensourcecms.com

Re: How/where can I extend the session length?

Posted: Sat Feb 04, 2006 7:06 pm
by jelle
Thank you. (realised that myself the moment I hit submit...)

Tried the same approach and it will restore my session. It does not redirect me to the login as does my install.  That means this problem is restricted to my install...