3.0.2 Manager Logs me out after 20 sec, browser (Cookie “PHPSESSID” “SameSite” error)

mclauand · December 29, 2022, 11:57pm

I’m in the process of upgrading to v3.0.2 (from 2.8.4) and post-install I’m able to login, and things appear to be working, but I get logged out within ~20-30 seconds. The login window pops up with this error: “Your session has expired. Please proceed to login again.”

I’m seeing this error in devtools:

Cookie “PHPSESSID” does not have a proper “SameSite” attribute value. Soon, cookies without the “SameSite” attribute or with an invalid value will be treated as “Lax”. This means that the cookie will no longer be sent in third-party contexts. If your application depends on this cookie being available in such contexts, please add the “SameSite=None“ attribute to it. To know more about the “SameSite“ attribute, read SameSite cookies - HTTP | MDN

Not always, but often it then sends me back to the home page, and in dev tools I see a 404 for GET https://domain.com/manager/?a=resource/update&id=286 404 (Not Found). If I refresh I often get logged back in, but then shortly after get prompted to login (often before I can do anthing).

This is happening in Chrome, Firefox, and Safari. I’ve dumped my cache in core/cache, as well as cleared cookies (over and over). I’ve also tried an incognito/private browser tab, and same thing.

Thanks!

mclauand · December 30, 2022, 2:37am

Also worth mentioning is that while refreshing does sometimes take me back into manager, more often that not it continues to load the home page, and dev tools returns this:

GET https://domain.com/manager/ 404 (Not Found)

Clearing my cookies and dumping the core/cache, and then refreshing, takes me back to the manager login.

Is this a session issue?

mclauand · December 30, 2022, 3:37am

Both the session_cookie_lifetime and session_gc_maxlifetime values in the database are already set to 7 days (604800 seconds), so I’m not sure it’s related to session expiration.

bobray · December 30, 2022, 6:15am

Do you have a call to a URL with http rather than https anywhere (say, for an image)? That would start a new session.

Forcing https in .htaccess might be a good way to prevent this.

halftrainedharry · December 30, 2022, 8:59am

There is a system setting “session_cookie_samesite” to address this.
But I doubt that this warning is the cause of your issue.

mclauand · January 4, 2023, 6:08pm

Figured it out. Our host had accidentally booted a backup VM of our server at the same IP. So the session was ending when the other server would receive the request, respond, and log me out. So frustrating, but glad to have it figured out. Thanks for your help!

bobray · January 7, 2023, 6:34am

I’m glad you got it sorted. Thanks for reporting back.