Gone in 60 seconds when "admin/security/session_cookie_lifetime" not set #104
Comments
It is definitely not good for this field to not have a default value, but it seems this should be a Magento fix since it originates there. Perhaps just a README notice would be more appropriate since the best fix really is for the user to set whatever value is appropriate for their store (although I think Magento should choose a sane default like at least 3 hours (considering PCI requirements are pretty strict).
* Added missing functionality for getThumbnailUrl
* Import Magento Release 1.9.3.2

  This is part 1 of 2 and covers all the non-copyright message changes.

  Fingerprint of original file:

      > openssl sha1 magento-1.9.3.2-2017-02-07-01-57-07.tar.bz2
      SHA1(magento-1.9.3.2-2017-02-07-01-57-07.tar.bz2)= 16d15f00a1898c4706b4bcf5501d9aa360c87f5b

  Commands used:

      > cd magento-mirror
      > rm -rf * .ht*
      > tar xvf ../magento-1.9.3.2-2017-02-07-01-57-07.tar.bz2 --strip-components=1
      > LC_ALL=C find -E * -type f -regex '.*\.(php|php\.sample|phtml|js|css|scss|sh|xml|xml\.(dist|sample|additional|template)|xsd|csv|mxml|as)' \
          -exec sed -i '' 's/2006\-2017 X/2006\-2016 X/g' {} + \
          -exec sed -i '' 's/2017 Magento/2016 Magento/g' {} + \
          -exec sed -i '' 's/2017 Phoenix/2016 Phoenix/g' {} +
      > sed -i '' 's/2006\-2017 X/2006\-2016 X/g' mage
      > git add -A .
      > git commit

* Import Magento Release 1.9.3.2

  This is part 2 of 2 and covers all the copyright message changes.

  Fingerprint of original file:

      > openssl sha1 magento-1.9.3.2-2017-02-07-01-57-07.tar.bz2
      SHA1(magento-1.9.3.2-2017-02-07-01-57-07.tar.bz2)= 16d15f00a1898c4706b4bcf5501d9aa360c87f5b

  Commands used:

      > cd magento-mirror
      > rm -rf * .ht*
      > tar xvf ../magento-1.9.3.2-2017-02-07-01-57-07.tar.bz2 --strip-components=1
      > git add -A .
      > git commit

* disable 'ALTER TABLE ... DISABLE KEYS' statements by default, and remove useless calls to useDisableKeys()
* Fixed add poll answer delete button
* [BUGFIX] Fix switching between customer addresses in the admin panel
  * make sure address data is reset for each loop iteration
  * stop setting empty region field to '0' when switching between saved addresses
  Fixes OpenMage#193
* Fixed customer account downloadable list (OpenMage#242)
  Testing github "Squash and Merge" method.
* Removed unreachable js
* Add SUPEE-4814
  This fixes an infinite recursion loop when validating a "Products subselect" cart price rule. Apparently the patch only got released for EE, but CE suffers from the same problem. :/
  source: https://gist.github.com/piotrekkaminski/54529dadb0bc01a62a2d
* Updated Mage_Catalog_Model_Resource_Url
  Updated Mage_Catalog_Model_Resource_Url, fixed is_active attribute when calling _getCategories()
* Import Magento Release 1.9.3.3
* Updated readme.md (OpenMage#270)
  Just grammar pirate.
* This bug was present beginning in 1.7.0.2 and is still present in 1.9.3.3. This patch has been running in production for about 4 years without any issues. Code was mis-calculating the qty of simple items to put back in stock for bundle (and configurable) products. For example, if you had a Bundle X that contained 10 Widgets and the customer ordered 10 of the Bundle X (thus they ordered 100 Widgets), the code previously would multiply twice when issuing a credit memo: when calling $item->getQty() on the Widget product Magento would return 100, since that's how many exist in the order. It would then multiply that by the number of Bundle X in the order (10), and would return 1000 items to the inventory for the Widget, instead of just 100.
* Possible fix of OpenMage#282
* Fix missing imagecreatefromwbmp
  Fix missing imagecreatefromwbmp from https://magento.com/tech-resources/bug-tracking/issue/index/id/1504/
* Typo in Mage_Admin_Model_User
* Typo in Mage_Admin_Model_User
* Fix SKU chooser widget attributes to select which should be an array.
* Typo in category controller
* Typo in category controller
* [FIX] set email as sent only if customer notified
  In all other places where an "email" flag is used, email_sent is only set if the flag is true.
  PS: In my opinion, the $notifiyCustomer condition is a better solution than assigning $notifiyCustomer directly to "email_sent". One can send invoices/creditmemos multiple times. Just a second run could make it look like an email was never sent (even though it was sent in the first run).
* Import Magento Release 1.9.3.4
* Set sane default session_cookie_lifetime (3 hours)
  Refs colinmollenhour/Cm_RedisSession#104
* remove leftover 1.9.3.2 package files
* fix ssl version
  ./mage list-upgrades
  Error: list-upgrades: TCP connection reset by peer
  remove specific ssl version, first because the version specified, TLS v1, is not supported by connect20.magentocommerce.com (https://www.ssllabs.com/ssltest/analyze.html?d=connect20.magentocommerce.com&s=52.3.167.65) and second because the server can choose the right version by itself
  tested on centos
  PHP 5.5.38 (cli) (built: Feb 18 2017 08:04:56)
  curl 7.54.1 (x86_64-redhat-linux-gnu) libcurl/7.54.1 NSS/3.28.4 zlib/1.2.7 libpsl/0.7.0 (+libicu/50.1.2) libssh2/1.8.0 nghttp2/1.21.1
* Fix slow url_rewrite query on MySQL 5.7
  Fixes: OpenMage#295
* Fixes system config dependencies for multiselect fields
* Fixed undefined variable when creating shipping labels
* Adds product add to cart event
* Add possibility to remove link at sales order and account edit page
* Fixes hidden checkout config, fixes OpenMage#259
* Fixes wrong usage of getSelect()->order() method
* Use joinLeft instead of joinInner to fix customers missing from reports.
  Refs OpenMage#41
  Refs OpenMage#241
  This commit also reverts db69295
* cloudflare reset current path in file manager
  check also if it is a POST request on set current path, because I've got an issue with cloudflare that makes a PURGE request like this:

      [REQUEST_METHOD] => PURGE
      [CONTENT_TYPE] => application/x-www-form-urlencoded; charset=UTF-8
      [CONTENT_LENGTH] =>
      [SCRIPT_NAME] => /index.php
      [REQUEST_URI] => /index.php/gestione/cms_wysiwyg_images/contents/type/image/key/e0b288aa6c56c42688c45a7f0ef4340e/?isAjax=true

  without POST parameters, and resets the current path on the file manager to the root /, with the result that we are unable to upload or delete a file.
  This resolves the issue with cloudflare at application level, but you can fix the problem at server level by limiting methods on nginx for request URIs containing *cms_wysiwyg_images*, for example (not tested):

      location ~ cms_wysiwyg_images {
          limit_except POST {
              deny all;
          }
      }

* Fixed typo, fixes OpenMage#334
* Update README.md regarding versioning strategy.
  Refs OpenMage#273 (OpenMage#333)
* Create .travis-ci.yml adding PHP lint
* Allow PHP 7.2 to fail for now.
* Exclude lib/PEAR and lib/phpseclib from PHP Lint test.
* Fix PHP lint path pruning.
* Actually fix PHP lint path pruning.
* Fix errors found via PHP lint.
* Speed up lint by excluding lib/Zend
* Import Magento Release 1.9.3.6
* Update patch list
* Remove rej file
* Fixed removeAccents method for german umlauts
* Fixed typo in Mage_HTTP_Client_Curl, fixes OpenMage#281
* Removed obsolete files, fixes OpenMage#352
* Make Mage registry related methods consistent
* Fix bug with missing close parenthesis
* Added missing comma, see OpenMage#317, fixes OpenMage#370
* Remove stray block element in checkout.xml
Just ran into the same issue. Since Magento has no default value for
Why not use OpenMage/magento-lts where this has already been fixed? The backend should not be responsible for determining app-level config like cookie lifetimes.
The issue is that by default, if
This is not the way I would expect. Usually, switching the session backend should not change the session lifetime IMHO.
Fixed in 26b4711 by using the cookie lifetime if the admin lifetime is empty.
Good work. Thanks for the fix @colinmollenhour
Thanks @colinmollenhour!
Hi @colinmollenhour,
Today we had the second case of a shop having the problem of being kicked out of the backend after only 60 seconds of inactivity. You can imagine this is a frustrating situation for shop owners.
So I investigated a bit deeper this time.
I discovered in these shops the config field admin/security/session_cookie_lifetime was empty. In Model/Session/Config.php line 130 this config field is retrieved. When the field is empty, the result will be NULL and later on the value of min_lifetime from local.xml will be used. Would it help if I propose a pull request with a fix for this, or maybe you can create a quick fix for it yourself?
For these customers the solution was simply to set the config field, which I used N98 for:
For the future it would be nice to have this fixed, so other people don't need to investigate the same problem. I don't know how the config field became empty. Can't imagine both of these customers did it on purpose.
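As an added illustration of the failure mode described in this report and of the fallback the maintainer's fix introduces, the standalone PHP script below models the admin session lifetime resolution. It is not code from Cm_RedisSession or Magento. Assumptions: plain arrays stand in for Mage::getStoreConfig() and for the local.xml settings, the general cookie lifetime lives at web/cookie/cookie_lifetime (the usual Magento 1 path), local.xml supplies a 60 second min_lifetime and a 30 day max_lifetime, and the configured value is clamped as max(min_lifetime, min(value, max_lifetime)). The two config arrays are constructed for the example.

```php
<?php
declare(strict_types=1);

// Added example, not Cm_RedisSession or Magento code. Models how an empty
// admin/security/session_cookie_lifetime collapses to local.xml's min_lifetime,
// and how falling back to the general cookie lifetime avoids that.

const ADMIN_LIFETIME_PATH  = 'admin/security/session_cookie_lifetime';
const COOKIE_LIFETIME_PATH = 'web/cookie/cookie_lifetime'; // assumed Magento 1 path

// Assumed local.xml values: 60 s minimum, 30 days maximum.
const MIN_LIFETIME = 60;
const MAX_LIFETIME = 2592000;

function clampLifetime(int $seconds): int
{
    // Assumed clamping rule: never below min_lifetime, never above max_lifetime.
    return max(MIN_LIFETIME, min($seconds, MAX_LIFETIME));
}

/**
 * Before the fix: an empty admin field yields NULL (or ''), (int) of that is 0,
 * and the clamp lifts 0 up to min_lifetime. Admins are logged out after 60 s idle.
 */
function adminLifetimeBefore(array $storeConfig): int
{
    $lifetime = $storeConfig[ADMIN_LIFETIME_PATH] ?? null;
    return clampLifetime((int) $lifetime);
}

/**
 * After the fix described in the thread (commit 26b4711): when the admin
 * lifetime is empty, use the general cookie lifetime before clamping.
 */
function adminLifetimeAfter(array $storeConfig): int
{
    $lifetime = $storeConfig[ADMIN_LIFETIME_PATH] ?? null;
    if ($lifetime === null || $lifetime === '') {
        $lifetime = $storeConfig[COOKIE_LIFETIME_PATH] ?? null;
    }
    return clampLifetime((int) $lifetime);
}

// Constructed store configs: the reported state (admin field empty) and the
// recommended state (admin field set to 3 hours = 10800 s).
$emptyAdmin = [
    ADMIN_LIFETIME_PATH  => '',      // empty field, as found in the affected shops
    COOKIE_LIFETIME_PATH => '3600',
];
$setAdmin = [
    ADMIN_LIFETIME_PATH  => '10800',
    COOKIE_LIFETIME_PATH => '3600',
];

foreach (['empty admin field' => $emptyAdmin, 'admin field = 10800' => $setAdmin] as $label => $cfg) {
    printf(
        "%-20s before: %6d s   after: %6d s\n",
        $label,
        adminLifetimeBefore($cfg),
        adminLifetimeAfter($cfg)
    );
}
```

Run with `php lifetime.php`: with the admin field empty the pre-fix function returns the 60 second floor, which is the "gone in 60 seconds" symptom, while the post-fix function returns the 3600 second cookie lifetime; with the field set to 10800 both return 10800. Two caveats for operators: the fallback still bottoms out at min_lifetime when web/cookie/cookie_lifetime is itself empty or 0, so the explicit admin value remains the reliable setting; and because this value is the lifetime of the admin session cookie, a stolen cookie stays usable for that long, so choose the longest idle time your access policy actually permits rather than simply the largest convenient number.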