I've been using Sitecore version 7.1 for a few months now and have noticed that the Sitecore client logs me out after being idle for around 20 mins. Also other users have reported these issues whilst content editing.
I'm using Windows 7, IIS 7, .NET framework 4.5.
I've checked the error log for anything and can see no obvious errors and the keepalive service is running - I get this information in the logs:
ManagedPoolThread #14 12:47:24 INFO Scheduling.UrlAgent started. Url:http://testsite/sitecore/service/keepalive.aspx
I get some of these in the log, but could this be related?
WARN Memory usage exceeded the MemoryMonitor threshold
When I go back to the site after leaving it for say 20 minutes.
I get these entries in the log.
952 15:08:28 INFO AUDIT (sitecore\grahams): Logout
952 15:08:28 WARN Protected page accessed with no current user
6440 15:08:28 INFO AUDIT (sitecore\grahams): Logout
6440 15:08:28 WARN Protected page accessed with no current user
Any body seen this happening before or have any suggests of how I could get to the bottom of this?
Thanks in advance
Ian
We are also experiencing the same or similar problems since upgrading several of our web sites to Sitecore 7.1. We have continued to investigate all of the settings mentioned above but have as yet to find an explanation.
This may help, depending on your situation...Sitecore has confirmed a new issue was introduced: when multiple users login with the same credentials, and one of them logs out, all the others are also logged out automatically.
They have released a temporary hotfix package designed specifically for 7.1 rev. 140130. You should ensure your solution is updated to this version before installing:
https://dl.sitecore.net/hotfix/Sitecore%20CMS%207.1%20rev.%20140130%20Hotfix%20405020-2.zip
Use the Install Package Wizard to apply the hotfix. Hopefully this will be included in the next 7.1 Update package.
UPDATE
I continue to have discussions with sitecore support on this issue and although they have not given me a definite fix or patch, there does seem to be a way to increase the timeout.
This is not without it's side effects but it is at least an option at this point. I am in the process of testing this out myself but I will share for now and update everyone on my progress.
Change or add the following three settings in your web.config (in the example below the timeout is 2 hours):
Client Timeout
<setting name="Authentication.ClientSessionTimeout" value="120" />
Forms Timeout
<authentication mode="None">
<forms name=".ASPXAUTH" cookieless="UseCookies" timeout="120" />
</authentication>
Session Timeout
<sessionState mode="InProc" ... timeout="120" />
There are a couple of configurations you need to checkout.
There is a client timeout setting in Sitecore:
<setting name="Authentication.ClientSessionTimeout" value="60"/>
Check that this is not set to 20 minutes.
Further you should check your session timeout here:
<sessionState mode="InProc" stateConnectionString="tcpip=127.0.0.1:42424" sqlConnectionString="data source=127.0.0.1;user id=sa;password=" cookieless="false" timeout="20"/>
I've experienced this is issue with Sitecore 8.2 rev 170728 (Update 5). In my case, the cause of the issue was that I was accessing the site through HTTP while the following setting in the web.config file was not allowing it:
<httpCookies httpOnlyCookies="true" requireSSL="true" />
The issue can be fixed by either making sure you access the site through HTTPS or by setting the attribute "requireSSL" to "false" in the above setting.
Related
I'm getting the following error on the Ohio server:
Failed to authenticate user due to missing information in request.
This suddenly started happening after using Glue for few months.
Error picture here
I've tried adding AWS onto my cookie allow list and still doesn't allow me. I've also tried restarting my machine and using another 2 browsers other than chrome yet still doesn't work. I'm the only one affected on the team it only happens on the Ohio server whilst NV etc work perfectly.
I had the exact same issue. Check that your browser does not block third-party cookies. Any browser that blocks third-party cookies either by default or as a user-enabled setting will prevent notebooks from launching (the typical error message is Failed to authenticate user due to missing information in the request.)
Chrome: Turn Off "Block Third-Party Cookies" in Chrome for Windows
Firefox: Third-party cookies and Firefox tracking protection
Safari: Clear cookies in Safari on Mac
I am having trouble accessing CM on Sitecore 9.2 (built on Azure PaaS) without getting a session timeout.
I have the following settings, but if I leave the browser open for more than 20 minutes with the launchpad displayed, and then click any button
After that, when I click on some button, I expected to be forcibly logged out, but
I expected that the session timeout would occur when I left the system for more than 20 minutes without logging out, and then clicked some button.
Please let me know if there is a way to force a session timeout logout.
Configuration details
(1) Web.config
<sessionState mode="InProc" cookieless="false" timeout="20" sessionIDManagerType="Sitecore.SessionManagement. CoditionalSessionIdManager">
(2) Sitecore
<setting name="Authentication.ClientSessionTimeout" value="20" />
I would appreciate your help.
I am also facing the same issue with Sitecore 9.3. You can try below solution if it works.
Set ExpireTimeSpanin Sitecore.Owin.Authentication.config which is given below for bow "PreviewCookieAuthentication" and "CookieAuthentication".
00:20:00
Then Set in sitecore.config.
It should work for 20 minutes. I am facing issue when I increase timeout value from 20 to 30 minute.
Whenever I select a message in ECM it redirects me to the login page of Sitecore with the following URL at the top
http://example.com/sitecore%20modules/shell/EmailCampaign/UI/Dialogs/MessageBody.aspx?message={79D6412B-824A-4349-8B94-9136D17C6E84}&lang=en&contact=Emailcampaign\exampleuser_at_example_dot_com
The following are the things I know about this issue:
Though this happens most of the times, Sometimes it will work for the same message and for the same preview user (For the contact mentioned in the URL above).
The sitecore user trying to access the message in ECM has all access rights for the message he is trying to access.
I have a test environment running on a different server where this works fine. But in the production environment it is not working.
I am running my site on Sitecore.NET 6.6.0 (rev. 121015) version.
When the sitecore redirects me to the login page with the above URL at the top. I cannot login using that page. I have to go to
http://example.com/sitecore/
in order to log back in.
The Item ID in the URL is correct and it points to the message that I am trying to view.
[Updated]
We resolved this issue by adding a custom preview handler in web.config like this
<previewManager defaultProvider="customPreview" enabled="true">
<providers>
<clear />
<add name="default" type="Sitecore.Publishing.PreviewProvider, Sitecore.Kernel" />
<add name="customPreview" type="PackageName.CustomPreview, PackageName" />
</providers>
</previewManager>
Here is the code behind for that custompreview:
public class CustomPreview : Sitecore.Publishing.PreviewProvider
{
public override void SetUserContext()
{
string shellUser = this.GetShellUser();
if (!string.IsNullOrEmpty(shellUser))
AuthenticationManager.SetActiveUser(shellUser);
else
{
if(!Sitecore.Context.User.Name.Split('\\')[1].Equals("Anonymous"))
AuthenticationManager.SetActiveUser(Sitecore.Context.User.Name);
}
}
}
[Old]
We resolved this issue. Strangely, this was related to badly configured load balancer. We still need to find what is going wrong in the load balancer but we don't face this issue when we remove one of the servers from the load balancer i.e., When the traffic goes only to one particular server, this issue doesn't occur. Since our test environment is deployed in only one server we never faced this issue there.
This sounds like there is something missing in the core database.
I would check to make sure the roles that ECM requires are present in the core database and also check that you have the correct setup to facilitate users with the domain emailcampaign\username.
If this doesn't resolve the issue there is a diagnostic tool you can run here to help you debug further:
https://kb.sitecore.net/articles/553662
Failing that contact Sitecore support - they have more tools to help with debugging issues with ECM
My company is using cfwebsocket on our ColdFusion 11 server. In the past it has worked fine, but recently we started getting this message every time we try to access the page that calls cfwebsocket:
Attribute validation error for the CFWEBSOCKET tag The channel entry specified for subscribeTo is not valid.
"testing123" is not a valid channel registered for this application.
However in our Application.cfc I have setup the channel:
<cfset this.wschannels = [{name="testing123"}] />
Another weird problem is that when I go to the WebSocket section of the ColdFusion Administrator. I get an error as well:
It's really weird because we had this working before. We haven't changed our firewall at all. Can anyone point me in the right direction?
If you have updated to Update 3 then the reason for the problems is due to Adobe breaking websockets in that update.
I submitted a bug just after it was released - http://bugbase.adobe.com/index.cfm?event=bug&id=3865461
Its been fixed and you can request a hotfix from them which does resolve the issue, otherwise you will have to wait until Update 4!
I am trying to set my cookie CFIDE and CFTOKEN to be HTTPOnly in Coldfusion 9...
Here is what I have tried (didn't error but didn't work):
cookie.CFID = "#session.cfid#,httpOnly='true'";
cookie.CFTOKEN = "#session.cftoken#,httpOnly='true'";
I also tried (no go...and no error):
cookie.CFID = "#session.cfid#;httpOnly='true'";
cookie.CFTOKEN = "#session.cftoken#;httpOnly='true'";
And this (which I think only works in CF10):
cookie.CFID = {value="#session.cfid#", httpOnly="true"};
cookie.CFTOKEN = {value="#session.cftoken#", httpOnly="true"};
Then this (didn't error but didn't work):
cookie( name="CFID" value="#session.cfid#" httpOnly="true" );
cookie( name="CFTOKEN" value="#session.cftoken#" httpOnly="true" );
When I run these I do a empty cache hard reload in Chrome. When the page reloads I should see the Resources Cookies HTTPOnly column show check boxes.
I'm probably exhausted and could have hit the right combo of things above and I got a false positive on failure from jumping around too much. Sometimes cached things get the best of me.
I have the CFML container style that works but my Application.cfc is all script style and I want to keep it that way...So how do I do this script style in Coldfusion 9?
Update for my fix:
I used the getPageContex() below, but it didn't work as it was. Also onSessionStart() event handler changed to create the session.CFID and session.CFTOKEN with the CreateUUID() which is also new in my Application.cfc file. So for posterity here is what that block of code looks like.
function onSessionStart(){
getPageContext().getResponse().addHeader("Set-Cookie", "CFID=#session.CFID#;path=/;HTTPOnly");
getPageContext().getResponse().addHeader("Set-Cookie", "CFTOKEN=#session.CFTOKEN#;path=/;HTTPOnly");
}
Another Note: For some reason if the session is cleared and the onsessionstart() handler is requested this set cookie stuff above will fail. There has to be a try catch block or exception handling of some sort added to account for a reload problem. The best thing is to upgrade to a patched up release of Coldfusion 10 (or soon to be released CF 11).
You can use the PageContext object to set cookies in cfscript:
getPageContext().getResponse().addHeader("Set-Cookie", "CFID=#session.CFID#;path=/;HTTPOnly");
getPageContext().getResponse().addHeader("Set-Cookie", "CFTOKEN=#session.CFTOKEN#;path=/;HTTPOnly");
For session cookies, there's an easier way.
Enabling server-wide HttpOnly session cookies
The ColdFusion 9.0.1 update added a server-wide setting to add the
httponly attribute to all session cookies created by ColdFusion (such
as the CFID and CFTOKEN cookies, or the JSESSIONID cookie on JRun). To
enable this setting, if you are running a JRun J2EE installation or
multi-server installation, you must edit jvm.config, otherwise you can
enable this setting from the CF Administrator. If you are running a
J2EE server other than JRun consult your documentation for an
appropriate setting. J2EE servers that support the Servlet 3.0
specification can specify
true
in the /WEB-INF/web.xml file.
http://www.adobe.com/devnet/coldfusion/articles/coldfusion-securing-apps.html
You can use this code in your application.cfc inside of the onsessionstart function.
<cfcookie name="CFID" value="#session.cfid#" httponly="true">
<cfcookie name="CFTOKEN" value="#session.cftoken#" httponly="true">
There is no way of setting this inside of cfscripts. cfcookie is not supported in script form in cf9. There are flags in the application settings added to CF10 to address this issue, however, CF11 will have full support for it inside of scripts. Unfortunately, I think you will have to forego the uniform code for functionality. Unless you have access to your CFIDE/Administrator. You can add a java argument to turn it on server wide. Add this to your JVM config
-Dcoldfusion.sessioncookie.httponly=true
All of this is detailed here http://www.petefreitag.com/item/764.cfm