Cake 3.8 Authentication randomly logs people out

It seems as though no matter what I set the session length to, Cake randomly logs people out while browsing from page to page, and I can’t find anything in the error logs that would indicate why it is doing this… I googled around a bit and saw that it has something to do with security level, but that is vague; I want to know what exactly causes this so I can try and stop it from happening without downgrading security level.

I’ve seen sessions seem to run short too and haven’t yet dug into the reason. But you should be able to use RememberMe cookies as an alternative for long logins (and across sessions too). https://book.cakephp.org/authentication/2/en/authenticators.html#cookie-authenticator-aka-remember-me

I already have that, it still kicks people out for whatever the “security” issue is, even if they’ve checked Remember Me.

For session lifetime, make sure that you have both Cake and PHP set up. The default session lifetime in PHP is pretty short.

The session time is very short, maybe 15 minutes. You need to rely on the cookie login keeping the authentication alive. You need to increase your cookie expiry for this.
In cfg\app.php look for

    'Session' => [
        'defaults' => 'php',
    ],

and add a timeout value, for instance, for 1 day put this:

    'Session' => [
        'defaults' => 'php',
        'timeout' => 24*60 //in minutes
    ],

I hope this helps, sorry if I got it wrong.

(Edit: I’m using Cake 4, the syntax may be different / wrong place to Cake 3.8)

Again, this is not relevant… the session lifetime settings are fine (30 minutes) and it still kicks people out randomly. Sometimes after just 2 or 3 minutes… sometimes it lasts all 30 minutes without logging out… there’s no particular pattern to it, it just seems very random. It is not session lifetime settings.

It’s something to do with Security being set to High, but I don’t know what causes it.

Forum-members can’t see the results of your google research, but what makes you think it’s about a security level (of what)? Maybe you could give links to info found, and forum-members can evaluate your findings?

Forgive my presumption but there are a couple of things I have noted which can affect log in times of online apps - I can’t say whether these apply to CakePHP specifically, but it may be worth noting.

  1. If the user has cookies blocked it can logout the user at any random time, even almost immediately if the app relies on the cookie for that extra security.

  2. A more obscure cause could be if the user is on an Android and using Chrome, and they have enabled “Lite mode” (which can be turned on by default) or another form of data saver on the browser. That uses Google’s proxy servers to provide the static parts of the form to the user, with the side effect of that being Google’s servers show as the user’s IP. So if high security is also checking the user’s IP that can change as it were, as Google’s servers represent the user in the fetch - thus different IPs.

That maybe could help, as those have messed with my credential serving on other web apps.

Cheers
Jonathan

Here several times it is stated in different language that “Security.level on high will do that”

The post you copied is 10 years old. It’s about CakePHP 2 I think? You’re using 3.8 (title), so I don’t know if your guess that security level is involved will be valid.

I did search on my 4 install, and couldn’t find a ‘security.level’, but maybe I didn’t search in the correct way.

Moreover:

If you use concurrent AJAX calls on those pages or you load images / other resources through some PHP proxy then it may be related to a session lock issue.

What is the session.save_handler that you use? (phpinfo() will tell you this.)

phpinfo says “files” but my sessions are configured in Database in my config/app.php

Hey @b747fp did you find a solution to the random logouts?