hi guys,
I am having a problem with the session on the forms.
I keep getting the error.
"* Your session has expired. Please log in again.
There is no form with this name or may be the form is unpublished, Please check the form and the url and the form management"
In an attempt to bypass this problem I started making users register before being able to access the forms. However I'm still randomly getting the error...but only when mysteriously users are being forced to logout for no apparent reason. After all this I was worried my site may be compromised so I installed RSFirewall, scans show no php files have been compromised.
check token is OFF
session is set to 15 minutes (in global configuration backend)
Advice?
Hi Andrew,
This is a combination of a few factors, though the main issue is the 15min session expire.
What happens, is that ChronoForm uses the Joomla! tokencheck feature, which is intended to prevent robots from spamming the form. A token is added to the form, and checked upon submission. Part of this check, is to verify that the session has not yet expired (the 15 min limit). If it has, the user is logged out, and the logon form is shown.
Your options are somewhat limited:
- Increase the session timeout to a large enough value
- Add the Keepalive javascript to your form:
  <?php echo JHTML::_('behavior.keepalive'); ?>
- Edit ChronoForms to disable the tokencheck, you'll find a few threads of mine on the forum with details on how to fix this.
/Fredrik
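The interaction described in the reply above, as an added example that is not part of the original thread and is not Joomla! or ChronoForms code: a form token that is only honoured while the session that rendered the form is still alive, so a submission after the idle limit is rejected before the token is even compared, while a keepalive request in between restarts the timer. The class, function names, secret and timestamps are constructed for illustration; only the 15-minute lifetime comes from the thread.

```php
<?php
// Added illustration: a simplified model, NOT Joomla! or ChronoForms code.
// SessionStore, formToken() and submit() are hypothetical names.
class SessionStore {
    private $lastSeen = [];   // session id => unix time of last request
    private $ttl;

    public function __construct($ttlSeconds) { $this->ttl = $ttlSeconds; }

    public function start($now) {
        $id = bin2hex(random_bytes(16));
        $this->lastSeen[$id] = $now;
        return $id;
    }

    // Every request, including a keepalive ping, goes through here.
    public function touch($id, $now) {
        if (!isset($this->lastSeen[$id]) || $now - $this->lastSeen[$id] > $this->ttl) {
            unset($this->lastSeen[$id]);   // expired: the server forgets the session
            return false;
        }
        $this->lastSeen[$id] = $now;       // still alive: the idle timer restarts
        return true;
    }
}

// The hidden form field is bound to the session that rendered the form.
function formToken($secret, $sessionId) {
    return hash_hmac('sha256', $sessionId, $secret);
}

function submit(SessionStore $store, $secret, $id, $token, $now) {
    if (!$store->touch($id, $now)) {
        return 'session expired';          // the token is never compared
    }
    return hash_equals(formToken($secret, $id), $token) ? 'accepted' : 'invalid token';
}

$secret = 'constructed-secret';            // constructed sample values
$store  = new SessionStore(15 * 60);       // the 15-minute lifetime from the thread
$t0     = 1000000;

$a = $store->start($t0);                   // form loaded, submitted after 10 idle minutes
echo submit($store, $secret, $a, formToken($secret, $a), $t0 + 600), "\n";
$b = $store->start($t0);                   // form loaded, submitted after 20 idle minutes
echo submit($store, $secret, $b, formToken($secret, $b), $t0 + 1200), "\n";
$c = $store->start($t0);                   // keepalive ping at 10 min, submit at 20 min
$store->touch($c, $t0 + 600);
echo submit($store, $secret, $c, formToken($secret, $c), $t0 + 1200), "\n";
```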
This is occurring in under 3 mins of login time.
CheckToken is already OFF
Thank you for reading
http://www.chronoengine.com/forums/index.php?option=com_chronoforums&cont=posts&f=2&t=15864&p=56548&hilit=session+problem#p40459
database handles session, default joomla 1.5.20 (current)
I'd be happy to give you access, if desired.
Found this bug post in Joomla Dev. possible connection? Read Adddate: 2010-09-09 14:39:05
http://joomlacode.org/gf/project/joomla/tracker/?action=TrackerItemEdit&tracker_item_id=20255
Article covering 1.5.20
http://www2.pixellight.com/solutions/joomla_session.php
I'm going to insert
<?php JHTML::_('behavior.keepalive'); ?>
I'll report back soon.
Hi Andrew,
Hmm.. I can only see two causes for a session expiring early; The session cookie sent to the browser is lost or corrupted, or the session record stored on-site is lost or corrupted.
If you had been using the file storage ('none'), then I would have suspected this, as some serveradmins are very keen on clearing temp-files. Any record in the DB however, should persist, so I doubt this is the issue.
That means we are most likely looking at the client cookies. Do you know if the issue is bound to a limited set of your visitors? (always happens to the same visitors)
/Fredrik
I have 5 different computers here all are experiencing the same problem.
IPhone, Firefox, IE and Chrome. My client base is small I generally handle attorneys so I really can't give you more than that.
I've inserted keep alive, the forms haven't broke yet but the error was randomly occurring anyway. Maybe 1 out of 10 submissions.
The problem only persists if the user is forced to logout. Then the form fails.
Oh one other thing if I force a menu link to open in the new window (not tab) to a chronoform the glitch occurs more often.
Brb going for a smoke. Thank you Fredrik
Ok. now it's failing even with the "keep alive" code.
Randomly kicking the user session, forcing logout or something... and failing the form.
I should have to have users register to try go around this session problem..but w/e lol.
I'm beginning to believe this is the problem as discussed here: CLIENT COOKIE
Found this bug post in Joomla Dev. possible connection? Read Adddate: 2010-09-09 14:39:05
http://joomlacode.org/gf/project/joomla/tracker/?action=TrackerItemEdit&tracker_item_id=20255
Article covering 1.5.20
http://www2.pixellight.com/solutions/joomla_session.php
Hi Andrew,
That looks very interesting! A simple way of testing this, would be to try and use Firefox instead of IE and see if the issue disappears.
/Fredrik
Fredrick
Could you help me apply this patch here and maybe document it in this thread?
Firefox is breaking, every browser I use breaks the session randomly.
One fix they were saying was:
libraries/joomla/application/application.php line 533 to comment out
// $session->fork();
$this->_createSession($session->getId());
But I'm not sure if they mean this will open the door for fixation attacks or stop them.
...and that fixes the problem, then this will take care of it without potentially opening your users to session fixation attacks
What does the word "[this] will take care of" mean?
The reason it's so confusing is it appears they go into another fix to the situation without commenting this line out and by completely rewriting the application.php
Their explanation to apply this patch seems to be solely directed at IE, and in my humble opinion they do not explain on a tinkerer level how to correct the problem effectively without knowing how to code.
And I'm not experiencing this in IE, but in all browsers. And for the record I don't use IE unless I have to. I use Firefox.
If you're willing please take a look at it.
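What issuing a new session id at login protects against, as an added example that is not part of the original post and is not Joomla! code: an in-memory model of login with and without id regeneration, showing which ids reach the authenticated session afterwards. It assumes, as the fixation remark quoted above implies, that the `fork()` call replaces the session id at login; all function names and values are constructed.

```php
<?php
// Added illustration: an in-memory model, NOT Joomla!'s application.php.
// newSession(), login() and whoIs() are hypothetical names.

function newSession(array &$sessions) {
    $id = bin2hex(random_bytes(16));
    $sessions[$id] = ['user' => null];          // guest session
    return $id;
}

// Log $user in on session $id and return the id the browser must send next.
function login(array &$sessions, $id, $user, $regenerate) {
    if ($regenerate) {
        $data = $sessions[$id];                 // keep the session data...
        unset($sessions[$id]);                  // ...retire the pre-login id...
        $id = bin2hex(random_bytes(16));        // ...and continue under a new one
        $sessions[$id] = $data;
    }
    $sessions[$id]['user'] = $user;
    return $id;
}

function whoIs(array $sessions, $id) {
    return isset($sessions[$id]) ? $sessions[$id]['user'] : null;
}

$sessions = [];                                 // session id => data (constructed)

// Case 1: no new id at login (the regeneration step commented out).
$pre  = newSession($sessions);
$post = login($sessions, $pre, 'alice', false);
var_dump($post === $pre);                       // is the id unchanged?
var_dump(whoIs($sessions, $pre));               // who does the pre-login id reach?

// Case 2: new id at login.
$pre  = newSession($sessions);
$post = login($sessions, $pre, 'alice', true);
var_dump(whoIs($sessions, $post));              // the browser that got the new cookie
var_dump(whoIs($sessions, $pre));               // anyone still sending the old id
```

In case 2 the old id no longer resolves to any session, which is what defeats an id fixed before login; it also means a browser that fails to store the replacement cookie is treated as a guest.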
Hi Andrew,
If you check the first link you posted, just beneath the patch-file, there's a file to a complete session.php file. Download this file.
Start your favorite ftp client, and head to .../libraries/joomla/session/ - where ... is the path to the root of your website.
Rename the session.php file to session.old.
Upload the session.txt file.
Rename the session.txt file to session.php.
See if this solves the issue.
/Fredrik
Downloaded session.txt
Used Filezilla navigated to /libraries/joomla/session/
renamed session.php to xsession.php
renamed session.txt to session.php
In Firefox first submit attempt failed after user login. User was forced to logout.
Logged in 1st attempt / failed
Logged in 2nd attempt / successful
Logged in 3rd attempt / successful
Logged in 4th attempt / successful
Logged in 5th attempt / failed
Logged in 6th attempt / successful
Logged in 7th attempt / successful
Logged in 8th attempt / successful
Logged in 9th attempt / successful
Logged in 10th attempt / successful
Logged in 11th attempt / successful
Logged in 12th attempt / successful
Logged in 13th attempt / successful
Logged in 14th attempt / successful
Hi Andrew,
That would suggest the issue lies elsewhere :/
I'm afraid I'm running low on ideas at the moment. You could still resort to the hack I've posted earlier regarding disabling the tokenCheck, although it's perhaps not the ideal solution.
/Fredrik
searching...
disabling the tokenCheck
Disable tokenCheck
Chrono forums point only to this post.
searching...
tokenCheck
Found 11 posts mainly pointing to this thread. Other posts do not apply?
Please post direct link.
Also where can I change text of the error messages I've been getting? As I'd like to inform the user of the issue in the event of occurrence.
I've also created a post on the main Joomla! forums in an effort to get more information.
Please see: http://forum.joomla.org/viewtopic.php?f=432&t=550268
Hi Andrew,
Here's the link: http://www.chronoengine.com/forums/index.php?option=com_chronoforums&cont=posts&f=2&t=15864&p=40543&hilit=lazy+evaluation#p40543
/Fredrik