Php photo gallery TWG | JFUploader | TWG Flash upload | WFU | Forum

Get help for TinyWebGallery, the best image gallery. The forum is also home for the Joomla JFUploader, TWG Flash Uploader and the Wordpress flash uploader.
It is currently 28. Mar 2024, 17:15

This forum is readonly now. Please use the new forum if you don't find the answer to your question here. The new forum is at https://www.tinywebgallery.com/blog/forum/


All times are UTC + 1 hour [ DST ]




Post new topic Reply to topic  [ 12 posts ] 
Author Message
PostPosted: 6. Feb 2015, 21:09 
Offline

Joined: 8. Apr 2010, 20:22
Posts: 36
I have a client who has checked his Joomla login on the front end to be remembered. When he logs into the uploaded manager from the front, many time he will leave the screen open and inactive. Also he states the is not logging out and just closes the browser.

The Issue: The global configuration is set to log off after 15 minutes of inactivity, yet with the password remembered and closing the browser he is able to revisit the uploaded with out a login and stay active even after the default Joomla log off time. He said he never has to re-log in yet when he does try to log off it give him the Invalid Token Message. I explained that between the inactive time and the browser cache that is possible. However this clearly shows a security issue.

How can I explain this better or prevent the invalid token message?


Top
 Profile  
 
PostPosted: 11. Feb 2015, 16:16 
Offline

Joined: 8. Apr 2010, 20:22
Posts: 36
Does anyone know how to help me address this issue?


Top
 Profile  
 
PostPosted: 11. Feb 2015, 17:01 
Offline
Site Admin
User avatar

Joined: 1. Aug 2005, 12:53
Posts: 11232
The flash tries to keep the login alive because uploads can last longer than 15 min.
But if he closes the browser the session should be gone.

How is the joomla session set?

Best, Michael


Top
 Profile  
 
PostPosted: 11. Feb 2015, 17:21 
Offline

Joined: 8. Apr 2010, 20:22
Posts: 36
Customers discussion: Just to let you know. As discussed yesterday, I did simply close my website “window” while still logged in yesterday morning. I would have expected the site to “time me out”. When I went back to the site this evening I found that I was still logged in and had access to web portal folders without the need to type in a login or password. Furthermore, as with previously discussed, when I attempted to log out it was not allowed as the screen went completely white with the words “invalid token” in the upper left hand corner.

To make a long story short: the site is doing the exact same thing as previously described.

The current settings for the global config are: caching off, session lifetime: 15, session handler: none.

JFUploader version 3.2.2


Top
 Profile  
 
PostPosted: 11. Feb 2015, 17:26 
Offline
Site Admin
User avatar

Joined: 1. Aug 2005, 12:53
Posts: 11232
You where still logged into Joomla as well?


Top
 Profile  
 
PostPosted: 11. Feb 2015, 17:45 
Offline

Joined: 8. Apr 2010, 20:22
Posts: 36
The customer is logging in from the front end. I am logged in to the front end with his user/pass and logged into the back end with my own admin and I does not show visitor logged in. When I refresh the admin it shows 0 users logged in. Then after I refreshed again and it shows 1 admin.

I am able to see the front end editing tools as well.

Attachment:
screenshot showing no users logged in but 1 each are.jpg
screenshot showing no users logged in but 1 each are.jpg [ 133.94 KiB | Viewed 15088 times ]


Top
 Profile  
 
PostPosted: 11. Feb 2015, 21:37 
Offline
Site Admin
User avatar

Joined: 1. Aug 2005, 12:53
Posts: 11232
So you talk about Joomla login. How should the flash uploader be releated to this?


Top
 Profile  
 
PostPosted: 13. Feb 2015, 16:35 
Offline

Joined: 8. Apr 2010, 20:22
Posts: 36
Yes I can understand why you would ask that. My question is this: would the joomla login settings/credentials be overriden by the jfuploader settings? I am trying to troubleshoot the issue and looking for any support I can get. I guess since my client and I were only recognizing it during the usage with JFUploader tools I assumed it was originating there. If you confirm that is impossible I will look to the Joomla forum directly.


Top
 Profile  
 
PostPosted: 13. Feb 2015, 16:51 
Offline

Joined: 8. Apr 2010, 20:22
Posts: 36
Here is what I found googleing "joomla session timeout not working on front end"

Many Joomla pages (especially those with a form) will run a 'keepalive' javascript that periodically hits the server, keeping your session alive. This is because you wouldn't want your session to timeout while you were in the middle of filling out a form.

If you really want to disable this feature, there's a line in components/com_users/views/profile/tmpl/edit.php like: JHtml::_('behavior.keepalive');. You can remove that (or better, override the template file and remove it there) and your users will inconveniently time out even if they are trying to fill out a form.

So is the component keeping the user alive?


Top
 Profile  
 
PostPosted: 13. Feb 2015, 17:03 
Offline
Site Admin
User avatar

Joined: 1. Aug 2005, 12:53
Posts: 11232
Yes - I use this too. But only if you stay on the page.


Top
 Profile  
 
PostPosted: 13. Feb 2015, 18:38 
Offline

Joined: 8. Apr 2010, 20:22
Posts: 36
Do you recommend using the suggestion or have any other ideas on how to force the logout as expected?


Top
 Profile  
 
PostPosted: 13. Feb 2015, 18:45 
Offline
Site Admin
User avatar

Joined: 1. Aug 2005, 12:53
Posts: 11232
This would not work. You would have to disable this in the compeonent.

Search for
behavior.keepalive
in the code of JFUploader and than you find 2 places. One for the admin section and one for the frontend. Simply remove the whole line.

Best, Michael


Top
 Profile  
 
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 12 posts ] 

All times are UTC + 1 hour [ DST ]


Who is online

Users browsing this forum: No registered users and 10 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
cron
powered by phpbb | Datenschutz/ Privacy policy