Strange session related behaviour

Hello

We are dealing with a strange situation on a new website that we are setting up. We have enabled both logins through community builder and Facebook (cb connect).

Case 1
When user logs in with his username and password (cb login module) his session respects the joomla configuration Session Lifetime.

Case 2
When user logs in with his facebook account (cb connect), the session never ends. Never means never! right now i have testes a user that was logged in 3 days ago, on a browser that i do not use and he is still logged in.

I suppose that this is not a matter of keepalive scripts that i have seen many people trying to solve, because if it was related to this, then the session would not end either for normal cb login.

Can you please advise?

Thank you in advance.

Your issue isn't caused by CB, but by how Joomla handles database session clean up. Joomla used to purge expired database sessions on every page load, but that was changed in 3.8.4 explained in more detail below. Basically they changed Database session garbage collection to be based off PHP session garbage collection and specifically depends on session.gc_probability being set. If it's set to 0 it means PHP session garbage collection will never happen and thus sessions never expire.

github.com/joomla/joomla-cms/pull/19548

A plugin was added at some point to help with this though. Within Extensions > Plugins be sure "System - Session Data Purge" exists, is published, and public access. If it isn't then database session data will never clear unless PHP session garbage collection is configured. In addition to this it has a probability setting. By default there's only a 1% chance a page load triggers a session clean up. You can adjust this within the plugin using "Probability" and "Divisor" parameters.

Alternatively the recommended approach is to switch to PHP based session handling within Joomla global configuration change "Session Handler" from Database to PHP and just let PHP handle sessions.

More than likely everything is already setup correctly and it's just the 1% probability not clearing the session. I don't think you have anything to worry about. If you need strict session clean up behavior you'll want to setup a CRON task to call Joomlas CI URL for session clean up (sorry, I don't know what it is).

Thank you for your reply Krileon.

Maybe i was not so clear on the issue explanation.

The problem exists when users login with their facebook account (cb connect plugin). Their session does not end.

If the user enters his user name and pass to login then the session works pretty fine.

Cb connect facebook login has this problem.

CB Connect cannot have any impact on sessions. CB does not manage sessions. The users session is still there because they left the site while logged in, the session expired, and is now waiting to be cleaned up by garbage collection behavior.

This applies to all login sessions as that's the behavior of Joomlas session clean up processes now. There's a 1% chance per page load that expired sessions will be cleared. I've confirmed this using regular login and CB Connect login sessions. You are only noticing it now because Joomla only recently changed this behavior in 3.8.4 and all releases before that the session garbage collection would be applied to every page load.

If you want sessions to always purge on every page load then edit "System - Session Data Purge" in Extensions > Plugins and set "Probability" and "Divisor" both to 100. I don't recommend doing this though. Again, the session is expired it just is not cleared from the database (which is 100% handled by Joomla). If you're using PHP sessions then be sure your PHP session garbage collection is even turned on via session.gc_probability and session.gc_divisor INI settings.

Thank you again for your reply Krileon.

Tested login with username and pass. Everyrhing works great. After the session expiration time i have set in joomla configuration the site asked me to login again.

Tested on administrator area, the admin is logged out and he is asked to relogin.

Tested facebook login (cb connect). The session never ends for the user. After 30 minutes he can still post, edit do anything he wants. Session is not expired. It is not a matter of garbage. The user did not close the page and left. I was just sitting there for 30 minutes waiting to see if the session will expire.

Using PHP sessions

local php ini:
session.gc_probability=1
session.gc_divisor = 100

System - Session Data Purge enabled 1/100
Enable Session Data Cleanup: YES
Enable Session Metadata Cleanup: YES

Is there a chance that facebook does not allow the session to expire by setting browser cookies or something like that when logging in?

Unfortunately i do not have another site to test. This happens only to my site?

Tested facebook login (cb connect). The session never ends for the user. After 30 minutes he can still post, edit do anything he wants. Session is not expired. It is not a matter of garbage. The user did not close the page and left. I was just sitting there for 30 minutes waiting to see if the session will expire.

Your test will never work like that. They won't expire due to keepalive (believe default is it refreshes every 5 minutes). It's just sitting there refreshing its timestamp. If the cookie for the session still exists and the session still exists in the database or in PHP they'll still be logged in as well. This means you need to completely close the browser, let the session expire, then open your browser. Assuming garbage collection triggered that session won't exist anymore and they won't be logged in.

session.gc_probability=1
session.gc_divisor = 100

System - Session Data Purge enabled 1/100

This means there is a 1% chance session garbage collection will trigger on a page load.

Is there a chance that facebook does not allow the session to expire by setting browser cookies or something like that when logging in?

No, again CB has no control over sessions.


This isn't really an issue that needs solving or even an issue. Simply leave the sessions alone and let Joomla handle them in time.