Wordpress Authentication Timeout Login Loop

jason

New member
I have Wordpress handle my website and give the user an option to launch a dadabik app. Works really well but I found the iFrame a problem when navigating on mobile devices, so I have the dadabik wrapper call a page that uses javascript to pull the app out of wordpress and redirect to the homepage of the dadabik app:

<script type="text/javascript" language="Javascript">window.top.location.assign('//mywebsite.com/dadabik/index.php?function=show_static_page&id_static_page=1');</script>

This works well. However, if the user leaves the page dormant for a length of time, it times out and the page goes to the dadabik login page, which is fine; however, putting in proper credentials does not authenticate. The user has to close the browser and log in entirely again, which is not ideal.

Ideally I would like the page not to timeout at all or set it to a very long time like 8 hours. Would that be possible?

If not why does authentication not work after it times out? I am using Wordpress authentication and it is using the WP_USERS table to check credentials.

Thank you in advance!
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Your current DaDaBIK version

You are using DaDaBIK version 10.1-Manarola enterprise, installed on 05-15-2020 (installation code: 155165ebef2d6ed236), the latest version of DaDaBIK is 10.5-Manarola released on 01-14-2021

You are not running the last release of DaDaBIK, the release you are running might have bugs and security holes, see the official change log for further information. You can upgrade DaDaBIK here.

In case you want to upgrade to a more powerful edition (from Pro to Enterprise/Platinum, from Enteprise to Platinum) please contact us.
System info

PHP Version: 7.2.34

mysql version: 5.6.49-cll-lve

Web server: Apache

Client: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0

URL installation: http://castingsignin.com/dadabik/
 

eugenio

Administrator
Staff member
Hello,
the timeout depends on the session timeout, see:
https://www.youtube.com/watch?v=XEt4aexVs5Y&ab_channel=DaDaBIK

The wordpress integration works in this way: you log in to wordpress and you are automatically logged in to DaDaBIK. You cannot use the wordpress login to authenticate using the dadabik login form (not sure if this is what you are trying to do, though).

Best,
 

jason

New member
Thank you for the response Eugenio.

Unfortunately I'm on a shared server so my hosting provider won't let me modify the php.ini files so I can't control the timeout period as mentioned in your link.

The Wordpress login logs Dadabik in, but after a period of inactivity when I try to use the app it doesn't take me to the Wordpress login screen, it takes me to the Dadabik login screen, and this is where no credentials are accepted. The user has to somehow get back to the WordPress site, logout of WordPress, and login again to get into the application.

Is Dadabik timing out before Wordpress in this case? Why would it take me to the Dadabik login screen if I have Wordpress authentication enabled? How could I get Wordpress to time out before Dadabik?
 

eugenio

Administrator
Staff member
Wordpress might have a different timeout system and at the moment there is no way to redirect the user to the WP login page.
It would be a useful feature though, if you want you can add it to our canny https://dadabik.canny.io

Even if you can't access php.ini, sometimes hosting providers allow you to have a custom version of php.ini in some ways, are you sure you can't?
Another solution is to change the parameter using ini_set; you could add your ini_set statement to your config_custom file.
config_custom is not designed to execute code, only to set parameters, but in this specific case I don't think there is any risk.

Best,
 

jason

New member
My host provider locked the php.ini file and I tried to update it using putty and it still wouldn't work. I called the hosting provider and they recommended adding this to a .htaccess file at the root folder:

php_value session.gc_maxlifetime 604800

It did not work.

They also suggested adding a .user.ini file in the root folder but that did not work either.

Sorry, I have no experience with ini_set statements, so to implement your suggestion, in the config_custom.php file would I just add the line:

ini_set session.gc_maxlifetime 604800

or

ini_set('set session.gc_maxlifetime','604800');
 

eugenio

Administrator
Staff member
For 604800 seconds, it's

ini_set('session.gc_maxlifetime', 604800);

but it's not the only parameter that affects session duration, also check the other two parameters mentioned in the video I linked before.

Best,
 

jason

New member
Thanks for all your suggestions Eugenio. I appreciate your help, this is a significant issue for my application.

I added to config_custom.php:
ini_set('session.gc_maxlifetime', 604800);
ini_set('session.gc_probability', 0);

I also added to the root folder of the webserver a .htaccess file and added the following lines:
php_value session.gc_maxlifetime 604800
php_value session.gc_probability 0

From the PHP.INI file I see that session.cookie_lifetime is set to 0.

session.save_path is set to '/opt/alt/php72/var/lib/php/session' which is write protected on my server and I cannot modify.

But still Dadabik logs out with about 15 min or so of inactivity and shows the Dadabik login screen, and won't accept any credentials.

You mention in your tutorial that "If, on your server, there are different scripts using different values of session.gc_maxlifetime and they share the same folder for storing the session data, then the minimum value of session.gc_maxlifetime found will be used. To avoid this issue, you can use session.save_path"

Would you mind expanding on this? I've looked at the PHP Runtime Configuration website but it is over my head.
 

eugenio

Administrator
Staff member
Hello,
I am not sure why you set gc_probability to 0 and I don't see the third parameter mentioned in the tutorial, but the best thing you can do is to ask your hosting provider IF you can extend PHP session timeout in your PHP application.
DaDaBIK doesn't treat sessions in any special ways so you just get the session timeout set in your environment.

Best,
 

jason

New member
Totally realize this is outside of the scope of Dadabik and applies to web server PHP config. Appreciate your help but won't take anymore of your time with this. Just thought our discussion might help others.

I had set php_value session.gc_probability 0 so that garbage collection probability is 0 so the session would never expire and session.gc_divisor wouldn't even be a factor. Am I misunderstanding how that works?
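
The session.save_path point from the tutorial quoted earlier in the thread, as an added example (not written by any poster and not DaDaBIK's own code): with PHP's file-based sessions, garbage collection triggered by any script that uses the same directory removes session files older than that script's own session.gc_maxlifetime, so setting session.gc_probability to 0 in one application does not protect its sessions in a shared folder. The function name, the placeholder directory and the 8-hour value are assumptions, as is the premise that config_custom.php runs before the session is started.

```php
<?php
// Added example: hypothetical helper, not part of DaDaBIK.
// Assumption: this file is loaded before any session_start() call.

function apply_session_lifetime(string $dir, int $seconds): array
{
    // Session ini settings cannot be changed once a session is active.
    if (session_status() !== PHP_SESSION_NONE) {
        return ['error' => 'session already started; settings ignored'];
    }

    // Private directory, owner-only, so no other site's garbage
    // collection (with a shorter gc_maxlifetime) touches these files.
    if (!is_dir($dir) && !mkdir($dir, 0700, true)) {
        return ['error' => "cannot create $dir"];
    }
    if (!is_writable($dir)) {
        return ['error' => "$dir is not writable"];
    }

    $wanted = [
        'session.save_path'       => $dir,
        'session.gc_maxlifetime'  => (string) $seconds,
        // Hardening for long-lived sessions (not from the thread):
        'session.cookie_httponly' => '1',
        'session.use_strict_mode' => '1',
    ];

    $report = [];
    foreach ($wanted as $key => $value) {
        // ini_set() returns false when the host refuses the change.
        $ok = ini_set($key, $value) !== false;
        $report[$key] = $ok ? ini_get($key) : 'REFUSED';
    }
    return $report;
}

// Placeholder path: replace ACCOUNT; keep the directory outside the web root.
$report = apply_session_lifetime('/home/ACCOUNT/private_sessions', 8 * 3600);

// Log what actually took effect instead of assuming the host allowed it.
error_log('session settings: ' . json_encode($report));
```

A `REFUSED` entry or an `error` key in the logged report means the host blocks that setting at runtime, which is the case to raise with the hosting provider.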
 

Matthijs

Member
Hi Jason, I also would like to run DaDaBIK in a new screen to improve for mobile.

Just curious: have you already found ways to avoid the logout?

Thanks!
 