Doing some further login/cookie investigation, discovered a few AJAX files that weren't setting the session and yet the were pulling in the user class resulting in the cookie being regenerated when the user class detects no session and then starts it. Going to fix those and then carry on investigating, it's entirely possibly they were one part of the issue since they were messing with the session when not needed. Keep your fingers crossed.

*fingers crossed*^_^

Right, the fixes are up. Do let me know if you continue to see logouts.

1 hour ago i was logged in, now i was logged out again. But maybe that was legacy, we'll see tomorrow for sure xD

Quoting: Termy1 hour ago i was logged in, now i was logged out again. But maybe that was legacy, we'll see tomorrow for sure xD

I am curious to know if you manage to figure out anything in particular that does it. Would like to narrow it down now the above issues are solved.

So i was just logged out again - i took a look at the cookies this morning and noticed that gol-device and gol_session were not there despite still being logged in?!
I've now saved the cookies and next time i'm logged out i will try loading them again and see if they get deleted again.

Quoting: Liam Dawe

Quoting: Termy1 hour ago i was logged in, now i was logged out again. But maybe that was legacy, we'll see tomorrow for sure xD

I am curious to know if you manage to figure out anything in particular that does it. Would like to narrow it down now the above issues are solved.

Ok, it seems that the site really is deleting gol-device and gol_session after a time. I was just logged out, the cookies were gone. I recovered the backup, reload the site - cookies deleted.

I would assume that the hash stored in this cookies is also stored somewhere on the server and deleted if they don't match or something like that?

Edit: i just tried editing the values of those two cookies - no logout. But as soon as i also edited the value of the PHPSESSID cookie, i was logged out and the other two cookies were deleted.
I then tried to only modify PHPSESSID, but that didn't log me out or delete the cookies.

So it seems all three cookies have to mismatch? I'm no Webdev, but maybe you can make something of this? ^^

Last edited by Termy on 28 November 2019 at 8:35 am UTC

Messing with the cookies won't do much, until your session expires and they're read again.

Still tracking where it happens, but since my fixes posted earlier it's not happened once to me personally when I saw it often. So it must be something you're doing, that I'm not where it happens.

Quoting: Liam DaweMessing with the cookies won't do much, until your session expires and they're read again.

Still tracking where it happens, but since my fixes posted earlier it's not happened once to me personally when I saw it often. So it must be something you're doing, that I'm not where it happens.

Well, it does do something: make the site delete the cookies ;)
If i modify the value of all three cookies (just changed the last digit) and then visit the site, gol-device and gol_session get deleted despite expiry set to 27-01-2020 and i'm no longer logged in.

Quoting: Termy

Quoting: Liam DaweMessing with the cookies won't do much, until your session expires and they're read again.

Still tracking where it happens, but since my fixes posted earlier it's not happened once to me personally when I saw it often. So it must be something you're doing, that I'm not where it happens.

Well, it does do something: make the site delete the cookies ;)
If i modify the value of all three cookies (just changed the last digit) and then visit the site, gol-device and gol_session get deleted despite expiry set to 27-01-2020 and i'm no longer logged in.

Yes, if you modify the gol_session cookie, the next time it is read when your session expires it will kick you out. It's supposed to do that ;)

Quoting: Liam DaweYes, if you modify the gol_session cookie, the next time it is read when your session expires it will kick you out. It's supposed to do that ;)

i would have assumed something like that.
But i just tried it - closing the tab, modify only gol_session - open a new tab and to to GoL - still logged in.
Or is the session kept alive based on IP?

Quoting: Termy

Quoting: Liam DaweYes, if you modify the gol_session cookie, the next time it is read when your session expires it will kick you out. It's supposed to do that ;)

i would have assumed something like that.
But i just tried it - closing the tab, modify only gol_session - open a new tab and to to GoL - still logged in.
Or is the session kept alive based on IP?

Can't remember exactly how it's done, but a session will expire by itself after a period of time. This isn't part of the issue though, still tracking what exactly is causing it.

Ok, can confirm, a while after modifying gol_session i was logged out ^^
Let me know if there is anything else i could provide to narrow it down

Quoting: TermyOk, can confirm, a while after modifying gol_session i was logged out ^^
Let me know if there is anything else i could provide to narrow it down

It's a very tricky thing to find, as for me it's now working fine. Haven't had a single logout since I fixed those AJAX calls not pulling the session.

I've added some extra logging to detect if there's any pages that don't get the session for whatever reason, to see if perhaps there's still a call somewhere that is missing it.

Without a confirmed method of getting it though (and I don't mean messing with cookies manually, has to be the site itself), it's extremely difficult to find.

Well, for me the confirmed method is "wait a day" - it seems to be roughly 24h, but definitely with some variation :/
I always call the main page first (https://www.gamingonlinux.com/ to be exact), no subpage. Is there any kind of browser log that could be of interest? Firefox' console doesn't seem to contain anything in that regard.

I do have some sort of an idea I'm trying now, I've been wanting to boost the cookie/authentication security for a while so I'm doing that now to possible kill two birds with one stone.

It's live, you will likely see a one-time logout now as I won't risk changing old cookies to new.

Do update me in a few days if you now see no logouts!

Edit: So far it seems stable, I've removed my own session and closed desktop/mobile browser - both keeping me logged in. Keen to see how it goes after a day or two,

Last edited by Liam Dawe on 28 November 2019 at 6:30 pm UTC

Quoting: Liam DaweIt's live, you will likely see a one-time logout now as I won't risk changing old cookies to new.

Do update me in a few days if you now see no logouts!

Edit: So far it seems stable, I've removed my own session and closed desktop/mobile browser - both keeping me logged in. Keen to see how it goes after a day or two,

nope, still getting logged out :(
First yesterday, i then cleaned the cookies once more, just to be sure - but now i was just logged out again :/

FWIW, I was also having login session issues a few weeks ago, but I could only reproduce it on one machine, and in a single browser (qutebrowser-git). I've since updated the browser, and I no longer have the issue (either because it was a bug that got fixed in the browser, or because Liam's session fixes worked for me)

Last edited by WorMzy on 1 December 2019 at 7:19 pm UTC

Ok, i'm just back in the office and my login from friday is still active on this machine. So it seems it's at least an improvement xD

Edit: Cancel that - logged out again :/

Last edited by Termy on 2 December 2019 at 8:32 am UTC