Logging into the Backoffice 7.3 loses UMB_UCONTEXT cookie.
Hi,
So I upgraded my solution from Umbraco 7.2.8 to 7.3.0 and ran into an issue. I could sign into the back office fine, but it would log me out randomly after a minute or two.
Digging into the source code, it was because the UMB_UCONTEXT cookie's domain was null. This was occurring because I had the umbracoSetting keepUserLoggedIn set to true and that would cause the cookie to be refreshed here: https://github.com/umbraco/Umbraco-CMS/blob/dev-v7/src/Umbraco.Web/Security/Identity/GetUserSecondsMiddleWare.cs#L86 with a null domain.
After digging further into the source code, I noticed it was trying to pull that AuthCookieDomain from the umbracoSettings.config here: https://github.com/umbraco/Umbraco-CMS/blob/dev-v7/src/Umbraco.Core/Configuration/UmbracoSettings/SecurityElement.cs#L44.
To remedy this issue, I had to add a key to the security section of the umbracoSettings.config called authCookieDomain.
My question is if this is a bug or expected behavior? If this is expected behavior it should probably be documented as a breaking change as I have spent days trying to track this issue down. It very well could just be a problem with my install as well.
Thanks!
Actually, I just found this issue on the issue tracker with a pull request, so I assume this will be fixed in 7.3.1. http://issues.umbraco.org/issue/U4-7118
Hi, this 'fix' is not the correct fix and actually causes more issues:
http://issues.umbraco.org/issue/U4-7118#comment=67-24278
I'm reverting this fix. I don't believe ever setting the domain to literally be the string "FALSE" is correct. In some server side frameworks, setting the domain to be a boolean false might work but setting it to a null value is correct and yields the expected result. This change will be reverted.
Running on localhost without specifying a domain will not include the domain in the response, which is the right behavior.
The symptoms of this problem may be because people are running multiple test sites on localhost at one time and if one site cannot decrypt the same cookie, it probably deletes it.
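How a user agent following RFC 6265 (sections 5.2.3 and 5.3) treats the three cases discussed in the reply above: no Domain attribute, the literal string "FALSE", and a configured domain. This is an added example, not Umbraco's code and not part of the original thread; the headers are constructed, `example.test` is a placeholder domain, and the public-suffix and IP-address rules are left out.

```javascript
// Added example: Domain attribute handling per RFC 6265 (simplified).

// RFC 6265 5.2.3: read the Domain attribute from a Set-Cookie header value.
function parseDomainAttribute(setCookie) {
  let domain = "";
  for (const av of setCookie.split(";").slice(1)) { // skip the name=value pair
    const eq = av.indexOf("=");
    const name = (eq === -1 ? av : av.slice(0, eq)).trim().toLowerCase();
    let value = eq === -1 ? "" : av.slice(eq + 1).trim();
    if (name !== "domain" || value === "") continue; // empty value: attribute ignored
    if (value.startsWith(".")) value = value.slice(1); // leading dot is dropped
    domain = value.toLowerCase(); // last Domain attribute wins
  }
  return domain;
}

// RFC 6265 5.1.3: identical strings, or host ends with "." + domain.
function domainMatch(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// RFC 6265 5.3 step 6: is the cookie stored, and with what scope?
function storeDecision(requestHost, setCookie) {
  const host = requestHost.toLowerCase();
  const domain = parseDomainAttribute(setCookie);
  // No Domain attribute: host-only cookie bound to the exact request host.
  if (domain === "") return { stored: true, hostOnly: true, domain: host };
  // Domain attribute that does not match the request host: cookie is ignored.
  if (!domainMatch(host, domain)) return { stored: false, hostOnly: false, domain };
  // Matching Domain attribute: cookie is also sent to subdomains.
  return { stored: true, hostOnly: false, domain };
}

// Constructed headers; the cookie value is a placeholder.
const noDomain = "UMB_UCONTEXT=PLACEHOLDER; path=/; HttpOnly";
const literalFalse = "UMB_UCONTEXT=PLACEHOLDER; domain=FALSE; path=/; HttpOnly";
const configured = "UMB_UCONTEXT=PLACEHOLDER; domain=example.test; path=/; HttpOnly";

console.log(storeDecision("localhost", noDomain));
console.log(storeDecision("localhost", literalFalse));
console.log(storeDecision("cms.example.test", configured));
```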
This is now an issue in Umbraco 7.3.2: http://issues.umbraco.org/issue/U4-7464
I have a sneaky suspicion this is related to BST, where the cookie date stamp isn't taking into consideration the extra hour :-)
Set the Timeout to 80min, and that'll give you the 20min of login magic.