  1. #71
    Join Date
    Jan 2004
    Posts
    66,373
    Blog Entries
    7
    Plugin Contributions
    274

    Default Re: Admin Keepalive Timer [Support Thread]

    Quote Originally Posted by Kjell Aa View Post
    My PC is not in any public place, and it will only be open when I am in front of my PC screen.
    Question: Do you ever forget to log off before you go to lunch, to bed? Or is there a 0% possibility that anyone could ever access your PC without you present?

    Quote Originally Posted by Kjell Aa View Post
    I want to stop this auto logout completely.
    I just want to log on to my admin page, and then it should stay logged in until I log off.
    Many sites, including banking sites, consider "when I have been away from my computer for too long" to be equal to logging off.
    What do *you* consider to be the equivalent of "logging off"? Do you mean ONLY when you click the "log off" button?

    Zen Cart is built around triggering logoff when you have walked away from the computer for a reasonable time, at which point the session will automatically expire and require a login again.


    But a much more important point is this: What exact problem caused you to initiate this discussion in the first place? Is it because you don't like "logging in"? Or were you editing a product description without saving it periodically and lost the changes because the session had expired in the background?
    The most important question here is why you're even asking the question. Can you describe that?

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.

  2. #72
    Join Date
    Jun 2009
    Posts
    32
    Plugin Contributions
    0

    Default Re: Admin Keepalive Timer [Support Thread]

    Quote Originally Posted by DrByte View Post
    Question: Do you ever forget to log off before you go to lunch, to bed? Or is there a 0% possibility that anyone could ever access your PC without you present?
    Does not matter, unless my house gets burglarized at night.
    0% possibility, I have full control of all persons in my house. (myself and the wife)


    Quote Originally Posted by DrByte View Post
    Many sites, including banking sites, consider "when I have been away from my computer for too long" to be equal to logging off.
    I am not a bank.

    Quote Originally Posted by DrByte View Post
    Zen Cart is built around triggering logoff when you have walked away from the computer for a reasonable time, at which point the session will automatically expire and require a login again.
    This is exactly what I want to avoid.
    That reasonable time is way too short, and I have to log in way too often.

    Quote Originally Posted by DrByte View Post
    But a much more important point is this: What exact problem caused you to initiate this discussion in the first place? Is it because you don't like "logging in"? Or were you editing a product description without saving it periodically and lost the changes because the session had expired in the background?
    The most important question here is why you're even asking the question. Can you describe that?
    I like to keep an eye on visitors to my website, and I have my PC on, and logged into the Who's online page.
    I can then do other things on my PC, or watch some TV or even get a beer.
    When I return to see if there's anyone visiting my website, I have to log on again.

    Kjell

  3. #73
    Join Date
    Jan 2004
    Posts
    66,373
    Blog Entries
    7
    Plugin Contributions
    274

    Default Re: Admin Keepalive Timer [Support Thread]

    Quote Originally Posted by Kjell Aa View Post
    PCL Compliance.

    In any case it seems to be a US requirement, I have never heard anything about this in Europe.
    It's also applicable in Europe. But, let's not argue about that. You don't care about security, and you want to override it. See below:

    Quote Originally Posted by Kjell Aa View Post
    Secondly, why do I need to create a separate Admin profile to leave the admin page open?
    My PC is not in any public place, and it will only be open when I am in front of my PC screen.
    Why? Just to ensure that no unauthorized person can hijack your site. But, again, you've said you don't care about security. So, read on:

    Quote Originally Posted by Kjell Aa View Post
    Quote Originally Posted by DrByte View Post
    Quote Originally Posted by Kjell Aa View Post
    I like to have the "who's online" page up just to pop in now and then to see if there's anyone there.

    Kjell Aa
    If you want to do that, it's fine, as long as you create a separate Admin profile with permissions to only that page, and then leave that admin user logged in someplace with a refresh every 15 min or less.
    Just don't leave someone logged in to an admin ID that has permission to access all the other parts of your admin.
    Third, where exactly do I put "Updating Manually"?
    You said you want the Who's Online page to stay up. To do that, open the Who's Online page, and notice that on the top right corner (assuming you're using the latest version of Zen Cart) there's an auto-refresh interval selection which offers choices of between 5 seconds and 10 minutes.
    When you do that, it will keep refreshing before a non-activity timeout can occur, thus it will be always logged in.
    And, for the sake of other readers of this discussion, that also means that anyone who walks by the computer will have complete access to your entire store's admin (according to whatever user profile you're logged in with) and can engage in unsupervised activity in your admin even if you're not present. The onus is on you to calculate that risk and any liability associated with it.

  4. #74
    Join Date
    Jun 2009
    Posts
    32
    Plugin Contributions
    0

    Default Re: Admin Keepalive Timer [Support Thread]

    Quote Originally Posted by DrByte View Post
    Just to ensure that no unauthorized person can hijack your site. But, again, you've said you don't care about security. So, read on:
    I do care about security.
    Where do I say otherwise?

    My PC is in my home, and security is taken care of through other means.
    I don't know how this is where you are located, but up here, "your home is your castle" applies.

    Kjell

  5. #75
    Join Date
    Mar 2016
    Location
    Laval, Quebec, Canada
    Posts
    3
    Plugin Contributions
    0

    Default Re: Admin Keepalive Timer [Support Thread]

    Quote Originally Posted by frank18 View Post
    Yes, this has been an issue for yonks and was first mentioned in this thread in Sept 2013.

    I have several ZC 1.5.4 installs on my local dev server (PHP 5.5.9, Apache 2.4 etc, Ubuntu OS, etc) and it happens only on one site, the others are not giving me the error. I did core file comparisons left, right and center but can't pin-point the cause of this annoying error. All the core files in admin are the same in all sites.

    Now I am thinking that there may be a clash with some other jscripts (from installed mods) which could produce that message..... so my next move will be to (temporarily) kick out all other non-core scripts from the admin/includes/javascript folder, test without them and add them back one by one. Tedious, but it may throw a light on this .... eventually.
    I'm getting to this discussion a few months later but I hope it's useful to others.

    I've just implemented the Keepalive Timer module in the admin area and I had the same problem where the keepalive.php page was being called through ajax and kept failing 5 times until the TEXT_KEEPALIVE_SERVER_UNREACHABLE_MESSAGE1 pop-up.

    I found it has to do with the $.ajax timeout value set to 450ms on line 170 in the /admin_area/includes/javascript/jquery.idletimeout.js file.

    Increasing that value to 3000 (3 seconds) solves it for me.

    @DrByte I'm wondering if calling the keepalive.php every minute during 10 minutes isn't defeating the purpose of having a 15 minutes session? Every time the keepalive.php script is being called, I see the expiration time on the session increase.

    If "idleAfter" is set to 600 seconds (10 minutes) before actually being defined as idle, it means the actual session still has 15 minutes to go. So, one can leave their computer idle for 10 minutes and still have an active session expiring in 15 minutes for a total of 25 minutes?

    I may need to tweak it a little, the company I work for are pretty serious about PCI. Thanks for the module!

  6. #76
    Join Date
    Jan 2004
    Posts
    66,373
    Blog Entries
    7
    Plugin Contributions
    274

    Default Re: Admin Keepalive Timer [Support Thread]

    Quote Originally Posted by jazzman346 View Post
    I'm getting to this discussion a few months later but I hope it's useful to others.

    I've just implemented the Keepalive Timer module in the admin area and I had the same problem where the keepalive.php page was being called through ajax and kept failing 5 times until the TEXT_KEEPALIVE_SERVER_UNREACHABLE_MESSAGE1 pop-up.

    I found it has to do with the $.ajax timeout value set to 450ms on line 170 in the /admin_area/includes/javascript/jquery.idletimeout.js file.

    Increasing that value to 3000 (3 seconds) solves it for me.

    @DrByte I'm wondering if calling the keepalive.php every minute during 10 minutes isn't defeating the purpose of having a 15 minutes session? Every time the keepalive.php script is being called, I see the expiration time on the session increase.

    If "idleAfter" is set to 600 seconds (10 minutes) before actually being defined as idle, it means the actual session still has 15 minutes to go. So, one can leave their computer idle for 10 minutes and still have an active session expiring in 15 minutes for a total of 25 minutes?

    I may need to tweak it a little, the company I work for are pretty serious about PCI. Thanks for the module!
    Ya, I've been meaning to look at that further. It probably should only do the ajax ping if the user gets the popup and says "ya, i want to continue working".
    Definitely open to code-change suggestions if you've got time to look into it.

  7. #77
    Join Date
    Mar 2016
    Location
    Laval, Quebec, Canada
    Posts
    3
    Plugin Contributions
    0

    Default Re: Admin Keepalive Timer [Support Thread]

    Quote Originally Posted by DrByte View Post
    Ya, I've been meaning to look at that further. It probably should only do the ajax ping if the user gets the popup and says "ya, i want to continue working".
    Definitely open to code-change suggestions if you've got time to look into it.
    Good point! I didn't think about changing the code this way but I'll come back to it. I just had too many things to work on besides the idle timeout. My goal will be to create a session timeout into the Front End within a month or two, feature request from my boss.

    So right now, besides changing the jquery.idletimeout.js to 3 seconds, I've set the Admin Session Timeout to 300 seconds (5 minutes).

    I've also changed line 84 of the keepalive_module.php file to:
    Code:
    warningLength: <?php echo SESSION_TIMEOUT_ADMIN-70; ?>, // countdown timer with remaining session time minus polling time (last keepalive call) + 10secs buffer
    That way, I do respect the 15 minutes PCI specs and it seems to work fine. Of course, I'll get feedback from the real admins in the next few weeks.
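
The timing argument from posts #75 to #77, as an added example that is not part of the thread or the plugin's code: it models when the server-side session expires for an admin tab left unattended. It assumes keepalive pings stop once idleAfter is reached; pollingInterval is the name used here for the one-minute ping period, and the function names are hypothetical.

```javascript
// Added example: timing model for the thread's numbers, not the plugin's code.
// All times are seconds since the last real user action (t = 0).
// Assumption: keepalive pings stop once idleAfter is reached.

// Server-side expiry time when the first ping fires `phase` seconds after t = 0.
function sessionExpiry(cfg, phase) {
  let expiresAt = cfg.sessionTimeout;
  if (!cfg.pingWhileCounting) return expiresAt;
  for (let t = phase; t <= cfg.idleAfter; t += cfg.pollingInterval) {
    if (t >= expiresAt) break;           // session already expired, ping rejected
    expiresAt = t + cfg.sessionTimeout;  // accepted ping slides the expiry forward
  }
  return expiresAt;
}

// Try every ping alignment; return [earliest, latest] possible expiry.
function expiryRange(cfg) {
  let earliest = Infinity, latest = 0;
  for (let phase = 1; phase <= cfg.pollingInterval; phase++) {
    const e = sessionExpiry(cfg, phase);
    earliest = Math.min(earliest, e);
    latest = Math.max(latest, e);
  }
  return [earliest, latest];
}

// Longest time an unattended tab keeps a valid admin session.
const maxUnattended = (cfg) => expiryRange(cfg)[1];

// Seconds between the end of the warning countdown and the earliest server
// expiry. Negative means the session can die while the countdown is running.
const countdownMargin = (cfg) =>
  expiryRange(cfg)[0] - (cfg.idleAfter + cfg.warningLength);

// Post #75: 15 min session, idle after 10 min, ping every minute.
const asReported = { sessionTimeout: 900, idleAfter: 600,
                     pollingInterval: 60, pingWhileCounting: true };
// Post #77: session cut to 300 s, warningLength = SESSION_TIMEOUT_ADMIN - 70.
const shortened = { ...asReported, sessionTimeout: 300, warningLength: 300 - 70 };
// Post #76 idea: no background pings, extend only when the user confirms.
const confirmOnly = { ...asReported, pingWhileCounting: false };

console.log(maxUnattended(asReported));
console.log(maxUnattended(shortened), countdownMargin(shortened));
console.log(maxUnattended(confirmOnly));
```

The first configuration gives 1500 s (the 25 minutes from post #75); the shortened session gives 900 s with the countdown ending 11 s before the earliest possible expiry, and pinging only on confirmation also gives 900 s without shortening the session.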

  8. #78
    Join Date
    Mar 2016
    Location
    Laval, Quebec, Canada
    Posts
    3
    Plugin Contributions
    0

    Default Re: Admin Keepalive Timer [Support Thread]

    Following my last post, I proceeded with my latest release including the Keepalive timer module. It was working so well for me for the last three weeks so I was certain there would be no issue. Unfortunately, there is one -> Admin Profiles. I'm a super user, I can access any pages ... not the regular users. As a result, they get the "We are unable to connect to the server. [...]" pop-up after 5 failed requests (5 minutes) as the keepalive.php page called through AJAX always returns the denied page for them.

    So, the fix for this is simple. We need to put it in the exception pages array on line 49 of the /admin/includes/init_includes/init_admin_auth.php in V1.5.5
    Code:
    if (!in_array($page, array(FILENAME_DEFAULT,FILENAME_ADMIN_ACCOUNT,FILENAME_LOGOFF,FILENAME_ALERT_PAGE,FILENAME_PASSWORD_FORGOTTEN,FILENAME_DENIED,FILENAME_ALT_NAV,FILENAME_KEEPALIVE)) &&
    Then in /includes/filenames.php we need to add the corresponding constant:
    Code:
    define('FILENAME_KEEPALIVE', 'keepalive');

  9. #79
    Join Date
    Aug 2007
    Location
    Gijón, Asturias, Spain
    Posts
    2,589
    Plugin Contributions
    30

    Default Re: Admin Keepalive Timer [Support Thread]

    All the language constants used by this/in ZC156 are defined in the code:
    PHP Code:
    if (!defined('TEXT_TIMEOUT_WARNING')) define('TEXT_TIMEOUT_WARNING', '**WARNING**');
    1) I assume the correct place for the translations is /extra_definitions?

    2) Is this practice something that will be implemented in the future, or it's a one-off to simplify installation of this particular plugin?
    Steve
    github.com/torvista: Spanish Language Pack, Google reCaptcha, Structured Data, Multiple Copy-Move-Delete, Image Checker, BackupMySQL Admin/Auto...

 

 