Login/user session issues after upgrade from 2.8 to 3.1.1

by Jay van Santen -
Number of replies: 20

After the upgrade, we're experiencing a problem with user logins/previous sessions.

The behavior is this: when a user accesses the site for first time, they are logged in apparently as the previous user on the system.

And, when a user accesses the site after having created a login, they are actually automatically logged in as the previous user.

I'm not a Moodle expert, have PHP background but am supporting a friend.

The setup is pretty straightforward. He's a consultant and uses Moodle to support the online portion of his classes -- 1 class at present.

We use one of the standard themes and have a couple add-ons -- one for PayPal and one for certificates.

There are multiple Moodle test sites in the directory, but this is the only one active. There aren't any shared databases or users with any of the test instances.

Any thoughts? TIA


In reply to Jay van Santen

Re: Login/user session issues after upgrade from 2.8 to 3.1.1

by Ken Task -
Picture of Particularly helpful Moodlers

There's been only one time where I've witnessed the same behavior. School computer lab where every system was set up with a 'buddy card' - one computer, 2 users had their own KB,M,M. If both users used the same browser, they were sharing the cookies in the shared browser. Whichever student logged on first was also what the other student saw on their screen.

So are the users accessing the Moodle in some similar setup?

Are users logging out? or are they just closing the browser window?   Are browsers set to remove cookies, history, etc. on close?   How are users authenticating?

On the server end, sessions are stored in moodledata/sessions and are approx 1K files. You can manually remove them all - leave the sessions directory. When you do that, anyone logged on will be forced to re-login on their next click.

Also, after upgrades, it's usually a good idea to purge caches. That can be done by Moodle Admin UI but sometimes one needs to get nasty with that. One can also manually remove the contents of moodledata/cache/ and moodledata/localcache/. They will rebuild as users access and click around.

That's about the only thoughts I have. :|

'spirit of sharing', Ken


In reply to Ken Task

Re: Login/user session issues after upgrade from 2.8 to 3.1.1

by Jay van Santen -

Ken --

Thanks for your thoughts.

Let me identify the progress that we've made. First, I elaborated a bit on the upgrade process, so that I had a test site in addition to the live site -- a combination of migrating and exporting.

What I didn't do, and now realize that I needed to and have done since, is to purge the cache or delete the folders when that occurs. Those cache files, after migration, clearly refer to the old database connection.

We've instructed users to shut down and also to remove their browser's cache. That seems to have resolved most issues. We're still working with a couple on their specific install.

Jay

In response to your specific questions, for lurkers, all students are remote and working on distinct machines. So, each machine is really setup according to their own personal preferences. This isn't a classroom setting, but I'll take into consideration those issues.

In reply to Jay van Santen

Re: Login/user session issues after upgrade from 2.8 to 3.1.1

by Jay van Santen -

Unfortunately, we're still having problems with session management -- with the user logon changing midsession.

Any additional thoughts would be appreciated.

Jay

In reply to Jay van Santen

Re: Login/user session issues after upgrade from 2.8 to 3.1.1

by Ken Task -
Picture of Particularly helpful Moodlers

First, suggest double checking:

http://site/admin/search.php?query=session

Session Handling
Timeout is set by default to 2 hours.
Cookie prefix conflict for some users ... those would affect admin level users
that login to two different moodle installs at the same time using same browser.

Is Cookie Path set to anything other than default?
How about Cookie domain?

In
http://site/admin/tool/task/scheduledtasks.php

There is a task for 'cleanup old sessions'.  Defaults set to run ASAP.
It's like a cron job set to run at any minute, of any hour, of any Day, etc..
It's called by the main cron job.
How often are you running cron?

Not sure what 'midsession' means.

Am trying to understand ... User A and User B happen to login around 2PM (not exactly at same second, etc. but about 2PM).   Somewhere during their sessions, User A sees they are now User B?

Site running https or plain ole http?

If the above were true, it sounds like site might be vulnerable to session hijacking .... or some exploit involving the few students affected (you cannot control from where they connect ... so it could be a 'man in the middle' type of exploit).

Now am NOT saying that's what it is, just thinking out loud with what information shared.

Am about out of ideas.

'spirit of sharing', Ken


In reply to Ken Task

Re: Login/user session issues after upgrade from 2.8 to 3.1.1

by Jay van Santen -

Ken --

Thanks again for responding.

Yes, that's precisely what we're seeing right now -- admin is logged in and midsession is logged on as another user, with only the permissions for that user.

I'll review the other suggestions that you've made.

Jay

In reply to Jay van Santen

Re: Login/user session issues after upgrade from 2.8 to 3.1.1

by Jay van Santen -

Since this behavior immediately follows an upgrade, I think that it would be an unlikely coincidence that it were the object of a cyber attack.

In reply to Jay van Santen

Re: Login/user session issues after upgrade from 2.8 to 3.1.1

by Ken Task -
Picture of Particularly helpful Moodlers

Am still having a hard time truly understanding ....

Admin user logged on ... using workstation located in Jaboink.   Not on the same physical network as 'midsession' user (confusing that user would be called that since this is an issue with sessions).

'midsession' user logged on ... using a workstation located in OUTER jaboink - NOT on the same physical network as Admin user .... at the Starbucks downtown OUTER Jaboink.

Yet you say, Admin or midsession users after logging on and doing stuff, *see* they are suddenly the other user?

Don't know how a sessions file in Moodle could be assigned to a different user while both logged on cause that would involve updating the cookies on each users machine as well.

???????

'spirit of sharing', Ken





In reply to Ken Task

Re: Login/user session issues after upgrade from 2.8 to 3.1.1

by Jay van Santen -

Ken --

Thanks again for sticking with this.

Yes, that's a good scenario.

I don't know if both users are on the site at the same time. But, user A (either admin or student) is in the system, and at some point they change to a different user.

OK, one more wrinkle that may explain this behavior.

First, to review:

1.    Original Site A is copied to Site B on same server (the migration phase) with A's DB backed up and restored to B, and A's MoodleData is copied to a new folder for B.

2.    Site B config.php is modified with new mappings. The utility to replace the old site address with new is run to update B's DB.

3.    Site B is upgraded, by putting in maintenance mode, renaming Moodle 2.8 folder, installing Moodle 3.1 in 2.8 folder, and taking out of maintenance mode.

NOTE that B's MoodleData's 2 cache folders have not been cleared, retaining significant information from the A instance.

Then, the user adds new content.

The resulting behavior apparently is that the old content works fine. But, when users access the new content, they experience the behavior.

So, I wonder if it's not a session issue, but an ownership issue of assets. I'm not familiar with Moodle's handling of ownership, but I wonder if that could be the cause of the behavior.

Even after clearing cache on the server and on client machines, the undesired behavior recurs after a while. It operates fine for a bit, and then the switching user behavior occurs. This to me suggests that it is not a session issue, per se, but an asset ownership issue.

Is there a way of modifying the database to address this?

Thanks

In reply to Jay van Santen

Re: Login/user session issues after upgrade from 2.8 to 3.1.1

by Ken Task -
Picture of Particularly helpful Moodlers

Since both of the sites are on the same physical server (thus same URL except the directory) think I'd make sure the cookie prefix is different for both sites.

For Site A: set cookie prefix to SITEA

For Site B: set cookie prefix to SITEB

In both instances, *manually* remove the contents of:

SITEA moodledata/cache/ and moodledata/localcache/.

SITEB it's moodledata/cache and moodledata/localcache/

If your usage of the admin search and replace tool was effective and properly used, all the links in SITEB should point to http://host/SITEB/

One way to find out ... do a dump of the DB for SITEB. That action puts all its content into an .sql file which is really an ASCII (text) file. Then using any tool you have to open ASCII files and that has SEARCH, search for 'http://host/SITEA/' ... include the http://host/ in front and the trailing slash at the end. That search should return no hits.

The users' logins/passwords on both sites should be the same since SITEB is a clone of SITEA and the only difference is moodle version + /pathsto/ + URLs.

As far as I know, all web services basically use an operating system user defined as the owner of the web server processes ... ownerships and permissions on files all point to that owner.   Regardless of who the user is in Moodle be it student or admin level user, their request of anything web based passes to the app as that web server user.   The only ID's (names, permissions to do things) to Moodle users are contained in the DB and handled by the DB for every site.

NO individual user of a Moodle has actual rights over anything in a Moodle code/data by their login name. That's all done with roles.

So this thing you are calling 'asset ownership issue'?

And, I'd do one more thing to make sure that DB isn't being used for sessions. In each site's config.php file add a line:

$CFG->dbsessions='0';

That will prevent either site from using DB for sessions.  Can't reset that via the Moodle Admin UI.

'spirit of sharing', Ken
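The checks described in this reply (leftover SITEA links in SITEB's dump, a distinct cookie prefix per site, and cache directories that still hold files), as an added shell example that is not part of the original post. All file names and sample contents are constructed; it assumes the prefix is forced in config.php as `$CFG->sessioncookie`, so a prefix set only through the admin UI (stored in the database) will not show up here.

```shell
#!/bin/sh
# Added example: audit a cloned Moodle site for leftovers from the original.

# Count lines in an SQL dump that still reference the old site URL.
# Search with scheme/host in front and the trailing slash, as advised above.
count_old_urls() {
    # $1 = dump file, $2 = old URL; -F matches the URL as a fixed string.
    grep -cF -- "$2" "$1" || true
}

# Print the cookie prefix forced in a config.php, if any.
# Assumption: it is set as  $CFG->sessioncookie = '...';
cookie_prefix() {
    sed -n "s/^[[:space:]]*\\\$CFG->sessioncookie[[:space:]]*=[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" |
        tail -n 1
}

# Succeeds only if both config files force a prefix and the two differ.
prefixes_distinct() {
    a=$(cookie_prefix "$1"); b=$(cookie_prefix "$2")
    [ -n "$a" ] && [ -n "$b" ] && [ "$a" != "$b" ]
}

# Count files still sitting in a moodledata's cache/ and localcache/.
cache_file_count() {
    find "$1/cache" "$1/localcache" -type f 2>/dev/null | wc -l | tr -d ' '
}

# --- Constructed sample data (not from a real site) ---
SAMPLE=$(mktemp -d)
mkdir -p "$SAMPLE/siteb_data/cache" "$SAMPLE/siteb_data/localcache"
printf 'x' > "$SAMPLE/siteb_data/cache/leftover.cache"
cat > "$SAMPLE/siteb.sql" <<'EOF'
INSERT INTO mdl_example VALUES (1,'<a href="http://host/SITEA/mod/page/view.php?id=3">old</a>');
INSERT INTO mdl_example VALUES (2,'<a href="http://host/SITEB/mod/page/view.php?id=4">new</a>');
EOF
printf "<?php\n\$CFG->sessioncookie = 'SITEA';\n" > "$SAMPLE/a_config.php"
printf "<?php\n\$CFG->sessioncookie = 'SITEB';\n" > "$SAMPLE/b_config.php"

echo "lines still pointing at SITEA: $(count_old_urls "$SAMPLE/siteb.sql" 'http://host/SITEA/')"
echo "files left in SITEB caches:    $(cache_file_count "$SAMPLE/siteb_data")"
if prefixes_distinct "$SAMPLE/a_config.php" "$SAMPLE/b_config.php"; then
    echo "cookie prefixes differ"
else
    echo "cookie prefixes collide or are not forced in config.php"
fi
```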




In reply to Ken Task

Re: Login/user session issues after upgrade from 2.8 to 3.1.1

by Jay van Santen -

Ken --

Thanks so much for your careful description. I'll try these suggestions out and see if we're able to resolve the problem.

I've recognized in this process that I can do some simple tasks in Moodle, but I don't work in it more than a few hours a year. This clearly isn't enough to address problems in a timely manner when they arise.

I wondered if you currently consult and might be interested in taking on a client? Matt's needs are not that great -- he runs online courses for his consulting practice. But, I would feel comfortable with him having someone with good background in Moodle behind him.

Many thanks!

In reply to Jay van Santen

Re: Login/user session issues after upgrade from 2.8 to 3.1.1

by Ken Task -
Picture of Particularly helpful Moodlers

Moodles do require some maintenance and monitoring.   From what you've described you did ... I can't find any fault/error/mis-step.   The only other thought is authentication.   Do both sites use the same authentication method/plugin?

I'll PM you concerning the offer.

'spirit of sharing', Ken


In reply to Jay van Santen

Re: Login/user session issues after upgrade from 2.8 to 3.1.1

by Sean Marx -
Picture of Testers

Hi Jay

I have come across the same problem as the one you have described. A company contacted me to take a look at their Moodle site (Moodle 2.9).

  • Once you have logged in, the site homepage is displayed with the log in link still available (top right)
  • If you type domain/my - you find that you are logged in, but not always with the user account you logged in with
  • Sometimes you can log in, and the dashboard page displays. Move to another page and the user (top right) changes to another person


What I have done so far:

  • I checked, as Ken suggested, that the scheduled tasks are running
  • I deleted the localcache, cache and session directories in moodledata
  • Deleted installed plugins that were not for this version of Moodle
  • Had a look at the content of the session file, and could see the file is updated


If you have solved this problem, please let me know.

Thanks

Sean



In reply to Sean Marx

Re: Login/user session issues after upgrade from 2.8 to 3.1.1

by Ken Task -
Picture of Particularly helpful Moodlers

@Sean ... Jay might be long gone (profile no longer available in Moodle). Anyhoo ... Jay did grant me access to the site and after investigation, if I recall correctly, the recommendation was to upgrade the Moodle. They decided not to upgrade, rolled the site back to previous version, and the problem went away (not fixed of course). BTW, did the investigation for free.

Now to your problem ... there was another discussion similar and a poster suggested checking into an apache proxy, a re-write rule,  or any such thing in front of the Moodle that might be caching.

Got command line access to anything that has curl?

curl --proxy http://[yourserver]:80 https://google.com

Use https if your server running https.

If the response is something like:

curl: (56) Received HTTP code 405 from proxy after CONNECT

Your server isn't a proxy.  405 means (method not allowed) the first server in the curl command (your server) would not act as proxy to the other url.

If your server has re-write rules, there are sites 'out there' that will allow you to copy and paste your rules and it will check those rules.

'spirit of sharing', Ken
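A complementary check for the "something in front of the Moodle that might be caching" theory in this reply, as an added shell example that is not part of the original post: two requests sent without cookies must each receive a fresh session cookie, and a response that sets one should not come from a cache. The header captures are constructed samples (live ones could be taken with `curl -s -D - -o /dev/null` against the login page), and the code assumes the session cookie name starts with `MoodleSession`.

```shell
#!/bin/sh
# Added example: spot a caching layer replaying session cookies.

# Print name=value of the first MoodleSession* cookie in a header capture.
session_cookie() {
    tr -d '\r' < "$1" |
        sed -n 's/^[Ss]et-[Cc]ookie:[[:space:]]*\(MoodleSession[^=]*=[^;]*\).*/\1/p' |
        head -n 1
}

# Succeeds if the response shows signs of coming from a shared cache:
# an Age header (added by caches) or an X-Cache header reporting a hit.
served_from_cache() {
    tr -d '\r' < "$1" | grep -Eiq '^(age:[[:space:]]*[0-9]+|x-cache:.*hit)'
}

# Compare two captures taken with no cookies sent; print one verdict.
check_pair() {
    c1=$(session_cookie "$1"); c2=$(session_cookie "$2")
    if [ -n "$c1" ] && [ "$c1" = "$c2" ]; then
        echo "SHARED-SESSION"      # both clients were handed the same session
    elif [ -n "$c2" ] && served_from_cache "$2"; then
        echo "CACHED-SET-COOKIE"   # a cookie-bearing response came from a cache
    else
        echo "OK"
    fi
}

# --- Constructed header captures (not from a real site) ---
D=$(mktemp -d)
cat > "$D/first.txt" <<'EOF'
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Set-Cookie: MoodleSessionSITEB=constructedvalue0001; path=/SITEB/
EOF
cat > "$D/replayed.txt" <<'EOF'
HTTP/1.1 200 OK
Age: 37
X-Cache: HIT
Set-Cookie: MoodleSessionSITEB=constructedvalue0001; path=/SITEB/
EOF
cat > "$D/fresh.txt" <<'EOF'
HTTP/1.1 200 OK
Set-Cookie: MoodleSessionSITEB=constructedvalue0002; path=/SITEB/
EOF

echo "first vs replayed: $(check_pair "$D/first.txt" "$D/replayed.txt")"
echo "first vs fresh:    $(check_pair "$D/first.txt" "$D/fresh.txt")"
```

A SHARED-SESSION verdict means the layer in front of Moodle is handing one visitor's session cookie to another, which matches the "logged in as the previous user" symptom.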

In reply to Ken Task

Re: Login/user session issues after upgrade from 2.8 to 3.1.1

by Sean Marx -
Picture of Testers

Hi Ken

Really appreciate your prompt response and help. I added the line below to the config file and that seems to be holding for now. I'll only really know when the server gets busy.

I don't have command line access, but will pass your suggestion on to the client.

$CFG->tracksessionip= True;


This is also free work, but it's good to give back.


Related post: https://moodle.org/mod/forum/discuss.php?d=251472&mode=1 

In reply to Sean Marx

Re: Login/user session issues after upgrade from 2.8 to 3.1.1

by Ken Task -
Picture of Particularly helpful Moodlers

Good find!  Hadn't seen that one.

Interesting ...
that variable isn't stored in mdl_config table of the Moodle.
But, even with it on, moodle does log to mdl_sessions.   What's more,  even if one
has in config.php db sessions = 0 ... i.e., don't use DB for sessions, moodle still logs to mdl_sessions for other purposes, I guess.

There are files in moodledata/sessions/

In playing around with this on a tinker site where there were only 2 users
accessing that had accounts, I watched the moodledata/sessions/ directory ...
literally ... using:

cd /pathtomoodledata/sessions
watch "ls -l"

Watched files being created.   And when one of the test users logged out,
one could see the session file that was being updated ... actually got smaller.

In one of the session files, the one with the fewest number of bytes ... like 115 ... noted this ... in clear text "has_timed_out"

Also, never noticed this before, in the session files there are 'permissions' (abilities) ...
like moodle/user:viewdetails.

Hmmmm .... finding logged on as a student, the session file should have something
that makes that file uniquely ID'd as belonging to a student but hadn't seen something that stands out.
The following were not a student ... but wonder if there is something one could
search that would ID the session file belonging to a 'typical student'.

moodle/user:editownmessageprofile
report/usersessions:manageownsessions
moodle/user:changeownpassword

Dunno that this would help anyone ... but it might be useful in troubleshooting ... if one has command line access, that is.

'spirit of sharing', Ken


In reply to Ken Task

Re: Login/user session issues after upgrade from 2.8 to 3.1.1

by Sean Marx -
Picture of Testers

Hi Ken

Just some feedback. Sadly $CFG->tracksessionip= True; did not stand up under a number of concurrent connections.

Looks like the client will be upgrading to Moodle 3.1.

Thanks again for the help.

Sean

In reply to Sean Marx

Re: Login/user session issues after upgrade from 2.8 to 3.1.1

by Ken Task -
Picture of Particularly helpful Moodlers

Maybe it's time to install mysqltuner.pl

and run it on the DB for the site.

http://mysqltuner.com/

Session information ... even if set to use files in moodledata/sessions is recorded in DB.   Am wondering if max_connections to the DB isn't too low and that's affecting sessions - dropped connection to DB.

That's a guess, of course.

'spirit of sharing', Ken

In reply to Ken Task

Re: Login/user session issues after upgrade from 2.8 to 3.1.1

by Wissam Nahas -

Dear All,

Actually we had the same issue with "mdl_sessions.idb" table. We did the upgrade from 2.9.4 to 3.1.3 last Dec. 28, 2016. Everything was smooth until our semester started on Jan. 24. On Jan 31st our Moodle crashed with "error connecting to database" message. We noticed that the reason behind this was a tremendous increase of this table's size.

We deleted all the logs of this table and we are monitoring its size since Feb. 1. The result was an increase of 23 GB today in the table size within 10 days.

Is this normal? Is there a way we can clear the logs automatically? Are there any changes in the table structure in Moodle 3.x, since we did not face any problem on legacy versions.

Moreover, if we enable "limitconcurrentlogins" to 1, will this reduce the table size?

By the way, we are still running the same number of courses and users (3000+ courses & 15,000+ users) with no increase.


Please advise,
Wissam Nahas

In reply to Wissam Nahas

Re: Login/user session issues after upgrade from 2.8 to 3.1.1

by Ken Task -
Picture of Particularly helpful Moodlers

Have to chuckle ... sorry ...  is there such a thing as 'normal' when it comes to Moodle? ;)

Check your site setting for "Manage Log Stores"

http://yoursite/admin/settings.php?section=managelogging

External and Legacy logs are turned off on a fresh install of a 3.1.x

Standard log settings ...

Keep Logs for ... number of days ... default is never delete.

Is your site allowing guest login?

How often are you running cron?

There is one other item to check ... task for Log Table Cleanup -  could be run in a separate script/cron job.

'spirit of sharing', Ken