[SOLVED] The Web UI forces me to re-login 'constantly', why?

pan!c

I'm on a fresh Proxmox install and I get logged out from the GUI every few minutes. Can I configure the session timeout somewhere?

Time/date is OK on my system.

Code:
root@pve:~# timedatectl
               Local time: Sat 2019-12-28 23:38:40 CET
           Universal time: Sat 2019-12-28 22:38:40 UTC
                 RTC time: Sat 2019-12-28 22:38:40
                Time zone: Europe/Zurich (CET, +0100)
System clock synchronized: yes
              NTP service: active
          RTC in local TZ: no
 
No. It would affect other sites and services if I had such plug-ins. But it seems that it magically went away. Very strange.
 
I see you have a solution. Just letting you know I've noticed behaviour differences between Chrome and Firefox. I prefer Chrome to administer PVE.
 
I also notice I have to re-login into the GUI quite often, at least once a day. I primarily use Firefox. Is there a timeout setting somewhere?
 
Normally a ticket is generated, this is valid for 2 hours. The webinterface renews (extends) the ticket every 15 minutes - so if you keep the webinterface open, and have no plugin/browser stuff - e.g., which blocks the requests if the tab is in the background - you should stay logged in indefinitely.
If you close the browser the renewal extension cannot happen and you may get logged out after some time, though.
 
Generally the PC with the GUI open goes to sleep several times during the day, easily over 15mins. Would it be possible to change this 2 hours setting somewhere? I don't consider a much longer ticket validity as a security issue.
 
You'd need it to sleep more than circa 1 hour and 45 minutes (worst case) as else the ticket is still valid and renewing should kick in again...

Would it be possible to change this 2 hours setting somewhere?

No, this is not straightforward to change.
 
To future readers, managed to fix this by editing the JS of proxmox that actually sets the cookie.
This file: /usr/share/javascript/proxmox-widget-toolkit/proxmoxlib.js

Find the line that handles the auth cookie and change it from this:
JavaScript:
        setAuthData: function (data) {
            Proxmox.UserName = data.username;
            Proxmox.LoggedOut = data.LoggedOut;
            // creates a session cookie (expire = null)
            // that way the cookie gets deleted after the browser window is closed
            if (data.ticket) {
                Proxmox.CSRFPreventionToken = data.CSRFPreventionToken;
                Ext.util.Cookies.set(
                    Proxmox.Setup.auth_cookie_name,
                    data.ticket,
                    null,
                    '/',
                    null,
                    true,
                    'lax',
                );
            }
To this:
JavaScript:
        setAuthData: function (data) {
            Proxmox.UserName = data.username;
            Proxmox.LoggedOut = data.LoggedOut;
            // sets an explicit expiry date instead of null, so the browser keeps
            // the cookie after the window is closed (no longer a session cookie)
            if (data.ticket) {
                Proxmox.CSRFPreventionToken = data.CSRFPreventionToken;

                var expires = new Date();
                expires.setDate(expires.getDate() + 365);

                Ext.util.Cookies.set(
                    Proxmox.Setup.auth_cookie_name,
                    data.ticket,
                    expires,
                    '/',
                    null,
                    true,
                    'lax',
                );
            }
This example creates a new variable called "expires" which we then set proxmox to use instead of null for the date, since this creates a cookie that expires in 1 year.

Yeah I get the session cookie thing from a security standpoint and enterprise perspective, but I think you should have the option to enable saving of login sessions regardless. If admins want to configure the session cookie method for their enterprise users, they can, but home users like myself should be able to select between the two regardless.
 
This won't really work, the frontend cannot dictate security, or at least should not be able to do so.

The ticket cookie is signed by the authentication key and includes a timestamp, so once that timestamp is too old the backend will reject the cookie, no matter how long you tell your browser that it's valid for.
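
The backend check described in the last reply, combined with the 2-hour validity and 15-minute renewal mentioned earlier in the thread, as an added example (not part of the thread and not Proxmox's code). The `user:issuedAt:signature` HMAC layout, the key, the sample user and all function names are assumptions standing in for the real ticket format.

```javascript
// Added example: simplified stand-in for a signed, timestamped ticket.
// The HMAC layout "user:issuedAt:sig" and the key are assumptions, not Proxmox's format.
const crypto = require('crypto');

const TICKET_LIFETIME_S = 2 * 60 * 60; // "valid for 2 hours" (from the thread)
const RENEW_INTERVAL_S = 15 * 60;      // renewed "every 15 minutes" (from the thread)
const AUTH_KEY = crypto.randomBytes(32); // server-side secret, never sent to the browser

const sign = (payload) =>
  crypto.createHmac('sha256', AUTH_KEY).update(payload).digest('hex');

function issueTicket(user, nowS) {
  const payload = `${user}:${nowS}`;
  return `${payload}:${sign(payload)}`;
}

// Server-side check: only the signature and the signed timestamp count.
// The cookie's Expires attribute is never sent to the server at all.
function verifyTicket(ticket, nowS) {
  const cut = ticket.lastIndexOf(':');
  const payload = ticket.slice(0, cut);
  const got = Buffer.from(ticket.slice(cut + 1), 'hex');
  const want = Buffer.from(sign(payload), 'hex');
  if (got.length !== want.length || !crypto.timingSafeEqual(got, want)) {
    return 'bad signature';
  }
  const age = nowS - Number(payload.slice(payload.lastIndexOf(':') + 1));
  return age >= 0 && age <= TICKET_LIFETIME_S ? 'ok' : 'expired';
}

// A client that keeps the old signature but rewrites the timestamp field.
function withEditedTimestamp(ticket, issuedAtS) {
  const parts = ticket.split(':');
  parts[parts.length - 2] = String(issuedAtS);
  return parts.join(':');
}

// Sleep case from the thread: the last renewal was `sinceRenewS` ago when the
// PC suspended for `sleepS`; is the ticket still accepted on wake?
function survivesSleep(sinceRenewS, sleepS) {
  const t0 = 1700000000; // constructed clock value
  const ticket = issueTicket('root@pam', t0); // constructed sample user
  return verifyTicket(ticket, t0 + sinceRenewS + sleepS) === 'ok';
}

// Worst case: suspend happens just before the next renewal was due.
const WORST_CASE_SLEEP_S = TICKET_LIFETIME_S - RENEW_INTERVAL_S; // 1 h 45 min
```

A cookie stored for 365 days still carries the same signed timestamp, so `verifyTicket` returns `'expired'` one second past the 2-hour mark whatever the browser was told.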