XF 1.5 Users Reporting Getting Logged Out On Mobile Devices

[Divvens]

I've had multiple users report to me that they keep getting logged out on mobile devices (Android/Windows w/ stock browser + Chrome) randomly until and unless they click the option to stay logged in.

My domain is directed only to one version (non-www), we do not cache sessions. We make use of memcache and everything has been set up by @MattW

Memcache stats show lots of free space in cache, so cache isn't full or causing any issues (even though we don't cache sessions just clearing this out), and since only one domain is being used there shouldn't be cookie loss due to domain. Could this be any other issue that needs to be looked into server side? The log outs happen randomly, and until now it has only been reported via mobile devices.

 

[Paul B]

I've had multiple users report to me that they keep getting logged out on mobile devices (Android/Windows w/ stock browser + Chrome) randomly until and unless they click the option to stay logged in.

That suggests their IP address is changing.

If the IP changes, the existing session won't be used. This is a security feature.
Selecting the option to stay logged in adds a cookie which automatically recreates the session as needed.

 

[TPerry]

And with it being mobile only, it's VERY possible their IP is changing through the cellular provider network.
A lot of cellular providers use a proxy and it's not unheard of that your IP changes. For most uses, a changing IP is not important (when simply browsing the web, etc).

 

[Divvens]

That suggests their IP address is changing.

If the IP changes, the existing session won't be used. This is a security feature.
Selecting the option to stay logged in adds a cookie which automatically recreates the session as needed.

When was this security feature added, or was it since the very beginning?

Because these reports are very recent, never had these reports before.

 

[Mike]

It's been there since the beginning.

 

[Divvens]

It's been there since the beginning.

Could anything have changed the behavior recently to make it more severe? People who weren't having problems before are having it now (it most likely can be from their end too but I want to make sure its not from our end). If it is IP Changing that's logging them out, they never faced it before. It's only been for the past 1/1 and a half months.

 

[Mike]

No, this hasn't changed on our end for some time. If you're not using a cache for sessions, it's almost certainly from their end. I believe I have heard reports about people using mobile Safari's private mode which does some unintuitive things with cookies/local storage, so I suppose that could be related -- particularly if choosing the "stay logged in" option doesn't resolve it. (If they select that, the IP changing won't matter as it will silently create a new session.)