Hi David, All,
I've just added my thoughts to the issue below.

Your reasoning below, along with current services such as LetsEncrypt that offer free https certificates, makes this seem reasonable.

Cheers,

John

Hi John (and others),

For future version of EPrints, I propose making this change:

https://github.com/eprints/eprints3.4/issues/339

This basically say ignore_login_ip if HTTPS is enabled.  In 3.4.5 I changed the cookie settings so you will never get an eprints_session cookie (only and secure_eprints_session cookie) if HTTPS is enabled.  Most repositories now typically have HTTPS enabled with redirects from HTTP and/or HSTS so this is unlikely to cause the odd behaviour where you go from a page where you are logged in to one where you are not.  Also, in earlier versions of 3.4 I have tried to remove any full HTTP links that are local if HTTPS is enabled.  Replacing either with local path links or HTTPS.  This reduces the risk of going from an HTTPS to and HTTP page if you don't have HTTPS redirects or HSTS enabled.  Therefore, I think the change proposed in the above issue should in no way reduce the security of an EPrints repository.  What are your thoughts?

Regards

David Newman

CAUTION: This e-mail originated outside the University of Southampton.

Hi Ellis,
I was going to mention the same thing - I've seen issues with users on weak mobile broadband connections, where their IP address changes each time their connection switches masts.

 

To check this is what you're experiencing, have a look in the logintickets database table - a repeated userid with different IP addresses indicates that this is probably what you're seeing.

 

NB if you have an admin account that multiple people use, there can be legitimate duplicated userid rows with different IPs.

In this case, each user has the correct cookies and doesn't experience what you describe.

 

Cheers,

John

 

From: eprints-tech-bounces@ecs.soton.ac.uk [mailto:eprints-tech-bounces@ecs.soton.ac.uk] On Behalf Of David R Newman via Eprints-tech
Sent: 02 August 2023 07:49
To: eprints-tech@ecs.soton.ac.uk; Eliseo Gatchalian <Eliseo.Gatchalian@wintec.ac.nz>
Subject: Re: [EP-tech] Session timeout too fast

 

Hi Ellis,

EPrints uses a session cookie for keeping users logged in.  This should only expire either if the user clicks logout or closes their browser.  However, I expect your user's issue may be that there IP address changed between when they loaded the page and when they submitted.  This is a historic feature of EPrints that deemed a change of IP addresses suspicious so required a session to keep the same IP address.  This feature can be disabled by creating a configuration file in your archive (e.g. <EPRINTS_PATH>/archives/<ARCHIVE_ID>/cfg/cfg.d/z_ignore_login_ip.pl) and adding the line:

$c->{ignore_login_ip} = 1;

After adding this line check the configuration is OK and reload your webserver.  E.g.

<EPRINTS_PATH>/bin/epadmin test
apachectl graceful

The first line needs to be run as the eprints user the second as the root user or with sudo.  Depending on your Linux OS, you may need to use apache2ctl rather than apachectl.

Regards

David Newman

On 02/08/2023 12:10 am, Eliseo Gatchalian via Eprints-tech wrote:

CAUTION: This e-mail originated outside the University of Southampton.

Hi all,

 

Hope all are good and well.

 

We’ve recently installed EPrints 3.4.4 on a new server and have web imported all our data (except for the ones that are restricted) and all are seems to be working except that it times out too quickly.

 

When a user is trying to fill out the item details, which is around 5-10mins, when the user hits “Next”, it then goes back to the login page without saving the data.

 

Do you know if there is a session timeout settings in EPrints that can be changed? Or any clue where we can extend the session times would be much appreciated.

 

Many thanks all!

 

 

Best regards,

Ellis

 

 

Ellis Gatchalian

Systems Librarian

 

 

Private Bag 3036, Waikato Mail Centre, Hamilton 3240
+64-(0)7-838 6399 ext. 8633

wintec.ac.nz

 

Ki te Kotahi te kākaho ka whati, ki te kāpuia, e kore e whati | Alone we are vulnerable, together we are invincible

 

 

---

This electronic mail transmission is intended for the named recipients only. It may contain private and confidential information. If this has come to you in error you must take no action based upon it, nor must you copy it or show it to anyone; please telephone or email the sender at Wintec immediately and return the original email. We cannot accept any liability for any loss or damage sustained as a result of software viruses. It is your responsibility to carry out such virus checking as is necessary before opening any attachment which may be included with this message.

*** Options: http://mailman.ecs.soton.ac.uk/mailman/listinfo/eprints-tech

*** Archive: http://www.eprints.org/tech.php/

*** EPrints community wiki: http://wiki.eprints.org/