Causes for “logouts” from TYPO3 sessions
TYPO3 evaluates and validates four client side values to re-constitute a session:
be_typo_user (or fe_typo_user for frontend) Cookie
Time since last request of a TYPO3 page
IP Address
Browser user agent string
This means that if any of these values changes, the session becomes invalid. As a result, users are "logged out", or sometimes cannot log in at all.
Let's look into each of these properties and how (or if at all) you can influence them.
Cookie
You can influence the domain name for which cookies are set by changing [SYS][cookieDomain] (or [BE][cookieDomain] or [FE][cookieDomain]). This can lead to a situation where the cookie is set in such a way that the browser does not send it back to TYPO3, or where it interferes with older cookies that have previously been set.
As a general recommendation I suggest not changing these values, as the default (not set) results in the most compatible and most secure behaviour.
If you suspect trouble with this setting: clear all cookies, set the value to default, try again.
Session Lifetime
For what period of time a TYPO3 backend session is valid is controlled not only by the lifetime of the cookie, but also by a configuration option. The cookie itself is always a session cookie, which means it only expires after closing the browser window. The configuration option is [BE][sessionTimeout] and is set to one hour by default. On development systems I set this to one year, for production systems I leave the default. Frontend sessions have more complex configuration options, which I leave to be described in a different article.
IP Address
TYPO3 sessions are also bound to the IP address of the client which established the session. By default, for backend sessions all IPv4 segments are respected and need to be the same in subsequent requests, while for frontend sessions only the first two segments are respected. You can change the default values with the [BE][lockIP] and [FE][lockIP] configuration options. A value of 0 means that the client IP address is completely ignored. It is also possible to disable the IP restriction for individual backend users by ticking the "Disable IP lock for user" checkbox in the user record.
By the way, there is no handling for IPv6 addresses at the moment, which needs to be changed at some point.
User Agent String
That TYPO3 also evaluates the user agent for sessions is probably not widely known. Additionally, the configuration options to change the behavior are far from intuitive. The options are [BE][lockHashKeyWords] for backend and [FE][lockHashKeyWords] for frontend sessions. lockHashKeyWords only accepts two values: an empty string and useragent. The latter is the default and means that if the user agent changes, TYPO3 invalidates the session.
The user agent string changes more often than you might think, as some browser plugins influence it and also proxies sometimes touch this HTTP request header.
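To make the interplay of IP lock, user agent lock and session timeout concrete, here is a small model of the checks described above. It is an added example written for this post, not TYPO3's own session code; the function names, the SHA-256 fingerprint of the user agent and the sample requests are constructed, and only IPv4 is modelled, matching what the post describes.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class SessionLock:
    lock_ip: int             # [BE|FE][lockIP]: leading IPv4 octets that must match, 0 = ignore
    lock_hash_keywords: str  # [BE|FE][lockHashKeyWords]: "useragent" or ""
    session_timeout: int     # [BE][sessionTimeout] in seconds (3600 = one hour default)


# Defaults as described in the post: backend compares all 4 octets, frontend only the first 2.
BE_DEFAULT = SessionLock(lock_ip=4, lock_hash_keywords="useragent", session_timeout=3600)
FE_DEFAULT = SessionLock(lock_ip=2, lock_hash_keywords="useragent", session_timeout=3600)


def ip_lock_value(ip: str, lock_ip: int) -> str:
    """Part of the IPv4 address bound to the session (constructed helper; IPv4 only)."""
    if lock_ip <= 0:
        return ""  # lockIP = 0: the client address is ignored entirely
    return ".".join(ip.split(".")[: min(lock_ip, 4)])


def hash_lock_value(user_agent: str, lock_hash_keywords: str) -> str:
    """Fingerprint of the user agent; an empty lockHashKeyWords disables the check."""
    if lock_hash_keywords != "useragent":
        return ""
    return hashlib.sha256(user_agent.encode("utf-8")).hexdigest()


def check_session(lock: SessionLock, session: dict, request: dict) -> list[str]:
    """Return the properties that would invalidate the session (empty list = still valid)."""
    reasons = []
    if ip_lock_value(session["ip"], lock.lock_ip) != ip_lock_value(request["ip"], lock.lock_ip):
        reasons.append("ip")
    if hash_lock_value(session["ua"], lock.lock_hash_keywords) != hash_lock_value(
        request["ua"], lock.lock_hash_keywords
    ):
        reasons.append("useragent")
    if request["time"] - session["last_request"] > lock.session_timeout:
        reasons.append("timeout")
    return reasons


# Constructed sample: a session established from one address and browser, followed by a
# request where the last octet changed (e.g. a proxy pool) and a plugin extended the UA.
SESSION = {"ip": "203.0.113.10", "ua": "Mozilla/5.0 (X11; Linux) Firefox/115.0", "last_request": 1_700_000_000}
NEXT_REQUEST = {"ip": "203.0.113.77", "ua": "Mozilla/5.0 (X11; Linux) Firefox/115.0 Plugin/1.2", "time": 1_700_000_600}

if __name__ == "__main__":
    for name, lock in (("BE default", BE_DEFAULT), ("FE default", FE_DEFAULT), ("BE relaxed", SessionLock(0, "", 3600))):
        print(name, "->", check_session(lock, SESSION, NEXT_REQUEST) or "still valid")
```

Running it shows why the post's advice works: with the backend defaults both the IP and the user agent invalidate the session, the frontend defaults tolerate the changed last octet, and lockHashKeyWords="" plus lockIP=0 keeps the session alive.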
Summary
If you or your customers experience random or frequent "logouts" from TYPO3 sessions, most of the time changing IP addresses or changing user agents are the reason. I would suggest first trying to set lockHashKeyWords to an empty value, as it is the weakest protection for sessions, and if this does not help, setting lockIP to 0 (or disabling it for individual users). Since both disable an additional security measure, I would suggest looking for the reason for the changing user agent or IP addresses and fixing that, but I would not consider it completely unreasonable to have them disabled completely.
Happy login. Take care!