[ZBX-8051] Checkbox auto-logout mostly doesn't work Created: 2014 Apr 08 Updated: 2024 Apr 10 Resolved: 2018 Jul 04 |
|
Status: | Closed |
Project: | ZABBIX BUGS AND ISSUES |
Component/s: | Frontend (F) |
Affects Version/s: | 2.2.3, 2.3.0 |
Fix Version/s: | 4.0.0alpha9, 4.0 (plan) |
Type: | Problem report | Priority: | Major |
Reporter: | Andrei Gushchin (Inactive) | Assignee: | Vjaceslavs Bogdanovs |
Resolution: | Fixed | Votes: | 0 |
Labels: | login, profile | ||
Remaining Estimate: | Not Specified | ||
Time Spent: | Not Specified | ||
Original Estimate: | Not Specified |
Team: | Team C | ||||||||||||||||
Sprint: | Sprint 36, Sprint 37 | ||||||||||||||||
Story Points: | 1 |
Description |
Checkbox in user profile doesn't work. For trunk, only the checkbox state is saved, but auto-logout doesn't happen.
Comments |
Comment by richlv [ 2014 Apr 09 ] |
Auto-logout status is saved properly - it probably seems to be lost because the checkbox "Remember me for 30 days" is not unmarked in the login form - that sets the "remember me" status, which negates auto-logout. Auto-logout itself - my tests are inconclusive |
Comment by Matthew Ross [ 2014 Dec 17 ] |
Tested the following (v2.2.5): 1. Log in with Remember Me disabled. Also verified the settings are cleared in the database. Not sure why the Remember Me setting should negate the auto-logout functionality? |
Comment by Oleksii Zagorskyi [ 2015 Mar 04 ] |
All required details of current behavior are documented now according to ZBX-9370 also asks to fix related things. |
Comment by Oleksii Zagorskyi [ 2015 Mar 25 ] |
Not sure it's the best place to post it, but still... Some Zabbix users complain that the Zabbix frontend floods the Zabbix DB with relatively hard queries like:

    UPDATE sessions SET lastaccess=1427291815 WHERE userid='1' AND sessionid='09dba63bb393af3b149b466c2c1d8afe'
    SELECT p.* FROM profiles p WHERE p.userid=1 ORDER BY p.userid,p.profileid

Results of investigations:
Testing current 2.4 I can say that it's not true. Also, the spec didn't say anything about authorization.
When the Zabbix frontend (every browser tab) performs the check, it performs these SQLs:

    150325 15:56:55 69967 Connect root@localhost on 2.4
    69967 Query SET NAMES utf8
    69967 Query SHOW TABLES LIKE 'dbversion'
    69967 Query SELECT dv.mandatory,dv.optional FROM dbversion dv
    69967 Query BEGIN
    69967 Query SELECT u.userid,u.autologout,s.lastaccess FROM sessions s,users u WHERE s.sessionid='09dba63bb393af3b149b466c2c1d8afe' AND s.status=0 AND s.userid=u.userid AND (s.lastaccess+u.autologout>1427291815 OR u.autologout=0)
    69967 Query SELECT g.usrgrpid FROM usrgrp g,users_groups ug WHERE ug.userid='1' AND g.usrgrpid=ug.usrgrpid AND g.users_status=1 LIMIT 1 OFFSET 0
    69967 Query UPDATE sessions SET lastaccess=1427291815 WHERE userid='1' AND sessionid='09dba63bb393af3b149b466c2c1d8afe'
    69967 Query SELECT MAX(g.gui_access) AS gui_access FROM usrgrp g,users_groups ug WHERE ug.userid='1' AND g.usrgrpid=ug.usrgrpid
    69967 Query SELECT u.userid,u.alias,u.name,u.surname,u.url,u.autologin,u.autologout,u.lang,u.refresh,u.type, u.theme,u.attempt_failed,u.attempt_ip,u.attempt_clock,u.rows_per_page FROM users u WHERE u.userid='1'
    69967 Query SELECT ug.userid FROM usrgrp g,users_groups ug WHERE ug.userid='1' AND g.usrgrpid=ug.usrgrpid AND g.debug_mode=1
    69967 Query COMMIT
    69967 Query SELECT p.* FROM profiles p WHERE p.userid=1 ORDER BY p.userid,p.profileid
    69967 Quit

I don't really understand why we perform authorization at all. And I absolutely cannot understand why we perform SQL like SELECT p.* FROM profiles p WHERE p.userid=1 ORDER BY p.userid,p.profileid to just check server availability ... Very related issue ZBXNEXT-2381 |
Comment by Vjaceslavs Bogdanovs [ 2018 Jun 28 ] |
(1) No translation string changes. gcalenko CLOSED |
Comment by Vjaceslavs Bogdanovs [ 2018 Jun 28 ] |
(2) [D] API documentation should be updated the following way:
What's new section should contain a note about the API change - that method User.checkAuthentication now contains an additional param. As for the auto-logout feature (listed in https://www.zabbix.com/documentation/4.0/manual/web_interface/user_profile), an additional note is required that leaving some pages open will cause extending of session lifetime and will not allow for the auto-logout feature. All the pages that refresh data in a specific time interval (dashboards, graphs, screens, latest data, etc.) are performing extending of session, so auto-logout will not work with one of those pages open. This is true for all supported versions and not only for 4.0.

natalja.zabbix also can add an additional note that Auto-logout can accept 0, which means Auto-logout will be disabled after profile settings update

natalja.cernohajeva: user.checkAuthentication method added to documentation for all supported versions: 2.2, user.checkAuthentication; 3.0, user.checkAuthentication; 3.4, user.checkAuthentication; 4.0, user.checkAuthentication (only difference from previous - "extend" parameter mentioning); 4.0, what's new (API improvements section); User profile page, 4.0, Auto-logout parameter. User profile page 2.2, 3.0 and 3.4 Auto-logout parameter completed the same way as for 4.0. RESOLVED

vjaceslavs Great! CLOSED |
Comment by Vjaceslavs Bogdanovs [ 2018 Jul 03 ] |
Available in 4.0.0alpha9 (trunk) r82449 |
Comment by richlv [ 2018 Jul 14 ] |
Could you please expand on what the fix included and what the expected behaviour is? For example, which of the following would now reset the user inactivity timer?
In general, a detailed description of how this feature is expected to work would be greatly appreciated.

sasha Look at the comment above. It was mistakenly hidden from users.

<richlv> Thank you, that's great info. Are there any calls within Zabbix trunk currently that set this flag to false? While the comment talks about reloading graphs, what about the server status checks, do they reset the session?

<vjaceslavs> No they don't. All the server status checks as well as message related calls (not initiated by users). So, user actions will still prolong the session - so submitting the forms (no matter whether it's filters or not) will always prolong session lifetime. Exceptions for async calls (not directly initiated by user) are listed above. |
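
The behaviour discussed in this thread, as an added example that is not part of the original issue and is not Zabbix's own code: it runs the session check and `lastaccess` update quoted from the query log against an in-memory SQLite database and simulates an idle tab that only issues background polls. The table layout, the session ID `sid-example`, the function names and the reading of the "extend" parameter as "skip the `lastaccess` update" are assumptions made for the illustration.

```python
import sqlite3

# Session check and lastaccess update as they appear in the query log quoted in this thread.
CHECK_SQL = (
    "SELECT u.userid,u.autologout,s.lastaccess FROM sessions s,users u "
    "WHERE s.sessionid=? AND s.status=0 AND s.userid=u.userid "
    "AND (s.lastaccess+u.autologout>? OR u.autologout=0)"
)
TOUCH_SQL = "UPDATE sessions SET lastaccess=? WHERE userid=? AND sessionid=?"


def make_db(autologout, login_time):
    """Constructed minimal schema: only the columns the logged queries use."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (userid INTEGER, autologout INTEGER)")
    db.execute("CREATE TABLE sessions (sessionid TEXT, userid INTEGER,"
               " lastaccess INTEGER, status INTEGER)")
    db.execute("INSERT INTO users VALUES (1, ?)", (autologout,))
    db.execute("INSERT INTO sessions VALUES ('sid-example', 1, ?, 0)", (login_time,))
    return db


def check_authentication(db, sessionid, now, extend=True):
    """Return True while the session is valid; bump lastaccess only if extend (assumed semantics)."""
    row = db.execute(CHECK_SQL, (sessionid, now)).fetchone()
    if row is None:
        return False  # idle for autologout seconds or longer: session rejected
    if extend:
        db.execute(TOUCH_SQL, (now, row[0], sessionid))
    return True


def seconds_until_logout(autologout, poll_interval, extend, horizon=7200):
    """Time of the first rejected background poll, or None if still alive at horizon."""
    db = make_db(autologout, login_time=0)
    for now in range(poll_interval, horizon + 1, poll_interval):
        if not check_authentication(db, "sid-example", now, extend):
            return now
    return None


if __name__ == "__main__":
    print(seconds_until_logout(900, 30, extend=True))   # polls keep the session alive
    print(seconds_until_logout(900, 30, extend=False))  # idle timeout is enforced
    print(seconds_until_logout(0, 30, extend=False))    # autologout=0 disables the timeout
```

When every poll extends the session, an unattended tab never reaches the auto-logout threshold, which is the symptom reported here; with non-extending polls the same session is rejected once `lastaccess + autologout` is no longer greater than the current time.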