While utilizing Sugar, users may be unexpectedly logged out of the system. This article covers several reasons that the browser may automatically log a user out as well as some high-level troubleshooting tips.
Sugar only permits a username to be logged in under one session, and any additional user sessions started using the same username will log out the previous session. This behavior is for your security as Sugar does not allow multiple sessions for the same username from different computers or browsers. If any additional user session is detected, the user will be automatically logged out of the system and will have to log back into Sugar. To prevent situations like this, please do not share your login credentials (username and password) with others. This will ensure that only one session is active with each username.
When a user does not perform any actions in Sugar for a period of time, the user is automatically logged out.
When a user logs into Sugar, an access token (1 hour by default) and a refresh token (2 weeks by default) are returned. If the access token expires, Sugar will automatically pull for another access token as long as the refresh token is not expired. This allows the current session to be active indefinitely.
The default settings for Sugar are as follows:
refresh_token_lifetime: The default value is 2 weeks.
access_token_lifetime: The default value is 1 hour.
Note: Automatic notification queries are made to the server on a user’s behalf at a default interval of every 5 minutes. Sugar interprets these queries as user activity and will cause the current session to remain active without actual user input. For more information, please refer to the Setting Sugar’s Notification Delay section below.
You can set up your instance to utilize a custom inactivity timeout via code-level customizations. The
oauth2.access_token_lifetime setting controls how often Sugar will check to see if the user’s token has expired. It is recommended to set the
oauth2.access_token_lifetime value (e.g. 1800) to be half of the
oauth2.refresh_token_lifetime (e.g. 3600).
oauth2.access_token_lifetime cannot exceed the maximum PHP session timeout, which is configured by PHP setting
session.gc_maxlifetime. In SugarCloud the maximum session timeout is set to 7200s (2 hours).
You can change the default refresh and access token lifetime values by adding the following lines to the
./config_override.php file in the root directory of Sugar. An example is shown below:
$sugar_config['oauth2']['refresh_token_lifetime'] = 3600; //do not exceed 2147220 $sugar_config['oauth2']['access_token_lifetime'] = 1800;
Note: We recommend the
oauth2.refresh_token_lifetime remains at 1209600 seconds (2 weeks) or less for security. Should you increase this number, do not exceed 2147220 seconds.
These config settings restrict Sugar from refreshing a user’s authentication. Once the change has been made, navigate to Admin > Repair and execute a “Quick Repair and Rebuild” action.
Once the refresh and access token lifetimes are set, you should address the default Sugar notification system. Sugar’s notification utilizes the OAuth token to query Sugar and see if there are any notifications to display to the current user. This query resets the time on the user’s token which causes their inactivity time to start over. To work around this, set the notification delay to be greater than the
oauth2.refresh_token_lifetime setting controls the user inactivity timeout limit once Sugar’s notification delay is altered as follows:
- Create a new file
- Add the following line of code to the file:
$viewdefs['base']['view']['notifications']['delay'] = 65; //should not exceed 35791
Note: Enter the value in minutes (e.g. 65) making sure that it is longer than the refresh_token_lifetime (1 hour) of your instance. The delay should not exceed 35791 minutes.
Once the change has been made, navigate to Admin > Repair and execute a “Quick Repair and Rebuild” action. Users must then clear their browser cache for the change to take effect.
Please note that this customization will change the default behavior of Sugar as it will query for potential notifications significantly less frequently than it normally does. For more information regarding Sugar notifications, please refer to the User Interface documentation.
A user’s IP address may change for a number of reasons. If a user’s IP address changes while they are logged into Sugar the system, by default, will log the user out and force the user to log back in. The Client IP verification will return the error “You have been logged out because your session has expired.” as well as logging “IP Address mismatch: SESSION IP: CLIENT IP: ” in the Sugar log.
Disable client IP verification using the following steps:
- Navigate to Admin > System Settings.
- Scroll to the Advanced section at the bottom of the page.
- Uncheck “Validate user IP address”.
- Click “Save” to preserve the change.
Once this update has been made, Sugar will no longer log out a user if their IP address changes.
When a user is logged on to a Windows computer, they will be automatically logged out of Sugar if they close their browser including all Sugar tabs. When the user reopens their browser to access Sugar, they must log in to the instance again. Please note that all active Sugar browser tabs must be closed for you to get logged out of the system, so if you still have some other Sugar windows open, then you will still be logged in.
Using Mac OS X, this behaves slightly differently. A user must quit the browser process completely for Sugar to automatically log them out. Simply closing the browser tabs will not log the user out of Sugar. Furthermore, the end user’s browser must be configured to allow this setting to log them out. Network Administrators may choose to enforce a browser security policy on their networked machines to verify that this setting is not modified by the end-user.
To adjust this setting on a user’s Chrome browser, navigate to Settings > Show advanced settings… > Privacy > Content Settings > Cookies. Select the checkbox next to “Keep local data only until you quit your browser”. If this option is not enabled, then the user’s session will remain active in Sugar until their token expires via other means.
Note: This setting will clear a user’s stored info for all sites every time a browser session ends.