Notifications
Clear all

wpForo 1.x.x [Closed] WPforo doesn't destroy all sessions after logout!

11 Posts
2 Users
0 Reactions
1,055 Views
Posts: 109
Topic starter
(@beyondforce)
Estimable Member
Joined: 5 years ago

Hey Guys,

I wonder why WPforo doesn't destroy/close all sessions after logout?

I have added a screenshot; Before, after login, and after logged-out.

 

Thanks.

10 Replies
Posts: 986
Moderator
(@martin)
Support Team
Joined: 8 years ago

Hi @beyondforce,

WordPress and wpForo don't use session for login and logout. wpForo is based on WordPress cookie authorization. There is no any information on PHP session about login users. Because the PHP session is only used for Error and Action messages in top right corner of your website. This is the only reason why wpForo initiate and use the sessions. It doesn't have any relation to authorization functions so it's not descried when you logout. The logout process is being done by WordPress core functions, which just remove cookie based information. Again, the PHP session is not used for login status.

More info: https://www.securitysift.com/understanding-wordpress-auth-cookies/

9 Replies
(@beyondforce)
Joined: 5 years ago

Estimable Member
Posts: 109

Hey @martin,

Thanks for your reply.

I'm asking about it because before the user login, it receives a cache version of my site and the site loads very fast (400-600ms).

When a user is logged-in, there is no more cache and the site is loading slower (as expected).
But, after the user is logged-out, the site keeps loading slow. My hosting supports are saying "In order to return to server caching responses, the PHP session cookies need to be cleared out."

I'm trying to figure out what blocks the browser to return to server caching after logout. 

I'm using ARmember as well for user registration and login, so it might be this plugin that blocks the server cache.

Thanks again.

Cheers / Ben

 

Moderator
(@martin)
Joined: 8 years ago

Support Team
Posts: 986

@beyondforce

Ok, I see. But as always we recommend exclude wpForo from your cache plugins

The issue of login/logout is also related to cache plugins. Not only cache plugins, but also cache systems of hostings. If you use cache plugin please read this support topics:

  1. https://wpforo.com/community/faq/wpforo-and-cache-plugins/
  2. https://wpforo.com/community/faq/login-problem-menu-is-not-changed-and-weird-logged-in-behaviour/

 

And yes, we're going to remove the session from wpForo even if it only working for top-right corner messages and action notifications. We'll totally remove this session function from wpForo in upcoming versions. But at this moment, we recommend exclude wpForo forum home page from your caching systems.

(@beyondforce)
Joined: 5 years ago

Estimable Member
Posts: 109

@martin,

I'm ONLY using server caching and I have no other cache plugins!

WPforo page is also excluded from the cache, but this problem is affecting all my site's pages.

My hosing and I are not sure yet where the problem is, but your future solution to remove this session function from wpForo in the upcoming versions sounds good.

Are we talking about months or weeks?

Ben.

Moderator
(@martin)
Joined: 8 years ago

Support Team
Posts: 986

@beyondforce,

You can test it right now.

Just open this file:

/wp-content/plugins/wpforo/wpf-includes/class-notices.php

 

Find this code:

private function init(){
if( !wpforo_is_session_started() && ( !is_admin() || (!empty($_GET['page']) && strpos($_GET['page'], 'wpforo-') !== false ) || (wpforo_is_ajax() && !empty($_POST['action']) && false !== strpos($_POST['action'], 'wpforo')) )) session_start();
}

 

Change it to this:

private function init(){
//if( !wpforo_is_session_started() && ( !is_admin() || (!empty($_GET['page']) && strpos($_GET['page'], 'wpforo-') !== false ) || (wpforo_is_ajax() && !empty($_POST['action']) && false !== strpos($_POST['action'], 'wpforo')) )) session_start();
}
(@beyondforce)
Joined: 5 years ago

Estimable Member
Posts: 109

@martin

Cool, thanks I'll check it out 👍

Moderator
(@martin)
Joined: 8 years ago

Support Team
Posts: 986

Don't forget to close all tabs of browsers, then close it and open again when you test it. Closing browser with all tabs will delete the session.

(@beyondforce)
Joined: 5 years ago

Estimable Member
Posts: 109

@martin

I always do that!

Well, I just tested it and it didn't make a difference. I can give you access to my site if you want to check it out?

Moderator
(@martin)
Joined: 8 years ago

Support Team
Posts: 986

@beyondforce,

We've nothing to check, because the only point it may be related to wpForo is the function I asked you to change. There is no any other relation to wpForo, so we don't have any point to check.

(@beyondforce)
Joined: 5 years ago

Estimable Member
Posts: 109

@martin,

Thanks for your help.