I'm being automatically logged out of iNaturalist

yes. it looks to me like iNaturalist is actually revoking the cookie. below is the cookie activity i see when going to inaturalist.org after creating a new observation and then restarting the browser. it looks like i present iNat my remember_user_token cookie and iNat responds by revoking the remember_user_token cookie and giving me a new session cookie.

why it makes this decision, i’m not sure…

also, i sort of wonder if some of the cases where people get logged out are cases where they think they’ve checked the Remember Me flag when logging in but actually forgot to check it? for me, it’s always unchecked by default. so i’ve definitely forgotten to check it even when i intended to check it.

(i think a lot of other sites will tend to remember whether you last checked that flag and will default to whatever that last state was, rather than always defaulting to a particular value.)

I’m getting logged out once or twice a day and I essentially never use the phone app. It happens for sure if I restart my computer for any reason, and it frequently happens when I close and reopen my browser (Safari for Mac). It is very inconsistent; I have found no pattern in the problem.

1 Like

I’ve now been logged out so many times that I ALWAYS check the Remember Me button. It doesn’t help.

Oddly, the site ~knows~ it’s me (see screen shot), but it thinks I need to log in.

i don’t think the site is indicating that it knows you’re looking at the Explore screen. you probably have just navigated to https://www.inaturalist.org/observations?user_id=teellbee, which should display roughly the same thing regardless of whether you’re logged in or not.

1 Like

I’ve been talking too fast. “Undefined user” is back this morning… Just after clicking on the filled login page (since always “not remembered” either).

I will be posting a separate topic for this one.

https://forum.inaturalist.org/t/automatically-redirected-to-undefined-user-page-after-logging-in/26915

2 Likes

not sure if this is the same kind of thing, but i noticed that if you explicitly log out of a session, then any existing remember_user_tokens will be revoked the next time you are authenticated.

for example:

  1. i logged in with the Remember Me option in both Firefox and Chrome, and then closed the browsers.
  2. i opened Edge and logged in (without Remember Me), then explicitly logged out
  3. going back through Firefox and Chrome, i’m forced to log in again.

(if in #2, i just close the browser, which effectively ends the session, then in #3, i’m not forced to log in again.)

i suppose this might be intentional. it might be a feature that if you log out in one place then any remember_user_tokens out in the wild will get revoked the next time they get checked.

That does sound like expected behavior to me (without checking).

FWIW - I’ve reproduced the issue, and found (what I believe to be) the root cause - which is that hitting some endpoints from the website incorrectly triggers a security protection, which has the side effect of clearing the remember_me token against the current logged in user in the database.
I’ve passed what I’ve found on to the devs. As it involves a security protection, I think they’re considering what the best approach to fix it should be.

4 Likes
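A simplified model of the behaviour described in the two posts above (an explicit logout invalidating remember cookies held by other browsers, and a security protection clearing the stored remember_me value as a side effect). It is an added illustration, not iNaturalist's code; `RememberStore`, `on_failed_request_check`, the cookie layout and the user name are assumptions.

```ruby
require "openssl"
require "securerandom"

# Constructed model: one server-side remember secret per user; every
# browser's remember cookie is bound to that single stored value.
class RememberStore
  def initialize
    @key = SecureRandom.random_bytes(32) # server-side signing key
    @secrets = {}                        # user => current remember secret
  end

  # Login with "Remember Me": reuse the stored secret so several browsers
  # can hold valid cookies at once, and return the signed cookie value.
  def remember(user)
    secret = (@secrets[user] ||= SecureRandom.hex(16))
    "#{user}.#{secret}.#{sign(user, secret)}"
  end

  # Explicit logout: wiping the stored secret invalidates every outstanding
  # cookie for this user, whichever browser holds it.
  def forget(user)
    @secrets.delete(user)
  end

  # Hypothetical handler for a failed request check. If it fires on a
  # legitimate request, the user is silently "forgotten" everywhere.
  def on_failed_request_check(user)
    forget(user)
  end

  # Returns the user name if the cookie is still honoured, otherwise nil.
  def authenticate(cookie)
    user, secret, mac = cookie.to_s.split(".", 3)
    return nil unless user && secret && mac
    return nil unless secure_eq(mac, sign(user, secret))
    current = @secrets[user]
    current && secure_eq(current, secret) ? user : nil
  end

  private

  def sign(user, secret)
    OpenSSL::HMAC.hexdigest("SHA256", @key, "#{user}.#{secret}")
  end

  # Constant-time string comparison.
  def secure_eq(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

In this model a cookie that fails `authenticate` is exactly the case where the server would answer by deleting the cookie and issuing a fresh anonymous session.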

Just an update. Thanks to work by @pisum and others, we know the cause - we’re now looking into the best fix for it.

10 Likes

This is happening to me every day as well. The ‘Remember me’ check box makes no difference. I have to sign in every time.

I just found myself logged out for the first time in a few weeks.

@agoranomos Sean, what do you mean by “hitting some endpoints from the website incorrectly…”?
Related question: Typically, for any website which requires logging in, if I close my browser without having officially signed out, would that be considered an “incorrect endpoint”?

Sorry, that was poorly phrased, and a bit too tech jargon heavy. Let me try again:
Some actions performed in the browser by users will, when processed by the web server, trigger a security protection when it shouldn’t, resulting in the remember_me setting for the user getting wiped on the web server.
So there are no “incorrect endpoints”, just incorrect positioning of words together in my previous post.

3 Likes

This explanation explains why I just got logged out. I logged in, checked my homepage, checked the two notifications I had, loading their observation pages in separate tabs, and commented on one (in response to another user’s ID with comment) and withdrew my ID for it. I closed the browser. Less than an hour later I returned to iNat and I was logged out.

This has been true for me throughout, though usually whatever page was open quickly changes to the Log In page, with my username, ready to be logged in once again.

1 Like

looks like some changes were deployed today, and i’m no longer able to reproduce the problem by uploading an observation. so at least that trigger for this problem appears to have been resolved. not sure what the other triggers would have been, but it looks like a lot of changes were made. so hopefully all the other triggers have been found and fixed.

2 Likes

Yeah, we did make some changes but need to go through them and see what else needs to be fixed or if these changes broke anything.

4 Likes

Great news! Today, for the first time in a couple weeks, I did not have to log in. Hope it continues to work.

1 Like

Still working 2 weeks later - today I had to log in again, but as it is supposed to be, because my cookie had expired!

Thanks to the staff for pursuing this!

3 Likes

Great, I’m going to close this for now. If you do see it happening again, please file a new bug report and we’ll see if it should be merged into this one.

3 Likes