I'm being automatically logged out of iNaturalist

For me, there has been no relationship with uploading observations. For the last week or so, I’ve had to log in at least once each day with “remember me” checked each time.

2 Likes

if you follow my 10 steps, does that trigger the problem for you though? (i didn’t rule out the possibility of other triggers, but i think what i described is the first set of steps anyone has described that will allow you to consistently reproduce the problem. and once you can consistently reproduce the problem, then you can begin debugging it.)

1 Like

Genius @pisum!
I’ve been able to reproduce 3 times in a row by simply uploading an observation via the web uploader then closing my browser. I’m pretty sure it’s not the only way to reproduce it - but it’s certainly consistent.
Even better, I can also use this method to reproduce this issue on my local dev environment.
It’s late here and I need some sleep, so I’m going to stop looking at it for now.
@kueda might be interested in this though…

4 Likes

Me too, since the last month, in Europe (Austria). Before that, logout was a rather rare occasion.

Now it’s happening the whole time, even if I tick “Remember Me”.

Of the four cookies you store, one is just active for the session; 3 others (starting with "_ga") expire within hours, which could explain why I'm thrown out just hours later.

Some systems like AWS incoqnito have a low expiry date on purpose, and on revisiting the website later, the expired cookie is refreshed seamlessly with no login required.

Have a nice weekend!
Cheers
Per

Yes, I can confirm that those 10 steps do regularly trigger the problem. Additional information:

  • sometimes I get logged out between steps 5 & 6, so uploading is clearly not the only trigger
  • uploading itself has no effect on the cookie. I monitored Firefox’s cookies.sqlite database throughout the procedure, and the remember_user_token remained unchanged from step 2 through the start (‘open your browser’) of step 10 (i.e., it was still there after uploading and deleting an observation, closing Firefox, and reopening Firefox). It only disappeared when I then navigated to iNaturalist.

This behaviour seems quite strange, suggesting that somehow uploading an observation in one session affects the state of iNaturalist at the start of the next session for that user. Happy debugging! :wink:

1 Like

Started happening to me too recently.

1 Like

Humm… Looks like my “undefined user” issue has disappeared. But I’m still not remembered!

1 Like

It’s happening to me again. About once or twice a day.

Based on the following information:

  • @pisum said that it has to do with uploading an observation in the web uploader, which is something I haven’t done in a while
  • it seems I get logged out after not using iNat for half a day or so

…I wonder if the issue might be me accessing my account via my iNat app. I should go check this now.

2 Likes

It happened to me today (after a long period of time when it didn’t happen) after I used the app (which I hadn’t used in a while as well)

2 Likes

Well, unfortunately, that didn’t cause it, at least not within the span of a couple hours.

This is my suspicion as well. I get the same behavior and I suspect it’s happening when I log in on my phone.

yes. it looks to me like iNaturalist is actually revoking the cookie. below is the cookie activity i see when going to inaturalist.org after creating a new observation and then restarting the browser. it looks like i present iNat my remember_user_token cookie and iNat responds by revoking the remember_user_token cookie and giving me a new session cookie.

why it makes this decision, i’m not sure…

also, i sort of wonder if some of the cases where people get logged out are cases where they think they’ve checked the Remember Me flag when logging in but actually forgot to check it? for me, it’s always unchecked by default. so i’ve definitely forgotten to check it even when i intended to check it.

(i think a lot of other sites will tend to remember whether you last checked that flag and will default to whatever that last state was, rather than always defaulting to a particular value.)

I’m getting logged out once or twice a day and I essentially never use the phone app. It happens for sure if I restart my computer for any reason, and it frequently happens when I close and reopen my browser (Safari for Mac). It is very inconsistent; I have found no pattern in the problem.

1 Like

I’ve now been logged out so many times that I ALWAYS check the Remember Me button. It doesn’t help.

Oddly, the site ~knows~ it’s me (see screen shot), but it thinks I need to log in.

i don’t think the site is indicating that it knows you’re looking at the Explore screen. you probably have just navigated to https://www.inaturalist.org/observations?user_id=teellbee, which should display roughly the same thing regardless of whether you’re logged in or not.

1 Like

I’ve been talking too fast. “Undefined user” is back this morning… Just after clicking on the filled login page (since always “not remembered” either).

I will be posting a separate topic for this one.

https://forum.inaturalist.org/t/automatically-redirected-to-undefined-user-page-after-logging-in/26915

2 Likes

not sure if this is the same kind of thing, but i noticed that if you explicitly log out of a session, then any existing remember_user_tokens will be revoked the next time you are authenticated.

for example:

  1. i logged in with the Remember Me option in both Firefox and Chrome, and then closed the browsers.
  2. i opened Edge and logged in (without Remember Me), then explicitly logged out
  3. going back through Firefox and Chrome, i’m forced to log in again.

(if in #2, i just close the browser, which effectively ends the session, then in #3, i’m not forced to log in again.)

i suppose this might be intentional. it might be a feature that if you log out in one place then any remember_user_tokens out in the wild will get revoked the next time they get checked.

That does sound like expected behavior to me (without checking).

FWIW - I’ve reproduced the issue, and found (what I believe to be) the root cause - which is that hitting some endpoints from the website incorrectly triggers a security protection, which has the side effect of clearing the remember_me token against the current logged in user in the database.
I’ve passed what I’ve found on to the devs. As it involves a security protection, I think they’re considering what the best approach to fix it should be.

4 Likes
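An added example, not part of any post in this thread and not iNaturalist's code: a toy model of the two behaviours described above, the explicit-logout experiment across three browsers and a protection that clears the stored token mid-session. It assumes a single remember token per user held server-side (the root-cause post says the token is cleared against the user in the database); `ToySite`, `trip_protection`, `restart` and `still_remembered?` are hypothetical names.

```ruby
require "securerandom"
# Toy model, constructed for illustration: one remember token per user, kept
# server-side and shared by every browser that logged in with "Remember Me".
class ToySite
  def initialize
    @remember = {}  # user => token the server currently accepts
    @sessions = {}  # session id => user
  end
  def log_in(user, remember_me: false)
    jar = { session: new_session(user) }
    if remember_me
      @remember[user] ||= SecureRandom.hex(16)
      jar[:remember_user_token] = "#{user}:#{@remember[user]}"
    end
    jar
  end

  # Explicit logout ends this session and forgets the stored token.
  def log_out(jar)
    @remember.delete(@sessions.delete(jar[:session]))
  end
  # Hypothetical protection firing mid-session: session survives, token is cleared.
  def trip_protection(jar)
    @remember.delete(@sessions[jar[:session]])
  end

  # Returns [logged_in?, cookie jar after the response].
  def visit(jar)
    return [true, jar] if @sessions.key?(jar[:session])
    user, token = jar[:remember_user_token].to_s.split(":", 2)
    return [true, jar.merge(session: new_session(user))] if token && @remember[user] == token
    [false, { session: SecureRandom.hex(8) }]  # stale token revoked, anonymous session
  end
  def new_session(user)
    SecureRandom.hex(8).tap { |sid| @sessions[sid] = user }
  end
end

# Closing a browser drops the session cookie but keeps the persistent one.
def restart(jar)
  jar.reject { |name, _| name == :session }
end
# Two remembered browsers, then `event` in a third; who is still logged in?
def still_remembered?(event)
  site = ToySite.new
  jars = Array.new(2) { restart(site.log_in("pat", remember_me: true)) }
  edge = site.log_in("pat")
  site.public_send(event, edge) unless event == :close_only
  jars.map { |jar| site.visit(jar).first }
end
```

`still_remembered?(:close_only)` keeps both browsers logged in, while `:log_out` and `:trip_protection` both leave every previously issued cookie stale, so from the user's side the two cases look the same.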

Just an update. Thanks to work by @pisum and others, we know the cause - we’re now looking into the best fix for it.

10 Likes