I’m having an unusual issue with a v13 site. When I log into Umbraco, everything works normally. If I go into Users and look at my own entry, then it shows the correct date and time under Last Login, and all is well.
However, two other users have reported that they can only stay logged in for about a minute, then they get dumped back to the login screen. If I look at their accounts under Users then Last Login is not changing: they supposedly haven’t logged in since 2022/23!
I can find nothing relevant in UmbracoTraceLog.json.
The site was recently upgraded from 13.8.1 to 13.9.2 and I can only assume that the issue started occurring at the same time.
It’s worth pointing out that the site was originally built in v7 and that it uses usernames rather than email addresses.
Any idea what’s going on here?
Edit: Something I noticed is that the two affected accounts both have a space in the username (while known-good accounts do not). I removed the space from one of them and she can now log in and stay logged in, and the Last Login field now updates correctly. I now suspect that the upgrade to 13.9.2 may have introduced a bug if your username contains a space. Is anyone able to confirm that?
There are a few security settings you should check.
Umbraco:CMS:Security:AllowConcurrentLogins
This setting is false by default and will only allow one concurrent session per user; however, whether it will cause conflicts in your scenario is doubtful.
Umbraco:CMS:Security:KeepUserLoggedIn
This is also false by default and logs out any user that have not shown any (network) activity in a set amount of time (which is configurable by Umbraco:CMS:Global:TimeOut). You could try setting this to true and see if it logs out your users, or set TimeOut to a high value, such as an hour 01:00:00.
I’m now convinced that it’s the space: removing it from the other affected person’s username has also fixed the issue for her. None of the users without a space had the issue.
I see. What happens after a minute (or every minute, in fact) is that the Backoffice calls an endpoint to ask how many seconds are left until timeout. Let’s say something went wrong there in that endpoint recognizing the user, for example, if they have a space, as you say. The Backoffice would send them back to the login screen if it thought they had less than 60 seconds back. The endpoint has a URL containing something like “GetRemainingTimeUntilTimeout” or similar. You could check if that is the culprit.
If that is, in fact, the culprit, you have discovered a bug with Umbraco, and I would encourage you to create an issue on the issue tracker.