I have successfully installed Liferay 7 and configured CAS 3.6 for SSO. Everything was working fine. I was able to create users, assign roles, create pages, etc.

After a few days, when I was trying to create a new user via admin, I got the warning "User 30810 is not allowed to access URL https://mysite:8443/group/control_panel/manage and portlet com_liferay_users_admin_web_portlet_UsersAdminPortlet". I was not able to create the user, and from then on that user does not have any of the permissions that I used earlier.

I googled a lot on this and got a few suggestions like:

1) Adding below in portal-ext.properties:

redirect.url.security.mode=domain
redirect.url.domains.allowed=*.mysite.com

session.timeout.warning=0
session.timeout.auto.extend=true

2) Some links:

https://web.liferay.com/community/forums/-/message_boards/message/92226678

3) Somewhere it is mentioned that this is a bug in Liferay that started with Liferay 7 GA4.

4) If you read the link, it is mentioned that it is related to the Guest user and session expiration, which starts causing this issue, etc.

Has anyone gone through this issue? Is there any solution or workaround for this?

I was not able to update this question with all the options I tried or the solutions that are mentioned on Google or Liferay's official Jira sites; however, I will keep updating this question with proper references. Meanwhile, do provide your suggestions/solutions.

Rushikesh Garadade
  • What happened between the time it was working and when it stopped? Did you make some config changes? Did you update Liferay? – Miroslav Ligas Mar 06 '18 at 16:37
  • I did not update Liferay, nor did I make any config changes; I have made some CSS changes though. However, it is said somewhere that this starts happening when some session automatically logs out – Rushikesh Garadade Mar 07 '18 at 05:51

2 Answers

"this starts happening when some session automatically logs out" This phrase tells me several things, like the possibility of a user logging out even though you set "session.timeout.auto.extend".

Two basic scenarios where this can happen are:

  • When you close your tabs, after the assigned timeout, the user will be logged out. And when you get back, especially after a browser crash or using the back button, your browser uses old data.
  • When you have the auto session extension working with a big timeout, leading to the possibility of the session timeout configured in Liferay being bigger than the one configured on the server.

In the last case, one might be interested in completing the config you showed with short timeouts.

session.timeout.warning=0
session.timeout.auto.extend=true
session.timeout=5
session.timeout.redirect.on.expire=true

I know it is an old thread but it may help someone...

Victor

The "extend session" functionality is not working correctly and the final user session is expired, so when they try to log in, they have the wrong CSRF token from the previous session:

  1. You have to double-check that the session.timeout in Liferay's portal.properties has the same value as the session timeout configured in your application server.
  2. You also have to check that session.timeout.auto.extend.offset is greater than 60 seconds, to avoid having problems with Chrome's intensive JavaScript throttling.
jorgediaz-lr
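
The two checks listed in the answer above, written as a small script. This is an added example, not code from either answer or from Liferay. The function names and both sample files are constructed, and it assumes session.timeout and the web.xml session-timeout are both in minutes and the offset is in seconds.

```python
import xml.etree.ElementTree as ET

def parse_properties(text):
    """Parse key=value lines, ignoring blanks and comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def web_xml_timeout(xml_text):
    """Return the session-timeout value from web.xml, or None if absent."""
    for el in ET.fromstring(xml_text).iter():
        # Strip any XML namespace so namespaced and plain web.xml both match.
        if el.tag.rsplit("}", 1)[-1] == "session-timeout" and el.text:
            return int(el.text.strip())
    return None

def check_session_config(props_text, web_xml_text):
    """Return a list of findings; an empty list means both checks pass."""
    props, findings = parse_properties(props_text), []
    portal, server = props.get("session.timeout"), web_xml_timeout(web_xml_text)
    if portal is None or server is None:
        findings.append("timeout unset on one side: portal=%s server=%s" % (portal, server))
    elif int(portal) != server:
        findings.append("timeout mismatch: portal=%s server=%s" % (portal, server))
    if props.get("session.timeout.auto.extend", "").lower() == "true":
        offset = props.get("session.timeout.auto.extend.offset")
        if offset is None:
            findings.append("auto.extend.offset not set in this file")
        elif int(offset) <= 60:
            findings.append("auto.extend.offset=%s is not greater than 60" % offset)
    return findings

# Constructed sample inputs (not from a real deployment).
PORTAL_EXT = """\
session.timeout.warning=0
session.timeout.auto.extend=true
session.timeout=5
session.timeout.redirect.on.expire=true
"""
WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <session-config><session-timeout>30</session-timeout></session-config>
</web-app>"""

if __name__ == "__main__":
    for finding in check_session_config(PORTAL_EXT, WEB_XML):
        print(finding)
```

An offset reported as not set only means the key is missing from the file that was checked; the effective value then comes from the portal's defaults and should be confirmed separately.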