Idle Session Timeout

I have always suspected dated reminders, though I don't think it uses CSRF.
We also have our timeout daemon running in an iframe.
We need to change the error handler that logs the error so we can see where the error occurred…
Maybe a runtime exception catch to log.

I'm not seeing this behaviour on Windows XAMPP, so it may be an Ubuntu issue. You could take a look at the php.ini session settings.


might be some "insanity" in the demo farms 🙂

I finally got around to enabling some of the debugging in the globals. The joy of socks is what I have found in the log file. There are a few of the "destroying session" entries.

 PHP Warning:  session_destroy(): Trying to destroy uninitialized session in /var/www/html/boss/src/Common/Session/SessionUtil.php on line 231, referer: https://ehr.medbossconsulting.com/interface/main/tabs/main.php?token_main=1604N4xqBfp2sM8ythwLgTJU08kU4KoUweFYh6AB

thejoyofsocks.txt (64.2 KB)

I was able to get the system to log me out normally by changing this in the globals. (Don't try this at home.)

    // access is attempted.  Sherwin is attempting to figure out if
    if (empty($_SESSION['site_id']) || !empty($_GET['site'])) {
        if (!empty($_GET['site'])) {
            $tmp = $_GET['site'];
        } else {
            if (empty($ignoreAuth) && empty($ignoreAuth_onsite_portal)) {
                // mdsupport - Don't die if logout menu link is called from expired session.
                // Eliminate this code when close method is available for session management.
                if ((isset($_GET['auth'])) && ($_GET['auth'] == "logout")) {
                    $GLOBALS['login_screen'] = "login_screen.php";
                    $srcdir = "../library";
                    require_once("$srcdir/auth.inc");
                }
                //die("Site ID is missing from session data!");
                // Falls back to the site ID supplied on the URL instead of dying.
                $tmp = $_GET['site'];   //change made by sherwin that needs to be undone in the future
            }
        } // end else: no site on the URL
    } // end if: site ID missing from session or supplied on the URL

Now that I have told the system to look at the URL and get the site ID, it does, and the pages time out less. If I leave the site unchanged for 20 minutes, it logs me out. However, in the globals the timeout is set for 5 hrs (18000). But this is an improvement over randomly getting the "site id missing" message.

I believe I have found the solution for our situation.

    /**
     * This function refreshes the whole flb_table according to our to/from dates.
     */
    function refreshMe(fromTimer) {
        top.restoreSession();  //<-- Added this restore top and the random time outs stopped.
        if (typeof fromTimer === 'undefined' || !fromTimer) {
            //Show loader in the first loading or manual loading not by timer
            $("#flb_table").html('');
            $('#loader').show();
            skip_timeout_reset = 0;
        } else {
            skip_timeout_reset = 1;
        }

        var startRequestTime = Date.now();
        top.restoreSession();
        var posting = $.post('../patient_tracker/patient_tracker.php', {
            flb_table: '1',
            form_from_date: $("#form_from_date").val(),
            form_to_date: $("#form_to_date").val(),
            form_facility: $("#form_facility").val(),
            form_provider: $("#form_provider").val(),
            form_apptstatus: $("#form_apptstatus").val(),
            form_patient_name: $("#form_patient_name").val(),
            form_patient_id: $("#form_patient_id").val(),
            form_apptcat: $("#form_apptcat").val(),
            kiosk: $("#kiosk").val(),
            skip_timeout_reset: skip_timeout_reset,
            csrf_token_form: <?php echo js_escape(CsrfUtils::collectCsrfToken()); ?>
        }).done(
            function (data) {
                //minimum 400 ms of loader (In the first loading or manual loading not by timer)
                if ((typeof fromTimer === 'undefined' || !fromTimer) && Date.now() - startRequestTime < 400) {
                    setTimeout(drawTable, 500, data);
                } else {
                    drawTable(data);
                }
            });
    }

I did this because my log file had this in it when I just opened the instance, did nothing, and let it close on its own.

	[Fri Apr 23 21:37:26.542053 2021] [php7:notice] [pid 43774] [client 70.184.171.187:50984] Session site ID has been set to 'serenity', referer: https://ehr.thejoyofsox.com/interface/login/login.php?site=serenity
	[Fri Apr 23 21:39:24.101685 2021] [php7:notice] [pid 44001] [client 71.208.153.216:54807] Site death could have occured but rerouted, referer: https://ehr.thejoyofsox.com/interface/patient_tracker/patient_tracker.php?skip_timeout_reset=1
	[Fri Apr 23 21:39:24.101753 2021] [php7:notice] [pid 44001] [client 71.208.153.216:54807] Session site ID has been set to 'default', referer: https://ehr.thejoyofsox.com/interface/patient_tracker/patient_tracker.php?skip_timeout_reset=1
	[Fri Apr 23 21:39:24.135371 2021] [php7:notice] [pid 44001] [client 71.208.153.216:54807] This is the site id at the time of closing  - , referer: https://ehr.thejoyofsox.com/interface/patient_tracker/patient_tracker.php?skip_timeout_reset=1
	[Fri Apr 23 21:39:24.135418 2021] [php7:warn] [pid 44001] [client 71.208.153.216:54807] PHP Warning:  session_destroy(): Trying to destroy uninitialized session in /var/www/html/boss/src/Common/Session/SessionUtil.php on line 232, referer: https://ehr.thejoyofsox.com/interface/patient_tracker/patient_tracker.php?skip_timeout_reset=1
	[Fri Apr 23 21:39:24.225654 2021] [php7:notice] [pid 44001] [client 71.208.153.216:54807] Session site ID has been set to 'default', referer: https://ehr.thejoyofsox.com/interface/patient_tracker/patient_tracker.php?skip_timeout_reset=1
	[Fri Apr 23 21:39:24.547703 2021] [php7:notice] [pid 44001] [client 71.208.153.216:54807] Session site ID has been set to 'default', referer: https://ehr.thejoyofsox.com/interface/login_screen.php?error=1&site=default
	[Fri Apr 23 21:43:38.056766 2021] [php7:notice] [pid 43580] [client 174.239.2.63:4743] Session site ID has been set to 'default', referer: https://ehr.thejoyofsox.com/portal/?site=serenity
	[Fri Apr 23 22:09:08.513110 2021] [php7:notice] [pid 43628] [client 70.184.171.187:51853] Site death could have occured but rerouted, referer: https://ehr.thejoyofsox.com/interface/patient_tracker/patient_tracker.php?skip_timeout_reset=1
	[Fri Apr 23 22:09:08.513180 2021] [php7:notice] [pid 43628] [client 70.184.171.187:51853] Session site ID has been set to 'default', referer: https://ehr.thejoyofsox.com/interface/patient_tracker/patient_tracker.php?skip_timeout_reset=1
	[Fri Apr 23 22:09:08.548569 2021] [php7:notice] [pid 43628] [client 70.184.171.187:51853] This is the site id at the time of closing  - , referer: https://ehr.thejoyofsox.com/interface/patient_tracker/patient_tracker.php?skip_timeout_reset=1
	[Fri Apr 23 22:09:08.548628 2021] [php7:warn] [pid 43628] [client 70.184.171.187:51853] PHP Warning:  session_destroy(): Trying to destroy uninitialized session in /var/www/html/boss/src/Common/Session/SessionUtil.php on line 232, referer: https://ehr.thejoyofsox.com/interface/patient_tracker/patient_tracker.php?skip_timeout_reset=1
	[Fri Apr 23 22:09:08.593895 2021] [php7:notice] [pid 43628] [client 70.184.171.187:51853] Session site ID has been set to 'default', referer: https://ehr.thejoyofsox.com/interface/patient_tracker/patient_tracker.php?skip_timeout_reset=1
	[Fri Apr 23 22:09:08.713331 2021] [php7:notice] [pid 43628] [client 70.184.171.187:51853] Session site ID has been set to 'default', referer: https://ehr.thejoyofsox.com/interface/login_screen.php?error=1&site=default

I added this error message (This is the site id at the time of closing - , ) to see where the system was coming from at the time of closing.

As you can also see, the site was being reset to 'default', which should not happen for a multi-site setup.

I also added the (Site death could have occurred but rerouted,) so that the "site id missing" case was rerouted to the site ID in the URL that was not in the session.

This is the end of my report.

I am bringing this topic up, since idle session timeout is necessary for HIPAA (we have it set up for 10 minutes, which, I believe, is the HIPAA requirement), but perhaps something could be done to help the user to avoid losing their work…

In the function isSessionExpired() in the SessionTracker.php file, what if I do something like:

    if (($current_time - $last_updated) < $GLOBALS['timeout'] && ($current_time - $last_updated) < 60) {
        echo '<script language="javascript"> alert("Session will expire in less than 1 minute"); </script>';
        return false;
    }

Will this work to throw an alert box and to inform the user to save their work or will it expire first due to inactivity? I thought that, if it works, this would be a simple reminder for the user, but I don’t know if it would…

Thanks!
Alex.
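The following is an added illustration of a browser-side idle warning, written for this thread; it is not code from OpenEMR or from any post above. A server-side check such as isSessionExpired() only runs when a request reaches the server, so to warn an idle user the countdown has to live in the browser. The example counts idle time client-side, fires a warning callback one minute before the configured timeout, fires an expiry callback at the timeout, and deliberately ignores timer-driven refreshes (the skip_timeout_reset case from refreshMe above) so that an open tab cannot keep a session alive forever. The 600-second timeout, the 60-second warning lead and the callback names are constructed assumptions for the example; the server's own session tracker remains the authority on whether the session is still valid.

```javascript
// Client-side idle-session warning (added example; not OpenEMR code).
// Assumed for this example: the server's idle timeout is 600 s (the 10-minute
// value mentioned in the thread) and the client wants a warning 60 s before it.
const DEFAULT_TIMEOUT_SEC = 600; // constructed: server idle timeout
const DEFAULT_WARN_SEC = 60;     // constructed: warn this long before expiry

// Pure function: classify the session from the last user activity and the
// current time (both in ms). Returns 'active', 'warning' or 'expired'.
function sessionState(lastActivityMs, nowMs,
                      timeoutSec = DEFAULT_TIMEOUT_SEC, warnSec = DEFAULT_WARN_SEC) {
  const remainingSec = timeoutSec - (nowMs - lastActivityMs) / 1000;
  if (remainingSec <= 0) {
    return { state: 'expired', remainingSec: 0 };
  }
  if (remainingSec <= warnSec) {
    return { state: 'warning', remainingSec };
  }
  return { state: 'active', remainingSec };
}

class IdleSessionMonitor {
  // `now` is injectable so the schedule can be exercised without waiting.
  constructor({ timeoutSec = DEFAULT_TIMEOUT_SEC, warnSec = DEFAULT_WARN_SEC,
                now = Date.now, onWarn = () => {}, onExpire = () => {} } = {}) {
    this.timeoutSec = timeoutSec;
    this.warnSec = warnSec;
    this.now = now;
    this.onWarn = onWarn;
    this.onExpire = onExpire;
    this.lastActivityMs = now();
    this.warned = false;
    this.expired = false;
  }

  // Record activity. Timer-driven background refreshes (fromTimer === true) do
  // not count, mirroring skip_timeout_reset: if they did, the idle timeout
  // would never fire while a tracker tab was open. An expired session is not
  // revived here; the server has already destroyed it.
  recordActivity({ fromTimer = false } = {}) {
    if (fromTimer || this.expired) {
      return false;
    }
    this.lastActivityMs = this.now();
    this.warned = false;
    return true;
  }

  // Evaluate once (poll this from setInterval in a page). Fires onWarn once per
  // idle period and onExpire once; returns the current state name.
  tick() {
    const s = sessionState(this.lastActivityMs, this.now(), this.timeoutSec, this.warnSec);
    if (s.state === 'expired' && !this.expired) {
      this.expired = true;
      this.onExpire();
    } else if (s.state === 'warning' && !this.warned) {
      this.warned = true;
      this.onWarn(Math.ceil(s.remainingSec));
    }
    return s.state;
  }
}

// Browser wiring: reset on real user input, poll once a second. Returns null
// when there is no window (e.g. when the module is loaded under Node).
function installIdleMonitor(monitor, intervalMs = 1000) {
  if (typeof window === 'undefined') {
    return null;
  }
  for (const evt of ['click', 'keydown', 'mousemove', 'touchstart']) {
    window.addEventListener(evt, () => monitor.recordActivity(), { passive: true });
  }
  return window.setInterval(() => monitor.tick(), intervalMs);
}
```

In a page, the onWarn callback would show the "save your work" prompt and onExpire would redirect to the login screen; the automatic refresh in refreshMe would keep passing fromTimer so that it neither resets this monitor nor, via skip_timeout_reset, the server-side tracker.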