#27806 WAF locks me out when I am logged in to the admin UI

Posted in ‘Admin Tools for Joomla! 4 & 5’

Environment Information

Joomla! version: n/a
PHP version: n/a
Admin Tools version: n/a

Latest post by the gorilla on Friday, 19 May 2017 09:04 CDT

the gorilla
Hello Akeeba,

I have an ongoing issue with Akeeba WAF that I would really like to resolve.

If I am logged into my website backend and go off to do some other task, still logged in, after about half an hour the WAF raises an Admin Query String exception against my IP, obviously blocking me.

As far as I can recall, this has been happening ever since I have used Joomla 3.x. The simple solution is not to leave the admin UI unattended, but that does not stop this issue from being a nuisance.

Any light you can shed on this would be really helpful.

Thanks,
CGB

dlb
Nicholas figured this out a while back. When you leave your screen open like that, eventually it hits the session time limit and that logs you out. Then the Joomla! keep-alive JavaScript keeps pinging the session and produces security exceptions.

If you have a static IP address, you can fix this by entering your IP in the "Never block these IPs" field.

If you have a dynamic IP address, you can't fix it, you can only slow it down. Go to the Joomla! Global Configuration screens and increase the session timeout setting. That will give you a longer period of time to come back and start working again, but eventually you will get locked out again.

Dale L. Brackin
Support Specialist
English: native

Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

My time zone is EST (UTC -5), Philadelphia, PA
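The sequence Dale describes (the admin session lapses, the page's keep-alive pings then hit an administrator URL without a session, the WAF logs an exception per ping and eventually auto-bans the IP), together with both mitigations from his reply, as an added Python simulation. This is not code from the ticket or from Admin Tools itself: the keep-alive interval, the auto-ban threshold, the exception label and the assumption that pings do not extend an expired session are constructed for the model; only the "Never block these IPs" list and the Joomla! Session Lifetime setting come from the thread.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class WafConfig:
    """Knobs for the model. session_lifetime_min stands for Joomla!'s
    Global Configuration "Session Lifetime"; the other numbers are constructed."""
    session_lifetime_min: int = 15
    keepalive_interval_min: int = 5           # constructed: how often the tab pings
    ban_after_exceptions: int = 3             # constructed: auto-ban threshold
    never_block_ips: frozenset = frozenset()  # the "Never block these IPs" list


@dataclass
class WafState:
    exceptions: list = field(default_factory=list)  # (minute, ip, reason)
    banned_ips: set = field(default_factory=set)


def handle_keepalive(cfg: WafConfig, state: WafState, minute: int,
                     ip: str, last_activity_min: int) -> str:
    """Process one keep-alive ping at `minute` and report what the WAF did:
    'ok' (session still valid), 'exempt' (listed IP), 'exception' or 'banned'."""
    if ip in state.banned_ips:
        return "banned"
    # Model simplification: only real admin activity keeps the session alive,
    # so it lapses session_lifetime_min after the admin walked away.
    if minute - last_activity_min < cfg.session_lifetime_min:
        return "ok"
    # Session gone: the ping is now an unauthenticated hit on an admin URL.
    if ip in cfg.never_block_ips:
        return "exempt"
    state.exceptions.append((minute, ip, "Admin Query String"))  # label constructed
    hits = sum(1 for _, hit_ip, _ in state.exceptions if hit_ip == ip)
    if hits >= cfg.ban_after_exceptions:
        state.banned_ips.add(ip)
        return "banned"
    return "exception"


def minutes_until_lockout(cfg: WafConfig, ip: str, horizon_min: int = 240):
    """The admin stops working at minute 0 and leaves the tab open. Return the
    minute at which the IP gets banned, or None if it never happens."""
    state = WafState()
    minute = 0
    while minute < horizon_min:
        minute += cfg.keepalive_interval_min
        if handle_keepalive(cfg, state, minute, ip, 0) == "banned":
            return minute
    return None


if __name__ == "__main__":
    admin_ip = "192.0.2.10"  # constructed TEST-NET-1 address
    print("default settings:", minutes_until_lockout(WafConfig(), admin_ip))
    print("IP on never-block list:",
          minutes_until_lockout(WafConfig(never_block_ips=frozenset({admin_ip})), admin_ip))
    print("session lifetime 60 min:",
          minutes_until_lockout(WafConfig(session_lifetime_min=60), admin_ip))
```

With the constructed numbers the ban lands at minute 25: the first three pings find a live session, the next three each log an exception, and the third exception trips the ban. Listing the IP removes the ban entirely, while raising the session lifetime to 60 minutes only pushes the ban to minute 70, which is exactly the "slows it down but does not fix it" behaviour Dale describes for dynamic addresses.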

the gorilla
Thanks for the reply, Dale. That is pretty much as I thought would be the case, and it's also why I have not raised it before. I was hoping that eventually someone would put a change request in and make a design change to resolve this issue.

Regards,
CGB

dlb
I'm sorry I couldn't give you better news.


the gorilla
Just a thought, and then I guess this ticket is closed. When the session times out, a routine could be created to ensure that the last successful user was not added to the blocklist. Something like this pseudocode...


most-recent-session-user-ip = 'nnn.nnn.nnn.nnn' // Successful session user's IP address

IF session-ended AND (login-attempt-ip == most-recent-session-user-ip) THEN
// don't include IP on block list
....
....
ENDIF


Regards,
CGB

dlb
I flagged your ticket for Nicholas and Davide. They discussed it. This is the bit that I understood:
Davide Tampellini [9:31 AM]

The problem is that when the session expires, there's no event we can "hook" on it.

This only happens when the user manually clicks on the "logout" button.

Nicholas Dionysopoulos [9:31 AM]

The session is the "memory". When it's lost you can't "remember" anything.



the gorilla
Thanks for looking into this, Dale. However, I'm hoping that this may not be the end of the matter and some time might eventually be found to resolve this issue. I have confidence that ND and the development folks there at Akeeba (I'm assuming it is more than Nicholas on his own nowadays) are capable of cracking this issue if they can find time to look at it.

Regards, CGB

Please go ahead and close this ticket
