#32647 Email notification on log out

Posted in ‘Admin Tools for Joomla! 4 & 5’

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by iorbita on Wednesday, 11 March 2020 13:37 CDT

iorbita
Hello,
I receive an email notification (Reason: Administration request) when I log out from the back-end. I can't find which option activates this notification. Can you help me to identify it?

Thank you,

Lorenzo

nicholas
Akeeba Staff
Manager
There is no such reason in Admin Tools. Could it be "Admin Query String" instead?

If that's the case, your login session had expired before you clicked the Log Out button. This redirected you back to the /administrator/index.php URL without the secret query parameter which is what triggered the security exception.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷 Greek: native 🇬🇧 English: excellent 🇫🇷 French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

iorbita
...the notification is no longer sent, very strange ...
The session is set to 240 minutes so I don't think it was related to an expired session, email subject was "Security exception on ..." and notification reason was "Administration Request", I will keep an eye on this problem, thank you!

Lorenzo

nicholas
Akeeba Staff
Manager
It's definitely an expired or broken session. I know how this feature works and I can tell you so you have full knowledge of what's going on.

When you access the admin login URL with the special query string parameter (e.g. http://www.example.com/administrator/index.php?mysecret) Admin Tools sets a "flag" in the session. That's a fancy way of saying that it tells Joomla to store a variable in the session with the value 1. On every subsequent access to a URL under /administrator Admin Tools checks the session for the existence of this variable. If it exists the page load proceeds. If it doesn't exist or has a value other than 1 it throws the security exception you saw.

Obviously that would cause a problem on logout since the session is reset. Admin Tools handles a Joomla event at this point which allows it to redirect your browser back to the admin login URL with the special query string parameter (e.g. http://www.example.com/administrator/index.php?mysecret) instead of the regular admin login page (e.g. http://www.example.com/administrator/index.php).

However, if the session has expired, reset or is otherwise broken when the logout event happens this redirection will NOT take place. Instead, the logout URL itself fails the check I mentioned above ("On every subsequent access to a URL...") and triggers a security exception.

Also note that if you are using the unified sessions feature of Joomla, where you have a single login session for the public frontend and the administrator backend, session expiration and breakage is more likely to happen. Moreover, using that feature exposes you to more risk regarding login brute forcing and login cookie stealing. While convenient it's bad for security and I recommend disabling it if you have it enabled.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷 Greek: native 🇬🇧 English: excellent 🇫🇷 French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
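
A minimal model of the session-flag check described in the reply above, added here as an illustration; it is not Admin Tools code. The session variable name, the `task=logout` and `option=com_users` queries and the return strings are assumptions made for the example, and the reason label is the one suggested in the first reply.

```python
from dataclasses import dataclass, field

SECRET = "mysecret"              # example parameter used in the post
FLAG = "gate_passed"             # hypothetical session variable name
REASON = "Admin Query String"    # reason name suggested in the first reply
LOGIN_URL = "/administrator/index.php"


@dataclass
class AdminGate:
    sessions: dict = field(default_factory=dict)    # session id -> variables
    exceptions: list = field(default_factory=list)  # (query, reason) records

    def expire(self, sid):
        """Session lifetime ran out, or the session was reset or broken."""
        self.sessions.pop(sid, None)

    def request(self, sid, query=""):
        """Process one request to a URL under /administrator."""
        if query == SECRET:
            # Login URL with the secret parameter: store the flag with value 1.
            self.sessions.setdefault(sid, {})[FLAG] = 1
            return "200 login page"
        if self.sessions.get(sid, {}).get(FLAG) != 1:
            # Flag missing or not 1: this is the check that raises the exception.
            self.exceptions.append((query, REASON))
            return "blocked: security exception"
        if query == "task=logout":   # simplified stand-in for the logout URL
            # Logout resets the session, so redirect to the URL that sets the
            # flag again instead of the plain login page.
            self.expire(sid)
            return f"302 {LOGIN_URL}?{SECRET}"
        return "200 admin page"


def replay(requests):
    """Run (sid, query) pairs; the query 'EXPIRE' models a lost session."""
    gate, results = AdminGate(), []
    for sid, query in requests:
        if query == "EXPIRE":
            gate.expire(sid)
        else:
            results.append(gate.request(sid, query))
    return results, gate.exceptions


if __name__ == "__main__":
    # Constructed request sequences: a clean logout and a logout on a lost session.
    normal = [("s1", SECRET), ("s1", "option=com_users"), ("s1", "task=logout")]
    stale = [("s1", SECRET), ("s1", "EXPIRE"), ("s1", "task=logout")]
    for name, seq in (("normal logout", normal), ("stale session", stale)):
        print(name, replay(seq))
```

The second sequence reproduces the situation in this ticket: the only request that is blocked and logged is the logout click itself.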

iorbita
...as usual thank you very much for this detailed explanation, top extension top developer! ;)

Lorenzo

PS: No worries, I don't use unified sessions feature ...
