#35321 Admin tools recording Admin Query String security exception when editing articles - /administrator/index.php?option=com_content&task=article.edit&id=217

Posted in ‘Admin Tools for Joomla! 4 & 5’

Latest post by on Thursday, 01 July 2021 20:17 CDT

artful

Hello,

We have a super user that is continuously being kicked out of their site when attempting to access or edit an article. To make matters worse, it does not happen every time, but sporadically. We have discovered that because this event adds a security exception to the blocking list, they are also eventually blocked by Admin Tools.

The Blocked Request Log gives the reason as 'Admin Query String' with the target URL being /administrator/index.php?option=com_content&task=article.edit&id=217

Adding them to the Never Block List seems to help them for a while; however, their ISP regularly updates their IP, making this difficult to manage.

We do use your administrator secret URL parameter and the super user has successfully logged in using that.  We, as their developers, also have been able to replicate the issue.

Allow administrator access only to IPs in Exclusive Allow IP List is set to NO.

Our process to get around the problem has been to ensure our current IP is in the Never Block List as soon as we log in which appears to stop the issue, enabling us to make their edits for them, but it is not really a practical option for the client.

This issue has been happening for over a year now, so it is not anything to do with updates or new versions of things.  We have tweaked AdminTools config settings to no avail.

The site was originally built in 2014 in Joomla 2.5 and regularly updated.

Third party installed extensions include:

Admin Tools
Akeeba Backup
JCE Editor
RSForm Pro
RegularLabs Tabs
RegularLabs Modules Anywhere
RegularLabs Articles Anywhere

We also appear to not have this issue when we disable Admin Tools.

Thanks, I hope you can help as this is a very frustrating issue for our client.

Kind regards,

Chrysti

nicholas
Akeeba Staff
Manager

His session is expiring because it's taking him too long between visiting pages in the backend. Increase the Joomla session timeout in its Global Configuration.

Moreover, please tell that user that if they don't interact with the site's backend for a while ("a while" being the session timeout you specified) they will be kicked out of the site. Also tell them that if they open an article for editing and go for lunch, yeah, the article editor is open on their browser but their session has expired, i.e. all their changes are lost. I consider these instructions to be part of "How to use the Joomla backend, an introduction for absolute beginners".

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

artful

Thanks for the prompt reply Nicholas.

The issue is that the user does not waste any time in between editing. They log in, go to edit an article and wham, it kicks them out, almost immediately, without any downtime. This happens in the middle of use. They do not have any other instance of the admin open in another tab or anything. We know better than to waste your time and expertise with something as simple as a regular session time out! :)

The user also knows to always close down articles when done and log out when not using, and assures me this is what they do, and session time is set to 35 mins. This is not a standard issue, unfortunately. It is something that I have experienced in their site too and can confirm that it is definitely not a regular session time out.

Is it likely that a regular session timeout would result in an 'Admin Query String' block reason?

We have been troubleshooting for months, you are our only hope! :)

When Admin Tools is disabled this log out does not seem to happen.

Do you have any other ideas?

Thanks

Chrysti

 

nicholas
Akeeba Staff
Manager

> Is it likely that a regular session timeout would result in an 'Admin Query String' block reason?

Yes, absolutely! In fact, it's supposed to. The Administrator Secret URL parameter works like this. Admin Tools checks your session for a special "flag". If this flag doesn't exist, it checks whether the URL includes the secret URL parameter. If so, it sets the flag. If the flag is not set a blocked request of the type "Admin Query String" is recorded and the user is redirected back to the front-page of the site.

If the session times out, gets corrupt or gets deleted for any reason you should indeed experience a redirection to the frontend of the site AND an Admin Query String blocked request recorded in the log.

If it is not a session timeout, check what kind of session handler you have. If it's the database handler, make sure the Admin Tools' system plugin isn't set up to clear the session table periodically because that could kick you out in some cases.

If that's not the case your session is getting corrupt. The database session storage handler should be OK for session data up to 1MB. If you are editing articles longer than that it will get corrupt. I've seen that happen on a real world site many years ago :) Using the native handler usually works.

If the session storage handler is Redis or memcached and you're also using it for Joomla's page cache it's worth checking if you have anything clearing the cache periodically, e.g. Regular Labs' Cache Cleaner. The way Joomla works in this case is that all keys would be removed from the in-memory Redis or memcached cache, including the keys referring to the session, causing this kind of problem.

In my experience the more likely issues are those in the order presented. 

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
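
A minimal model of the flag check described in the reply above, added here as an illustration and not Admin Tools' own code. The flag name, secret word, in-memory session store and IP address are constructed assumptions; the model shows why a purged or expired session produces the same redirect and 'Admin Query String' log entry even when the user is actively working.

```python
from urllib.parse import urlsplit, parse_qs

SECRET_PARAM = "s3cret"        # constructed placeholder for the secret URL parameter
FLAG = "admin_secret_ok"       # hypothetical name for the session flag
EDIT_URL = "/administrator/index.php?option=com_content&task=article.edit&id=217"


class Backend:
    """Toy backend: a session store plus the secret-parameter gate."""

    def __init__(self, lifetime_s):
        self.lifetime = lifetime_s
        self.sessions = {}      # session id -> (last_seen, data)
        self.blocked_log = []   # (ip, reason, url)

    def _load(self, sid, now):
        entry = self.sessions.get(sid)
        if entry is None or now - entry[0] > self.lifetime:
            return {}           # purged, expired or unreadable: starts empty
        return entry[1]

    def purge_sessions(self):
        """Stands in for a session-table cleanup or a cache flush."""
        self.sessions.clear()

    def request(self, sid, ip, url, now):
        data = self._load(sid, now)
        params = parse_qs(urlsplit(url).query, keep_blank_values=True)
        if FLAG not in data and SECRET_PARAM in params:
            data[FLAG] = True   # secret supplied: remember it in the session
        self.sessions[sid] = (now, data)
        if FLAG not in data:
            self.blocked_log.append((ip, "Admin Query String", url))
            return "redirect:/"
        return "ok"


def demo():
    ip = "203.0.113.7"          # constructed documentation-range address
    b = Backend(lifetime_s=35 * 60)
    results = [
        b.request("sid1", ip, "/administrator/index.php?" + SECRET_PARAM, 0),
        b.request("sid1", ip, EDIT_URL, 60),    # flag still in session
    ]
    b.purge_sessions()                          # session data lost mid-use
    results.append(b.request("sid1", ip, EDIT_URL, 120))
    return results, b.blocked_log
```

When reading a real Blocked Request Log, an 'Admin Query String' entry for a deep backend URL from a user who logged in correctly is therefore evidence of lost session data, not of a wrong secret word.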
