Frequent Logouts
Problem
Admins or users report that the system frequently logged them out of WHMCS and prompted them to log in again.
Cause
Common causes of this behavior include:
- A PHP misconfiguration on the server that hosts WHMCS. Common misconfigurations include:
- PHP session support is disabled.
- The session
auto_start
setting is enabled. - The session
save_path
value is not writable.
- A proxy or CDN misconfiguration on the server that hosts WHMCS.
- Insufficient disk space on the WHMCS installation’s server.
- The visitor’s IP address changed.
- The visitor is using a VPN.
Troubleshooting
PHP Misconfiguration
To find PHP misconfiguration issues, go to Configuration () > System Health.
gc-maxlifetime
value is too low. The default PHP session.gc-maxlifetime
value is 1440
seconds.Solution
If you find a PHP misconfiguration issue, work with your system administrator or hosting provider to adjust your PHP configuration.
Proxy/CDN Misconfiguration
If your server is behind a proxy server or CDN, a misconfiguration can break IP address detection and cause the system to log clients out.
To troubleshoot this, review the Admin Log at Configuration () > System Logs.
- Observe the IP addresses that the system logged against a single admin.
- If the IP address displays an internal IP address and not your connection’s public IP address, the server could be behind a proxy or CDN.
If the logs show different IP addresses, it may indicate a misconfiguration with the proxy or CDN:
Clients may also report that their IP address does not reflect their connection’s public IP address on the Checkout page of the shopping cart:
Solution
WHMCS checks for the below HTTP
headers to determine the visitor’s IP address. If an IP address is available and is not a local address, the system will use the first valid value as the client’s IP address for the shopping cart, client details, and logs. This applies to both IPv4 and IPv6 connections.
Work with your server administrator or hosting provider to configure one or more of these HTTP headers to forward a visitor’s IP address to PHP:
HTTP_CLIENT_IP
HTTP_X_FORWARDED_FOR
HTTP_X_FORWARDED
HTTP_X_CLUSTER_CLIENT_IP
HTTP_FORWARDED_FOR
HTTP_FORWARDED
REMOTE_ADDR
value.Configure WHMCS with details of your proxy server configuration and the HTTP header that WHMCS will use to detect the visitor’s IP address.
Insufficient Disk Space
If your server or the hosting account that hosts WHMCS has insufficient disk space to create new files, PHP will be unable to write the PHP session data to the disk storage location. As a result, authentication may be successful but PHP will not be able to store the authenticated state.
Solution
Work with your system administrator or hosting provider to increase the amount of available disk space.
A Visitor’s IP Address Changed
If a visitor’s IP address changes between loading the page and requesting the next page or submitting a form, the system will log them out. This is a security measure to protect against session hijacking.
Some internet connections (for example, mobile, 3G, 4G, or 5G) may change IP addresses more frequently than a fixed-line connection.
Review your HTTP server access logs and make sure client’s IP address is consistent as they browse around your website. A frequently-changing IP address for a single visitor can confirm this.
Solution
Ask the affected visitor to use a fixed-line connection with a consistent IP address.
You can also resolve this issue by checking Disable Session IP Check in the Security tab at Configuration () > System Settings > General Settings.
A Visitor Using a VPN
A VPN connection will change a visitor’s IP address (for example, during connection or disconnection or when changing between regions). Some VPN providers will change a visitor’s IP address automatically without the user’s knowledge.
Solution
Ask the user to use a connection with a consistent IP address assignment.
Last modified: October 30, 2024