
Troubleshooting Frequent Logouts

Symptoms

Admins or users may report that the system frequently logs them out of WHMCS and prompts them to log in again.

Common causes of this behavior include:

  • A PHP misconfiguration on the server that hosts WHMCS.
  • A proxy or CDN misconfiguration on the server that hosts WHMCS.
  • The visitor's IP address changed.
  • The visitor is using a VPN.

For information about other login problems, see Troubleshooting Login Problems.

PHP Misconfiguration

A PHP misconfiguration on the server that hosts WHMCS can stop the login session. Common misconfigurations include:

  • PHP session support is disabled.
  • The session auto_start setting is disabled.
  • The session save_path value is not writable.

Configuration > System Health can detect these misconfigurations.

However, Configuration > System Health cannot detect a session.gc_maxlifetime value that is too low. The default PHP session.gc_maxlifetime value is 1440 seconds.

Solutions

For help resolving a PHP session issue, see Resolving PHP Session Support Attention Items on the System Health Status Page.

For help resolving a session.gc_maxlifetime issue, see Increasing the time until logout (login session length).

WHMCS can store login session data in the MySQL® database instead of on the filesystem. Switching to database session storage can work around such limitations. For more information, see Database Sessions.

A Proxy/CDN Misconfiguration

If your server is behind a proxy server or CDN, a misconfiguration can break IP address detection and cause the system to log clients out.

To troubleshoot this, review the Admin Log at Configuration > System Logs.

Observe the IP addresses that the system logged against a single admin. If the log displays an internal IP address and not your connection's public IP address, the server could be behind a proxy or CDN.

If the logs show different IP addresses for the same admin, it may indicate a misconfiguration with the proxy or CDN.

For example:

Admin Log Screenshot showing IP address

Clients may report that their IP address does not reflect their connection's public IP address on the Checkout page of the shopping cart. 

For example:

Checkout Page screenshot showing IP address

Solutions

WHMCS checks for the following HTTP headers to determine the visitor's IP address. If a header supplies an IP address that is not a local address, the system will use the first valid value as the client's IP address for the shopping cart, client details, and logs. This applies to both IPv4 and IPv6 connections.

Work with your server administrator or hosting provider to configure one or more of these HTTP headers to forward a visitor's IP address to PHP:

  • HTTP_CLIENT_IP
  • HTTP_X_FORWARDED_FOR
  • HTTP_X_FORWARDED
  • HTTP_X_CLUSTER_CLIENT_IP
  • HTTP_FORWARDED_FOR
  • HTTP_FORWARDED

If none of these headers are available, WHMCS will fall back to the value from REMOTE_ADDR.

Configure WHMCS with details of your proxy server configuration and the HTTP header that WHMCS will use to detect the visitor's IP address. For more information, see Trusted Proxy Settings.

A Visitor's IP Address Changed

If a visitor's IP address changes between loading the page and requesting the next page or submitting a form, the system will log them out. This is a security measure to protect against session hijacking.

Some internet connections (for example, mobile, 3G, 4G, or 5G) may change IP addresses more frequently than a fixed-line connection.

Review your HTTP server access logs and make sure that the client's IP address is consistent as they browse around your website. A frequently-changing IP address for a single visitor can confirm this.
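One way to run the Admin Log review and the access log review described above, as an added example that is not WHMCS code. It assumes you have copied (user, IP) pairs out of either log in chronological order; the row format, the sample data, and the list of ranges counted as internal are assumptions of this example.

```python
import ipaddress
from collections import defaultdict

# Ranges treated as "internal" here (an assumption of this example):
# RFC 1918, loopback and link-local for IPv4; loopback, ULA and link-local for IPv6.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

# Constructed sample rows (login name, logged IP), oldest first. Not real log data.
SAMPLE_ROWS = [
    ("alice", "10.0.0.5"),
    ("alice", "10.0.0.5"),
    ("bob", "203.0.113.7"),
    ("bob", "198.51.100.23"),
    ("bob", "203.0.113.7"),
    ("carol", "2001:db8::10"),
    ("carol", "2001:DB8::10"),
]

def is_internal(ip):
    """True if the address falls in one of INTERNAL_NETS."""
    addr = ipaddress.ip_address(ip)  # raises ValueError on malformed input
    return any(addr in net for net in INTERNAL_NETS)

def diagnose(rows):
    """Return {user: (verdict, switches)} for chronological (user, ip) rows."""
    history = defaultdict(list)
    for user, ip in rows:
        # Normalise so that differently written forms of one address compare equal.
        history[user].append(str(ipaddress.ip_address(ip.strip())))
    findings = {}
    for user, ips in history.items():
        # Count how often the address differs from the previous request.
        switches = sum(1 for prev, cur in zip(ips, ips[1:]) if prev != cur)
        if any(is_internal(ip) for ip in ips):
            verdict = "internal-ip"  # proxy/CDN is likely not forwarding the client IP
        elif switches:
            verdict = "ip-changed"   # proxy/CDN misconfiguration, mobile network or VPN
        else:
            verdict = "consistent"
        findings[user] = (verdict, switches)
    return findings

if __name__ == "__main__":
    for user, (verdict, switches) in diagnose(SAMPLE_ROWS).items():
        print(f"{user}: {verdict} ({switches} IP switches)")
```

An "internal-ip" verdict points to the proxy or CDN section above, while "ip-changed" with a consistent proxy setup points to the visitor's own connection.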

Solutions

Ask the affected visitor to use a fixed-line connection with a more consistent IP address assignment.

Check Disable Admin Password Reset in the Security tab at Configuration > System Settings > General Settings. For more information, see Security Tab.

A Visitor Using a VPN

A VPN connection will change a visitor's IP address (for example, during connection or disconnection or when changing between regions). Some VPN providers will change a visitor's IP address automatically without the user's knowledge.

Solutions

Ask the user to use a connection with a consistent IP address assignment.