Constantly logged out of UI but not returned to login page

Your software
My Mautic version is: 3.2.2
My PHP version is: 7.3.20
My Database type and version is: MySQL 8.0.19

Your problem
My problem is: We have recently “gone live” with Mautic and ever since going live we are constantly being logged out of the Mautic UI, which wasn’t happening before. It is on the same install, it is just that it is now receiving “live” traffic to track, whereas previously it was only “test” traffic from our test website. It is almost like the increase in traffic to Mautic has somehow affected the logged-in status of users of the Mautic UI. The “keep me logged in login” option on the login page also appears to have no effect.

The other issue is when you get logged out, e.g. x time idle, when you then click something in the UI, e.g. try to go to a section, nothing happens for the user. I would expect it to refresh you back to the login screen, but this only happens if you refresh the whole page, e.g. F5 (Windows) / Cmd+R (Mac).

We are running on the Docker version of Mautic if that makes any difference.

These errors are showing in the log: No errors in logs.

So a bit more digging and I think I see the issue, but don’t know why it has only started since we went live. Firstly, the not being sent back to the login screen appears to be because the response header to the XHR request is sending a Location header with http instead of https:

Location: http://mautic.mysite.com/s/login

Which causes a mixed content error in the browser:

Mixed Content: The page at 'https://mautic.mysite.com/s/dashboard' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://mautic.mysite.com/s/login'. This request has been blocked; the content must be served over HTTPS.

Secondly, the cookie that appears to be responsible for maintaining the login is set to be a “session” cookie, so obviously expires when the browser thinks the “session” is over; ticking the “keep me logged in login” option doesn’t set any additional cookies.

Something has changed here, and we’re 100% sure it wasn’t doing this before, but I think the “going live” is just coincidence. Nothing at all with Mautic changed between testing and going live, all we did was add the Mautic tags to the live site.

Anyone got any ideas?

So I’ve managed to solve one of these two issues by adding the following to the virtual host in Apache on the Docker container:

	Header edit Location ^http://(.*)$ https://$1

This changes the Location from HTTP to HTTPS when it is sent back. This has resolved the issue of not being sent back to the login screen when you have been logged out, which at least gives a better user experience as they now know they have been logged out.
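
An added example, not part of the original posts or of Mautic's code: a small Python check that reads a raw response head and flags the two symptoms described in this thread, a `Location` that sends an HTTPS page to `http://` and a cookie with no `Expires`/`Max-Age` (a session cookie). The sample response and the cookie name `example_session` are constructed; `rewrite_location` mirrors the `Header edit` rule from the post.

```python
from http.cookies import SimpleCookie
from urllib.parse import urljoin, urlsplit

# Constructed sample: the kind of response the post describes, as seen by an
# XHR issued from the dashboard page. The cookie name is made up.
PAGE_URL = "https://mautic.mysite.com/s/dashboard"
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: http://mautic.mysite.com/s/login\r\n"
    "Set-Cookie: example_session=abc123; path=/; HttpOnly\r\n"
    "\r\n"
)

def parse_headers(raw):
    """Return (lowercased name, value) pairs from a raw response head."""
    headers = []
    for line in raw.split("\r\n")[1:]:  # skip the status line
        if not line:                    # blank line ends the head
            break
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers

def audit(page_url, raw):
    """Flag redirects that downgrade an HTTPS page, and session-only cookies."""
    findings = []
    page_is_https = urlsplit(page_url).scheme == "https"
    for name, value in parse_headers(raw):
        if name == "location":
            target = urljoin(page_url, value)  # resolves relative redirects
            if page_is_https and urlsplit(target).scheme == "http":
                findings.append(("downgrade-redirect", target))
        elif name == "set-cookie":
            cookie = SimpleCookie()
            cookie.load(value)
            for key, morsel in cookie.items():
                # No Expires and no Max-Age: dropped when the browser session ends
                if not morsel["expires"] and not morsel["max-age"]:
                    findings.append(("session-cookie", key))
    return findings

def rewrite_location(value):
    """Same effect as: Header edit Location ^http://(.*)$ https://$1"""
    return "https://" + value[len("http://"):] if value.startswith("http://") else value

if __name__ == "__main__":
    for finding in audit(PAGE_URL, SAMPLE_RESPONSE):
        print(finding)
```
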