Forced re-login after using DevTools

Silverstripe Version:

Hi,

When viewing a CMS page in stage mode, after using DevTools (to check responsiveness etc.) and then refreshing, you are forced to log in again. Pretty annoying for us as developers, but now we also have the question from a client of whether we can fix this.

It happens in both SS3 and SS4 and I am curious is this standard behavior as it should be or a bug?

What I think is happening here is that you are picking a device to emulate in Dev Tools (e.g. iPhone 8 / Pixel 2) and that is changing the user-agent in subsequent network requests. Silverstripe is noticing that the user-agent has changed and is saying “Oop - could be a hijacked session, better close this out”.

If an attacker knew the right user-agent to use with a given PHPSESSID cookie they could spoof this of course (just like you are doing when you use Dev Tools), but it’s good to have this protection in case they don’t.

If you don’t use device emulation (use ‘Responsive’ preset) I think you’ll find you stay logged in.


BTW you can also add your own presets to emulate device screen dimensions, but not spoof the user agent.

If this is a user agent problem, you could try disabling the user agent check on your dev environment.
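
Added example, not part of the thread: one way to turn off the user-agent check only in the dev environment on Silverstripe 4, using the `strict_user_agent_check` setting on `SilverStripe\Control\Session`. The file name and the `Name` value are assumptions; live and test environments keep the default check.

```yaml
# app/_config/session-dev.yml (file name is an assumption; any YAML file in a _config directory is loaded)
---
Name: dev-session-useragent
Only:
  environment: dev   # applies only when SS_ENVIRONMENT_TYPE is "dev"
---
SilverStripe\Control\Session:
  # Default is true: a request whose User-Agent differs from the one stored
  # in the session destroys that session, which forces a new login.
  # false keeps the session alive when DevTools device emulation swaps the UA.
  strict_user_agent_check: false
```

Flush the config cache (`?flush=1`) after adding the file so the change is picked up.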