Concrete on Kubernetes cluster auth issue

Concrete: 9.2.2
PHP: 8.2.1

We’ve got our site out and deployed on a Kubernetes cluster behind an application load balancer. The site all works fine for the most part. The main issue we’re having is with site access and auth being very sporadic.

  • Sometimes you can log in fine; other times you get a ‘User is not registered. Check your authentication controller.’ error. A refresh or 2 later you’re able to log in fine (using copy paste for username/password).
  • After authenticating, sometimes the admin bar will show and sometimes it won’t. If it does show, after navigating to another page it will disappear. Sometimes you can get it back after refreshing a few times or going back to /login for it to tell you you’re already logged in.
  • When trying to edit a block sometimes you get to edit it, sometimes you get a permissions issue
  • The oddities go on a bit more but all in all it is a major frustration when trying to edit content

We’ve already set some settings regarding the session that allow us to log in at all (prior to that you could not log in).

Are there any other config options we should review in order to get this stable?

    'security' => [
        'trusted_proxies' => [
            'headers' => 31,
            'ips' => [
            ],
        ],
        'session' => [
            'invalidate_on_ip_mismatch' => false,
            'invalidate_on_user_agent_mismatch' => false,
            'invalidate_inactive_users' => [
                'enabled' => false,
            ],
        ],
    ],

Thanks in advance.

How are you handling sessions?
You probably need to use Redis to store the session.

Also, disabling invalidate_on_ip_mismatch and invalidate_on_user_agent_mismatch is not best practice.

If you know the CIDR range of the load balancer, you should set the CIDR as trusted_proxy instead of disabling invalidate_on_ip_mismatch.
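
The difference between the two approaches in the reply above can be modelled in a few lines. This is an added example, not part of the original thread and not Concrete's own code; the function names, the `10.0.0.0/16` range and the sample requests are constructed assumptions.

```python
import ipaddress

def client_ip(remote_addr, xff, trusted_cidrs):
    """Resolve the client IP as a proxy-aware framework typically does:
    honour X-Forwarded-For only when the TCP peer is a trusted proxy,
    then walk the header right to left past trusted hops."""
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    def trusted(addr):
        return any(addr in n for n in nets)
    if not trusted(ipaddress.ip_address(remote_addr)):
        return remote_addr              # header ignored, peer is not trusted
    resolved = remote_addr
    for hop in reversed([h.strip() for h in xff.split(",") if h.strip()]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break                       # malformed entry: stop trusting the header
        resolved = hop
        if not trusted(addr):
            break                       # first untrusted hop is the client
    return resolved

def session_survives(requests, trusted_cidrs):
    """Model of an IP-mismatch check: the session is bound to the first
    resolved IP and is invalidated if a later request resolves differently."""
    seen = [client_ip(r["remote_addr"], r["xff"], trusted_cidrs) for r in requests]
    return all(ip == seen[0] for ip in seen), seen

# Constructed sample: one browser (203.0.113.7) whose requests reach the
# pods through two different load balancer nodes.
REQUESTS = [
    {"remote_addr": "10.0.1.15", "xff": "203.0.113.7"},
    {"remote_addr": "10.0.2.44", "xff": "203.0.113.7"},
    {"remote_addr": "10.0.1.15", "xff": "203.0.113.7"},
]
LB_CIDR = ["10.0.0.0/16"]               # placeholder for the real LB subnet range

if __name__ == "__main__":
    print("empty trusted list:", session_survives(REQUESTS, []))
    print("LB CIDR trusted:   ", session_survives(REQUESTS, LB_CIDR))
```

With an empty trusted list the application sees the load balancer node addresses, so the IP check fails as soon as a request arrives through a different node; with the CIDR trusted it sees the same client address every time and the check can stay enabled.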

Thanks for the reply. The dev assured me that they were using the database for sessions. However, after a bit of digging I found out it was not. I believe that was the issue and things appear a bit more stable now from what I can tell.


I’ll review and do some more testing now that we’ve resolved the session issue above, but from the initial testing we were still having issues with sessions with those enabled.
