processwire
ProcessWire Bug Report: Session Logout on Required Empty URL Fields
Bug summary by Claude.AI
ProcessWire Version: 3.0.251
PHP Version: 8.3
MySQL Version: 5.7
Issue Summary
When saving a page with a required URL field that is left empty, ProcessWire logs out the current user session instead of showing the validation error message. This occurs when using strict session fingerprinting (value 14).
Steps to Reproduce
- Set
$config->sessionFingerprint = 14;in config.php - Create a page template with a URL field set as "required"
- Edit a page using this template
- Leave the URL field empty
- Click "Save"
- Expected: Validation error "URL field is required"
- Actual: User is logged out and redirected to login page
Technical Details
Session Configuration:
$config->sessionFingerprint = 14; // Fingerprints IP + User Agent
$config->sessionChallenge = true;
$config->sessionName = 'wire';
Observed Behavior:
- Session ID changes between save action and redirect
- Example:
e1o1vpanjqavlfk71r88ijcnb2→v2t7c8hbiu3l6gubsl616kj9q2 - Only occurs with URL fields, not with other field types
- Only occurs when field is required AND empty
- Problem disappears when changing sessionFingerprint to 8
Environment
- 107 modules installed including:
- SessionHandlerDB 0.0.6
- FormSaveReminder 1.0.6
- ProCache 4.0.5
- FormBuilder 0.5.5
Solution
Change session fingerprinting to not include IP address:
// In /site/config.php
$config->sessionFingerprint = 8; // Only fingerprint User Agent, not IP
Root Cause Analysis
The validation process for required empty URL fields triggers a session regeneration. When combined with IP-based fingerprinting (values 2, 4, 10, 12, or 14), this causes session loss - possibly due to:
- Load balancer/proxy changing apparent IP during the request
- URL validation making external requests that alter the request context
- Security checks specific to URL fields interfering with session management
Recommendation
Either:
- Document that sessionFingerprint values including IP (10, 12, 14) may cause issues with form validation
- Fix the underlying issue where URL field validation triggers inappropriate session regeneration
- Default to sessionFingerprint = 8 for new installations (as suggested in GitHub issue #234)
Additional Notes
- Problem is specific to URL field type (
InputfieldURL) - Using sessionFingerprint = 8 (User Agent only) resolves the issue completely
- This aligns with the suggestion to disable sessionFingerprint by default due to dynamic IPs being very common
Reported by: Carl Erling (tbba)
Date: July 28, 2025
Related: [GitHub Issue #234](https://github.com/processwire/processwire-issues/issues/234)
@tbba I can't reproduce the issue here. If your IP address really is changing all the time, then that's correct that you'd want to disable or adjust the session fingerprint. But if it's only occurring when saving a blank required URL field, then I suspect that the issue is you are losing the session due to some output occurring before the cookie headers get sent, perhaps a PHP deprecation notice or something like that. You could check by watching the Network tab in your browser tools, clicking on the primary/original request, and look at the "response" tab. There might be something in there like PHP error/warning/notice, and that should point to the source of the issue.
Another thing to look at would be your session name "wire". If you've got multiple installations running on the same host name, you'll want to be sure to give them different session names, so they aren't all "wire" . Any access to one and then the other would cause you to automatically logout, unless they have different session names.
