ProcessWire Bug Report: Session Logout on Required Empty URL Fields

[tbba]

Bug summary by Claude.AI

ProcessWire Version: 3.0.251
PHP Version: 8.3
MySQL Version: 5.7

Issue Summary

When saving a page with a required URL field that is left empty, ProcessWire logs out the current user session instead of showing the validation error message. This occurs when using strict session fingerprinting (value 14).

Steps to Reproduce

1. Set $config->sessionFingerprint = 14; in config.php
2. Create a page template with a URL field set as "required"
3. Edit a page using this template
4. Leave the URL field empty
5. Click "Save"
6. Expected: Validation error "URL field is required"
7. Actual: User is logged out and redirected to login page

Technical Details

Session Configuration:

$config->sessionFingerprint = 14; // Fingerprints IP + User Agent
$config->sessionChallenge = true;
$config->sessionName = 'wire';

Observed Behavior:

• Session ID changes between save action and redirect
• Example: e1o1vpanjqavlfk71r88ijcnb2 → v2t7c8hbiu3l6gubsl616kj9q2
• Only occurs with URL fields, not with other field types
• Only occurs when field is required AND empty
• Problem disappears when changing sessionFingerprint to 8

Environment

• 107 modules installed including:
  • SessionHandlerDB 0.0.6
  • FormSaveReminder 1.0.6
  • ProCache 4.0.5
  • FormBuilder 0.5.5

Solution

Change session fingerprinting to not include IP address:

// In /site/config.php
$config->sessionFingerprint = 8; // Only fingerprint User Agent, not IP

Root Cause Analysis

The validation process for required empty URL fields triggers a session regeneration. When combined with IP-based fingerprinting (values 2, 4, 10, 12, or 14), this causes session loss - possibly due to:

• Load balancer/proxy changing apparent IP during the request
• URL validation making external requests that alter the request context
• Security checks specific to URL fields interfering with session management

Recommendation

Either:

1. Document that sessionFingerprint values including IP (10, 12, 14) may cause issues with form validation
2. Fix the underlying issue where URL field validation triggers inappropriate session regeneration
3. Default to sessionFingerprint = 8 for new installations (as suggested in GitHub issue Disable sessionFingerprint by default #234)

Additional Notes

• Problem is specific to URL field type (InputfieldURL)
• Using sessionFingerprint = 8 (User Agent only) resolves the issue completely
• This aligns with the suggestion to disable sessionFingerprint by default due to dynamic IPs being very common

---

Reported by: Carl Erling (tbba)
Date: July 28, 2025
Related: [GitHub Issue #234](#234)