Support

I still think it's a session issue. When you are working on a page there is no communication to the server. If it takes you longer than the session expiration time you have configured in your Global Configuration to make the next server communication (AJAX or visiting another page) your session expires. Since you're trying to access a page without the Secret URL Parameter you get locked out. Remember that the session expiration is performed by Joomla itself, not Admin Tools. We cannot modify core code and we cannot interfere in the way Joomla handles its session. It'd be considered a core hack and would get all of our software removed from the Joomla Extensions Directory.

The solution as I've been saying for the past ten years is to increase your session expiration time to something longer than it usually takes you to work on a page. The default Joomla session timeout of 15' is too short to be practical. Try an hour or an hour or more.

Further to that, have you enabled the session cleaner feature in the System - Admin Tools plugin? If so, your session may expire when this runs. Disable this feature. This feature is a bandaid to help with some servers which crash the Joomla sessions table every so often since it grows really big really fast.

Also, I have long said that the Secret URL Parameter is not a good way to maintain security of your site's administrator. The best way is using the Administrator directory password protection feature since the security check in this case takes place very early in the request handling by the web server instead of having to load Joomla, boot up its extensions, connect to the database etc. Further to that, use Two Factor Authentication, either the built-in Joomla one or Akeeba LoginGuard (the latter is what I had wanted to contribute to Joomla but was rejected because of bullshit backwards compatibility arguments – Akeeba LoginGuard proves that it's not only feasible, it doesn't even affect backwards compatibility).

Regarding the comment about being beginner friendly, please note that we have long implemented the Rescue URL feature. You don't have to use FTP and rename files. You just need to visit the URL shown to you with your Super User email address and click on the link that's emailed to you to temporarily disable Admin Tools' protections against your IP address.

To be very and perfectly clear: Admin Tools' Secret URL Parameter uses Joomla's session to store a flag, a special value that means "all clear, this session has passed the Secret URL Parameter test". If Joomla expires or resets the session for any reason then the flag disappears. For all Admin Tools knows you have not gone through the Secret URL Parameter validation, therefore it needs to block you.

As a result, your problem is with Joomla, not Admin Tools. Even if you disable the Secret URL Parameter you will still be getting logged out of your site's backend. The question is why it's happening.

The only way Admin Tools can contribute to the problem is if the “Enable Session Cleaner” option is set to Yes in the System - Admin Tools plugin. Can you please check that? If it's enabled please set it to No. Joomla has an inconsistent API in its session handlers. Asking it to garbage collect the sessions ends up in many cases booting everyone out of the site. Again, that's a Joomla problem, not an Admin Tools problem.

If that's not the case, Joomla 3 has the CLI tool garbagecron.php. If you have created a CRON job for it among the other things it will do is run the same core Joomla API code as our Session Cleaner. As I said, this may end up booting everyone from the site.

Speaking of Joomla and session handlers, the database session handler obviously uses the Joomla database to store session information. It has two limitations. One, the maximum size of session data it can handle and two, it still requires the PHP session system to work properly.

The former means that if the session data exceeds a certain amount it gets corrupt and the session is effectively expired immediately. This may happen when a plugin, module or component tries to store too much data in the session. Editing really long pieces of information like really big articles may inadvertently trigger that issue.

The latter also affects the "native" session handler. PHP stores its session IDs in files on the server. If something on the server itself is periodically going through that folder, deleting the files, it might end up killing your sessions. This is important especially on servers which have an unwritable session path and you had to reconfigure it in your .user.ini, php.ini or .htaccess file. If you use Joomla's tmp folder, a very common and understandable mistake, you will end up in a situation where whenever your host, you or a plugin cleans the Joomla cache it immediately boots everyone out of your site.

Furthermore, Joomla has a workaround for a session exploit in the core. It is possible to send a request which tries to add certain kind of data in the session (like null bytes) which will trigger this protection. When the protection is triggered the session is immediately terminated, logging you out.

Finally, there's a very ill-though feature that's a massive problem for security AND causes this kind of inexplicable logouts: shared sessions. When you do that, Joomla tries to link the frontend and backend sessions. The problem is that we're still talking about two separate web applications with separate sessions which try to figure out which session tells the truth. I know of many ways this can get wonky and end up logging you out accidentally or end up blocking you inadvertently. None of these have anything to do with our code, they only have to do with core Joomla code. If you value your sanity and the security of your site DO NOT use shared sessions.