#1484299 closed Bugs (invalid)
[serious] Session invalid or expired
| Reported by: | seansan | Owned by: | fourat.zouari |
|---|---|---|---|
| Priority: | 5 | Milestone: | 0.1-rc1 |
| Component: | Client Scripts | Version: | 0.1-beta |
| Severity: | major | Keywords: | session invalid expired login |
| Cc: | mdev@… |
Description
I have seen this bug before and nobody was able to reproduce it - but I have a lot of users complaining about the "session invalid or expired" error.
There is something wrong in the methodology used for session verification + login. It seems that when a user is logging in (and has an expired session cookie from earlier that day) - that first the session is checked and the login does not override this by removing the old cookies and setting new ones for the current session.
When I have time I can dig deeper into the code - but please don't close this issue, because it is indeed one that occurs (and disables the use of roundcube at all).
Change History (9)
comment:1 Changed 6 years ago by seansan
- Summary changed from Session invlaid or expired to [serious] Session invalid or expired
comment:2 Changed 6 years ago by seansan
comment:3 Changed 6 years ago by crichardson
I have seen this issue before and the main cause that I have noticed is that those getting it are AOL users and using the AOL web browser which will give you that exact error message ... it is an issue with AOL browsers as I have seen this happen with other applications we run and that browser... we tell them to use IE instead and it fixes the problem.
comment:4 Changed 6 years ago by fourat.zouari
- Owner set to fourat.zouari
- Status changed from new to assigned
Hello seansan,
Can you please provide the 'steps-to-reproduce' so I can debug with you?
Thanks
comment:5 Changed 6 years ago by thomasb
- Resolution set to duplicate
- Status changed from assigned to closed
- Version changed from 0.1-rc1 to 0.1-beta
Duplicate of #1483951
comment:6 Changed 6 years ago by seansan
- Resolution duplicate deleted
- Status changed from closed to reopened
This is not a duplicate - because it does not happen when composing (of course it is related to session).
I have users who maybe have never accessed roundcube, or have done so, but they receive the intermittent error as described above.
I have cleared the session table, cleared local cookies - and still the error is present.
I don't know how to reproduce - I actually traveled to the user (nearby) and tried debugging, but it is not working. I have the idea that it has something to do with a security setting - where cookies have limited lifetime (and this is not detected by roundcube). I have also had situations where the sessid, but not the sessauth cookie was present.
comment:7 Changed 6 years ago by thomasb
I've never heard of security settings that remove cookies before the browser quits... Probably an IP-check issue if your users use proxies or DHCP servers that change the client IP every few minutes. You can disable IP checks in RoundCube config.
I know this is serious but if I cannot reproduce it, it's impossible for me to fix it.
comment:8 Changed 6 years ago by seansan
- Resolution set to invalid
- Status changed from reopened to closed
comment:9 Changed 4 years ago by mdev
- Cc mdev@… added
I just encountered this problem and the problem was that the database server did not have its timezone configured correctly. It was using GMT, while the webserver uses (correct) GMT-9. Adjusting the timezone on the database server then restarting (in my case) postgresql, fixed all.
The problem is worse if you're ahead of GMT (like the original poster is), because the "delete" cookie will be sent with a timestamp an hour in the future, so it does not expire.
The problem can be reproduced and debugged properly by adjusting database server timezone and setting your browser to prompt on cookies.
Maybe the timezone could be checked in the installer?

This is the dump of the session DB (with no users online)
```sql
-- phpMyAdmin SQL Dump
-- version 2.6.4-pl3
-- http://www.phpmyadmin.net
--
-- --------------------------------------------------------
--
-- Table structure for table `session`
--
CREATE TABLE `session` (
  `sess_id` varchar(40) NOT NULL default '',
  `created` datetime NOT NULL default '0000-00-00 00:00:00',
  `changed` datetime NOT NULL default '0000-00-00 00:00:00',
  `ip` varchar(15) NOT NULL default '',
  `vars` text NOT NULL,
  PRIMARY KEY (`sess_id`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1;
--
-- Dumping data for table `session`
--
INSERT INTO `session` VALUES ('cc0d15ce5b5cb85081fd0401e5adc8f7', '2007-03-20 17:03:36', '2007-03-20 17:03:36', '170.252.248.193', 'user_lang|s:5:"en_US";auth_time|i:1174406616;task|s:4:"mail";');
INSERT INTO `session` VALUES ('b76ad81275e8def5f1ff928dad275b59', '2007-03-20 14:22:10', '2007-03-20 14:22:10', '170.252.72.61', 'user_lang|s:5:"en_US";auth_time|i:1174396930;task|s:4:"mail";');
INSERT INTO `session` VALUES ('e80c6f85627380c0b1dac7a741f29996', '2007-03-20 17:08:06', '2007-03-20 17:08:06', '170.252.248.193', 'user_lang|s:5:"en_US";auth_time|i:1174406886;task|s:4:"mail";');
INSERT INTO `session` VALUES ('5af51ab4863299b234d91fe5f9b193be', '2007-03-20 17:08:26', '2007-03-20 17:49:59', '170.252.72.61', 'user_lang|s:5:"en_US";auth_time|i:1174409339;task|s:4:"mail";user_prefs|a:2:{s:16:"message_sort_col";s:4:"date";s:18:"message_sort_order";s:4:"DESC";}user_id|s:1:"1";imap_host|s:9:"localhost";imap_port|i:143;imap_ssl|N;username|s:4:"sean";password|s:12:"RQKAmyin0nE=";login_time|i:1174406911;mbox|s:5:"INBOX";sort_col|s:4:"date";sort_order|s:4:"DESC";last_auth|i:1174408982;');
INSERT INTO `session` VALUES ('1fb5b3edc9af30e34797b26e42649972', '2007-03-20 13:35:18', '2007-03-20 13:39:50', '77.160.13.11', 'user_lang|s:5:"en_US";auth_time|i:1174394118;task|s:4:"mail";user_prefs|a:2:{s:16:"message_sort_col";s:4:"date";s:18:"message_sort_order";s:4:"DESC";}user_id|s:1:"3";imap_host|s:9:"localhost";imap_port|i:143;imap_ssl|N;username|s:5:"janet";password|s:12:"m66UVo9Aj54=";login_time|i:1174394126;mbox|s:5:"INBOX";sort_col|s:4:"date";sort_order|s:4:"DESC";compose|a:1:{s:2:"id";s:23:"187992231845ffd563811e5";}');
```
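
An added diagnostic for the timezone mismatch reported in comment:9 (example code, not part of the ticket or of Roundcube): it infers the database server's UTC offset from `changed`/`auth_time` pairs copied from the session dump above and compares it with the web server's offset. The function names, and the assumption that both fields are written within a few minutes of each other, belong to this example only.

```python
from datetime import datetime, timezone
from statistics import median

# (changed, auth_time) pairs copied from the session dump on this page.
# `changed` is the database server's wall clock; auth_time is the Unix
# epoch stored by the web application, so it carries no timezone.
DUMP_ROWS = [
    ("2007-03-20 17:03:36", 1174406616),
    ("2007-03-20 14:22:10", 1174396930),
    ("2007-03-20 17:08:06", 1174406886),
    ("2007-03-20 17:49:59", 1174409339),
    ("2007-03-20 13:39:50", 1174394118),
]


def db_utc_offset_seconds(changed: str, auth_time: int) -> int:
    """UTC offset of the DB wall clock implied by one row, to the nearest 15 min.

    Assumption: `changed` and auth_time were written within a few minutes
    of each other, so their difference is dominated by the timezone.
    """
    wall = datetime.strptime(changed, "%Y-%m-%d %H:%M:%S")
    as_if_utc = wall.replace(tzinfo=timezone.utc).timestamp()
    return 900 * round((as_if_utc - auth_time) / 900)


def check_timezones(rows, web_utc_offset_hours: float) -> dict:
    """Compare the DB offset inferred from session rows with the web server's."""
    # The median ignores a few rows whose two timestamps drifted apart.
    db_offset = median(db_utc_offset_seconds(c, a) for c, a in rows)
    skew = db_offset - web_utc_offset_hours * 3600
    return {
        "db_utc_offset_h": db_offset / 3600,
        "skew_h": skew / 3600,  # > 0: database clock ahead of the web server
        "consistent": skew == 0,
    }


if __name__ == "__main__":
    # Rows from the dump, checked against a web server assumed to be at UTC+1.
    print(check_timezones(DUMP_ROWS, web_utc_offset_hours=1))
    # Constructed row for comment:9's setup: database on GMT, web server on GMT-9.
    print(check_timezones([("2009-06-01 12:00:00", 1243857600)], web_utc_offset_hours=-9))
```
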