Opened 6 years ago

Closed 6 years ago

Last modified 4 years ago

#1484299 closed Bugs (invalid)

[serious] Session invalid or expired

Reported by: seansan Owned by: fourat.zouari
Priority: 5 Milestone: 0.1-rc1
Component: Client Scripts Version: 0.1-beta
Severity: major Keywords: session invalid expired login
Cc: mdev@…

Description

I have seen this bug before and nobody was able to reproduce it - but I have a lot of users complaining about the "session invalid or expired" error.

There is something wrong in the methodology used for session verification + login. It seems that when a user is logging in (and has an expired session cookie from earlier that day), first the session is checked, and the login does not override this by removing the old cookies and setting new ones for the current session.

When I have time I can dig deeper into the code - but please don't close this issue, because it is indeed one that occurs (and disables the use of roundcube entirely).

Change History (9)

comment:1 Changed 6 years ago by seansan

  • Summary changed from Session invlaid or expired to [serious] Session invalid or expired

comment:2 Changed 6 years ago by seansan

This is the dump of the session DB (with no users online)

-- phpMyAdmin SQL Dump
-- version 2.6.4-pl3
-- http://www.phpmyadmin.net
-- 

-- --------------------------------------------------------

-- 
-- Table structure for table `session`
-- 

CREATE TABLE `session` (
  `sess_id` varchar(40) NOT NULL default '',
  `created` datetime NOT NULL default '0000-00-00 00:00:00',
  `changed` datetime NOT NULL default '0000-00-00 00:00:00',
  `ip` varchar(15) NOT NULL default '',
  `vars` text NOT NULL,
  PRIMARY KEY  (`sess_id`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1;

-- 
-- Dumping data for table `session`
-- 

INSERT INTO `session` VALUES ('cc0d15ce5b5cb85081fd0401e5adc8f7', '2007-03-20 17:03:36', '2007-03-20 17:03:36', '170.252.248.193', 'user_lang|s:5:"en_US";auth_time|i:1174406616;task|s:4:"mail";');
INSERT INTO `session` VALUES ('b76ad81275e8def5f1ff928dad275b59', '2007-03-20 14:22:10', '2007-03-20 14:22:10', '170.252.72.61', 'user_lang|s:5:"en_US";auth_time|i:1174396930;task|s:4:"mail";');
INSERT INTO `session` VALUES ('e80c6f85627380c0b1dac7a741f29996', '2007-03-20 17:08:06', '2007-03-20 17:08:06', '170.252.248.193', 'user_lang|s:5:"en_US";auth_time|i:1174406886;task|s:4:"mail";');
INSERT INTO `session` VALUES ('5af51ab4863299b234d91fe5f9b193be', '2007-03-20 17:08:26', '2007-03-20 17:49:59', '170.252.72.61', 'user_lang|s:5:"en_US";auth_time|i:1174409339;task|s:4:"mail";user_prefs|a:2:{s:16:"message_sort_col";s:4:"date";s:18:"message_sort_order";s:4:"DESC";}user_id|s:1:"1";imap_host|s:9:"localhost";imap_port|i:143;imap_ssl|N;username|s:4:"sean";password|s:12:"RQKAmyin0nE=";login_time|i:1174406911;mbox|s:5:"INBOX";sort_col|s:4:"date";sort_order|s:4:"DESC";last_auth|i:1174408982;');
INSERT INTO `session` VALUES ('1fb5b3edc9af30e34797b26e42649972', '2007-03-20 13:35:18', '2007-03-20 13:39:50', '77.160.13.11', 'user_lang|s:5:"en_US";auth_time|i:1174394118;task|s:4:"mail";user_prefs|a:2:{s:16:"message_sort_col";s:4:"date";s:18:"message_sort_order";s:4:"DESC";}user_id|s:1:"3";imap_host|s:9:"localhost";imap_port|i:143;imap_ssl|N;username|s:5:"janet";password|s:12:"m66UVo9Aj54=";login_time|i:1174394126;mbox|s:5:"INBOX";sort_col|s:4:"date";sort_order|s:4:"DESC";compose|a:1:{s:2:"id";s:23:"187992231845ffd563811e5";}');
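
The `vars` column above is PHP's session serialization: `name|value` pairs in `serialize()` notation, stored in the latin1 charset the table declares. The following is an added example, not part of the ticket and not RoundCube's code: a small parser for that format, run over two rows copied from the dump (one anonymous pre-login session, one logged-in session), with an audit function that reports what each row holds. The point worth noticing is that the logged-in row carries the IMAP `username` and `password` in the session store; the 12-character base64 `password` value decodes to exactly 8 bytes, one block of a DES-family cipher with no IV stored beside it, which is consistent with RoundCube encrypting the password under the site's configured `des_key`. Anyone who can read the session table and that key recovers the credential, so the table needs the same protection as the config file. The function names and the `SENSITIVE_KEYS` list are my own.

```python
import base64

# Two `vars` values copied from the dump in comment 2: an anonymous pre-login session
# and a logged-in session (constructed test input for this example only).
SAMPLE_ANON_VARS = 'user_lang|s:5:"en_US";auth_time|i:1174406616;task|s:4:"mail";'
SAMPLE_LOGGED_IN_VARS = (
    'user_lang|s:5:"en_US";auth_time|i:1174409339;task|s:4:"mail";'
    'user_prefs|a:2:{s:16:"message_sort_col";s:4:"date";s:18:"message_sort_order";s:4:"DESC";}'
    'user_id|s:1:"1";imap_host|s:9:"localhost";imap_port|i:143;imap_ssl|N;'
    'username|s:4:"sean";password|s:12:"RQKAmyin0nE=";login_time|i:1174406911;'
    'mbox|s:5:"INBOX";sort_col|s:4:"date";sort_order|s:4:"DESC";last_auth|i:1174408982;'
)

# Keys whose presence means the session store holds material worth protecting (my own list).
SENSITIVE_KEYS = ("username", "password", "imap_host")


def parse_php_value(text, pos):
    """Parse one serialize()-encoded value starting at text[pos]; return (value, position after it).
    PHP string lengths are byte counts; the table is latin1, so one character is one byte here."""
    tag = text[pos]
    if tag == "N":                          # N;
        return None, pos + 2
    if tag in "ibd":                        # i:123;  b:1;  d:1.5;
        end = text.index(";", pos)
        raw = text[pos + 2:end]
        value = {"i": int, "b": lambda v: v == "1", "d": float}[tag](raw)
        return value, end + 1
    if tag == "s":                          # s:5:"en_US";  (length-prefixed, so quotes/pipes inside are fine)
        colon = text.index(":", pos + 2)
        length = int(text[pos + 2:colon])
        start = colon + 2                   # skip the ':"'
        value = text[start:start + length]
        if text[start + length:start + length + 2] != '";':
            raise ValueError(f"bad string terminator at {start + length}")
        return value, start + length + 2
    if tag == "a":                          # a:2:{key;value;key;value;}  (no ';' after the '}')
        colon = text.index(":", pos + 2)
        count = int(text[pos + 2:colon])
        p = colon + 2                       # skip the ':{'
        items = {}
        for _ in range(count):
            key, p = parse_php_value(text, p)
            items[key], p = parse_php_value(text, p)
        if text[p] != "}":
            raise ValueError(f"bad array terminator at {p}")
        return items, p + 1
    raise ValueError(f"unsupported type tag {tag!r} at {pos}")


def parse_php_session(vars_text):
    """Split the session encoding  name|value name|value ...  into a dict."""
    session, pos = {}, 0
    while pos < len(vars_text):
        bar = vars_text.index("|", pos)
        name = vars_text[pos:bar]
        session[name], pos = parse_php_value(vars_text, bar + 1)
    return session


def audit_session(vars_text):
    """Summarise what a row reveals: whether it is authenticated, which credential keys it stores,
    and how long the password ciphertext is (8 bytes is one DES-family block, with no IV stored)."""
    sess = parse_php_session(vars_text)
    report = {
        "authenticated": "user_id" in sess,
        "task": sess.get("task"),
        "stored_credentials": [k for k in SENSITIVE_KEYS if k in sess],
        "ciphertext_bytes": None,
    }
    if "password" in sess:
        report["ciphertext_bytes"] = len(base64.b64decode(sess["password"]))
    return report


if __name__ == "__main__":
    for label, row in (("anonymous", SAMPLE_ANON_VARS), ("logged in", SAMPLE_LOGGED_IN_VARS)):
        print(label, audit_session(row))
```

Run against a real dump, `audit_session` over every row tells you how many live rows hold recoverable credentials, which is the number you care about before deciding who may read the session table or its backups.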


comment:3 Changed 6 years ago by crichardson

I have seen this issue before and the main cause that I have noticed is that those getting it are AOL users using the AOL web browser, which will give you that exact error message ... it is an issue with AOL browsers, as I have seen this happen with other applications we run and that browser... we tell them to use IE instead and it fixes the problem.

comment:4 Changed 6 years ago by fourat.zouari

  • Owner set to fourat.zouari
  • Status changed from new to assigned

Hello seansan,
Can you please provide the 'steps-to-reproduce' so I can debug with you.
Thanks

comment:5 Changed 6 years ago by thomasb

  • Resolution set to duplicate
  • Status changed from assigned to closed
  • Version changed from 0.1-rc1 to 0.1-beta

Duplicate of #1483951

comment:6 Changed 6 years ago by seansan

  • Resolution duplicate deleted
  • Status changed from closed to reopened

This is not a duplicate - because it does not happen when composing (of course it is related to session).

I have users who maybe have never accessed roundcube, or have done so, but they receive the intermittent error as described above.

I have cleared the session table, cleared local cookies - and still the error is present.

I don't know how to reproduce it - I actually traveled to the user (nearby) and tried debugging, but it is not working. I have the idea that it has something to do with a security setting - where cookies have a limited lifetime (and this is not detected by roundcube). I have also had situations where the sessid, but not the sessauth cookie, was present.

comment:7 Changed 6 years ago by thomasb

I've never heard of security settings that remove cookies before the browser quits... Probably an IP-check issue if your users use proxies or DHCP servers that change the client IP every few minutes. You can disable IP checks in RoundCube config.

I know this is serious but if I cannot reproduce it, it's impossible for me to fix it.

comment:8 Changed 6 years ago by seansan

  • Resolution set to invalid
  • Status changed from reopened to closed

comment:9 Changed 4 years ago by mdev

  • Cc mdev@… added

I just encountered this problem and the problem was that the database server did not have its timezone configured correctly. It was using GMT, while the webserver uses (correct) GMT-9. Adjusting the timezone on the database server and then restarting (in my case) postgresql fixed all.

The problem is worse if you're ahead of GMT (like the original poster is), because the "delete" cookie will be sent with a timestamp an hour in the future, so it does not expire.

The problem can be reproduced and debugged properly by adjusting database server timezone and setting your browser to prompt on cookies.

Maybe the timezone could be checked in the installer?
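
Comment 7 and comment 9 between them name the two checks that actually produce "session invalid or expired": the per-session IP match and the lifetime check, with comment 9 adding that the lifetime check only means anything if the timestamp the database wrote and the timestamp the web server compares against come from the same clock. The example below is mine, added here; it is not RoundCube's session code. It models a row's `changed` value and the web server's "now" as wall-clock readings from hosts with configurable UTC offsets, shows how a naive comparison either rejects live sessions (web host ahead of the DB host, the original poster's situation) or never reaps stale ones (web host behind), and then does the check on aware UTC values, with the IP check as a separate switchable step in the spirit of the `ip_check` config option thomasb refers to (the option name is from my knowledge of the RoundCube config, not from the ticket). It also builds the cookie-deleting `Set-Cookie` header the right way (`Expires` as an RFC 1123 GMT date well in the past) beside the mislabeled-local-time form that lands in the future on hosts ahead of GMT, and ends with the skew check mdev suggests for the installer. The 10-minute lifetime, the offsets and the second sample instant are constructed for the demonstration; the first instant is the `changed` value of one row in the dump, read as UTC.

```python
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime

# Assumed session lifetime for the demonstration (RoundCube's own setting is configurable; 10 min is not its default).
SESSION_LIFETIME = timedelta(minutes=10)

# Constructed sample instants: the `changed` value of one row in the dump above taken as UTC,
# a request 31 seconds later (a live session), and a request five hours later (a stale one).
SAMPLE_CHANGED_UTC = datetime(2007, 3, 20, 17, 49, 59, tzinfo=timezone.utc)
SAMPLE_NOW_UTC = SAMPLE_CHANGED_UTC + timedelta(seconds=31)
SAMPLE_STALE_UTC = SAMPLE_CHANGED_UTC + timedelta(hours=5)


def wall_clock(instant_utc, offset_hours):
    """What a host whose zone is UTC+offset_hours reads on its clock at this instant: a naive datetime
    with the zone information lost, which is exactly what a DATETIME column or PHP's date() hands back."""
    return (instant_utc + timedelta(hours=offset_hours)).replace(tzinfo=None)


def naive_lifetime_check(changed_utc, now_utc, db_offset_h, web_offset_h, lifetime=SESSION_LIFETIME):
    """The failure mode: `changed` was written by the database in its zone, the cutoff comes from the
    web server's clock in its zone, and the two naive values are subtracted as if they shared a clock."""
    db_changed = wall_clock(changed_utc, db_offset_h)
    web_now = wall_clock(now_utc, web_offset_h)
    return web_now - db_changed <= lifetime


def validate_session(row_ip, request_ip, changed_utc, now_utc, ip_check=True, lifetime=SESSION_LIFETIME):
    """Return None if the session is acceptable, else the reason it was rejected. Both timestamps are
    aware UTC, so the zone settings of the two hosts play no part. The IP check is what a client behind
    a rotating proxy or a changing DHCP lease trips over; ip_check=False is the workaround from comment 7."""
    if now_utc - changed_utc > lifetime:
        return "expired"
    if ip_check and row_ip != request_ip:
        return "ip mismatch"
    return None


def expire_cookie_header_mislabeled(name, now_utc, web_offset_h):
    """The bug from comment 9: the host's local clock reading is stamped 'GMT' without conversion.
    On a host ahead of GMT the resulting Expires lies in the future and the browser keeps the cookie."""
    local = wall_clock(now_utc, web_offset_h) - timedelta(seconds=1)
    return f"{name}=; Expires={local.strftime('%a, %d %b %Y %H:%M:%S')} GMT; Path=/"


def expire_cookie_header(name, now_utc):
    """Correct deletion: a real UTC instant formatted as an RFC 1123 GMT date a full day in the past,
    so ordinary clock skew between server and browser cannot push it into the future."""
    past = now_utc - timedelta(days=1)
    return f"{name}=; Expires={format_datetime(past, usegmt=True)}; Path=/; HttpOnly"


def cookie_deleted(set_cookie_header, browser_now_utc):
    """Would a browser whose clock reads browser_now_utc drop the cookie on receiving this header?"""
    expires = set_cookie_header.split("Expires=", 1)[1].split(";", 1)[0]
    return parsedate_to_datetime(expires) < browser_now_utc


def timezone_skew_seconds(db_now_naive, web_now_naive):
    """Installer check: the database's SELECT NOW() and the web server's own local time, read at the
    same moment, must agree to within seconds; a difference of whole hours means mismatched zones."""
    return abs((db_now_naive - web_now_naive).total_seconds())


if __name__ == "__main__":
    # Original poster: DB on GMT, web host one hour ahead -> a session used 31 s ago reads as expired.
    print("naive, web +1h:", naive_lifetime_check(SAMPLE_CHANGED_UTC, SAMPLE_NOW_UTC, 0, 1))
    # mdev: DB on GMT, web host nine hours behind -> a five-hour-old session never expires.
    print("naive, web -9h, stale:", naive_lifetime_check(SAMPLE_CHANGED_UTC, SAMPLE_STALE_UTC, 0, -9))
    print("utc, stale:", validate_session("170.252.72.61", "170.252.72.61", SAMPLE_CHANGED_UTC, SAMPLE_STALE_UTC))
    print(expire_cookie_header_mislabeled("sessauth", SAMPLE_NOW_UTC, 1))
    print(expire_cookie_header("sessauth", SAMPLE_NOW_UTC))
    print("skew:", timezone_skew_seconds(wall_clock(SAMPLE_NOW_UTC, 0), wall_clock(SAMPLE_NOW_UTC, -9)))
```

The practical takeaway is the one mdev reaches: store and compare session times as UTC epoch values (or make both hosts agree on a zone and verify it at install time), and never build an `Expires` date from a local clock reading without converting it.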
