Roundcube Community Forum


Session authentication failed

Started by sim, June 18, 2014, 12:25:06 PM


sim

Hello,

Hope somebody could shed some light.

It seems the session is not being kept alive when the user is on plugin pages. I can see ajax requests firing; they look the same as on the mail page.
Only the mail page seems to issue new roundcube_sessauth cookies from time to time.

Now I cannot figure out why the session is kept alive on the mail page, but not on the plugin pages.

Looking at the function check_auth():

$result = IP CHECK;
if ($result && $this->_mkcookie($this->now) != $this->cookie)


How can a just-made cookie hash be the same as one sent from the computer some time ago?

Running 1.0.1

Thank you.

sim

I have tried logging why this function fails:

Quote:
[18-Jun-2014 19:14:40 Europe/Helsinki] IP check was OK, _mkcookie: S454546b71d95a622e082b88d81f03c28a2dc3dad != Sb8218ee4b445c3bae3bef06e0f9add8fe9b98def
[18-Jun-2014 19:15:41 Europe/Helsinki] IP check was OK, _mkcookie: S31a853ef771d4f02b5c8be89b3dfb416e8f1892e != S454546b71d95a622e082b88d81f03c28a2dc3dad
[18-Jun-2014 19:16:41 Europe/Helsinki] IP check was OK, _mkcookie: Sb3fd67a0ae71f80afd4d542c15c8f771a6c276d1 != S31a853ef771d4f02b5c8be89b3dfb416e8f1892e
[18-Jun-2014 19:17:41 Europe/Helsinki] IP check was OK, _mkcookie: Sb0b9bf404c99c4e092abaae1c7d4b4b5766954a5 != Sb3fd67a0ae71f80afd4d542c15c8f771a6c276d1

The list goes on and on; the new cookie from _mkcookie is just not the same as the current one. Why is this happening?


sim

I understand this is an open source project, but come on, developers, any help would be appreciated!

Thanks!

sim

This must be a bug, the way the function is written:

    function check_auth()
    {
        $this->cookie = $_COOKIE[$this->cookiename];
        $result = $this->ip_check ? rcube_utils::remote_addr() == $this->ip : true;

        if (!$result) {
            $this->log("IP check failed for " . $this->key . "; expected " . $this->ip . "; got " . rcube_utils::remote_addr());
        }

        if ($result && $this->_mkcookie($this->now) != $this->cookie) {
            $this->log("Session auth check failed for " . $this->key . "; timeslot = " . date('Y-m-d H:i:s', $this->now));
            $result = false;
            // Check if using id from a previous time slot
            for ($i = 1; $i <= 2; $i++) {
                $prev = $this->now - ($this->lifetime / 2) * $i;
                if ($this->_mkcookie($prev) == $this->cookie) {
                    $this->log("Send new auth cookie for " . $this->key . ": " . $this->cookie);
                    $this->set_auth_cookie();
                    $result = true;
                }
            }
        }

        if (!$result) {
            $this->log("Session authentication failed for " . $this->key
                . "; invalid auth cookie sent; timeslot = " . date('Y-m-d H:i:s', $prev));
        }

        return $result;
    }


Quote:
    if ($result && $this->_mkcookie($this->now) != $this->cookie) {
The stored cookie will never be the same as the one just generated, thus the system will always generate errors:

Quote:
[2014-06-26 15:55:51]: Session auth check failed for 7cf1fac0a882ab5da8cf882ebda7ed41; timeslot = 2014-06-26 15:55:00
[2014-06-26 15:55:51]: Send new auth cookie for 7cf1fac0a882ab5da8cf882ebda7ed41: S8f0f0174c3c9aac327fa962baa1882d24467661c
[2014-06-26 16:25:01]: Session auth check failed for 7cf1fac0a882ab5da8cf882ebda7ed41; timeslot = 2014-06-26 16:25:00
[2014-06-26 16:25:01]: Session authentication failed for 7cf1fac0a882ab5da8cf882ebda7ed41; invalid auth cookie sent; timeslot = 2014-06-26 16:15:00
[2014-06-26 16:45:31]: Session auth check failed for dc3f10f6ea260dd1e71539af384e299a; timeslot = 2014-06-26 16:45:00
[2014-06-26 16:45:31]: Send new auth cookie for dc3f10f6ea260dd1e71539af384e299a: S2063e42228ee17774891201c18734edbe23a219e
[2014-06-26 16:50:04]: Session auth check failed for dc3f10f6ea260dd1e71539af384e299a; timeslot = 2014-06-26 16:50:00
[2014-06-26 16:50:04]: Send new auth cookie for dc3f10f6ea260dd1e71539af384e299a: S1cd940b2d88a6ef19cad01d2d253a01473f57564
[2014-06-26 16:55:51]: Session auth check failed for dc3f10f6ea260dd1e71539af384e299a; timeslot = 2014-06-26 16:55:00
[2014-06-26 16:55:51]: Send new auth cookie for dc3f10f6ea260dd1e71539af384e299a: S113a4835930dad89878890b4647253635a46820f
[2014-06-26 17:05:05]: Session auth check failed for a1ac234a161014e842f78d03b65b6ac9; timeslot = 2014-06-26 17:05:00
[2014-06-26 17:05:05]: Send new auth cookie for a1ac234a161014e842f78d03b65b6ac9: S95f1a61486ffc58b08ec434df1f5ad1b7c1a8646
[2014-06-26 17:10:19]: Session auth check failed for a1ac234a161014e842f78d03b65b6ac9; timeslot = 2014-06-26 17:10:00
[2014-06-26 17:10:19]: Send new auth cookie for a1ac234a161014e842f78d03b65b6ac9: Sc4e20c1cca5257444f6d7c31f536f0fbd16ac946
[2014-06-26 17:20:52]: Session auth check failed for fc4fc0e5620876110db2a1dfbb445286; timeslot = 2014-06-26 17:20:00
[2014-06-26 17:20:52]: Send new auth cookie for fc4fc0e5620876110db2a1dfbb445286: S94a5b1614ffc5fefb55b957da829156e7761bbcc
[2014-06-26 19:00:38]: Session auth check failed for e87e792db3efe4fc52dc43afebc899f8; timeslot = 2014-06-26 19:00:00
[2014-06-26 19:00:38]: Send new auth cookie for e87e792db3efe4fc52dc43afebc899f8: S0d280d67d5a05fcee1464fa0acf7f17362097fdb
[2014-06-26 19:05:40]: Session auth check failed for e87e792db3efe4fc52dc43afebc899f8; timeslot = 2014-06-26 19:05:00
[2014-06-26 19:05:40]: Send new auth cookie for e87e792db3efe4fc52dc43afebc899f8: S4436dafb5786818fc50fb08f23bb407538371873

And it will recover by sending a new auth cookie.

And if you are on some plugin page, it will not make calls to the MAIL page, so you'll never get new session cookies issued, and you miss the _mkcookie($prev) previous cookie, thus logging you out when you try to access mail:
Quote:
invalid auth cookie sent; timeslot = 2014-06-26 16:15:00

Crazy that nobody even cares to respond...
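To make the time-slot behaviour discussed in this thread concrete, here is a small model of the quoted check_auth() logic, added as an illustration (it is not Roundcube's code, and the key, secret, 10-minute lifetime and polling interval are constructed stand-ins chosen to match the 5-minute slots in the quoted log). It shows both points raised above: a cookie computed "just now" equals the one the browser sent as long as both fall in the same slot, and a client that never adopts the refreshed cookie drops out of the two-previous-slot window and gets "invalid auth cookie sent".

```python
import hashlib
from typing import List, Optional, Tuple

# Constructed model of the time-slot auth cookie used by the quoted check_auth();
# added here for illustration, not Roundcube's own code. "now" is rounded down
# to a slot of lifetime/2; the 5-minute slots in the log imply a 10-minute lifetime.
LIFETIME = 10 * 60
SLOT = LIFETIME // 2
SECRET, KEY = "constructed-secret", "constructed-session-key"  # stand-in values


def slot_of(ts: int) -> int:
    """Round a unix timestamp down to the start of its time slot."""
    return ts - ts % SLOT


def mkcookie(timeslot: int) -> str:
    """Like _mkcookie(): 'S' + sha1 over session key, secret and the slot start."""
    return "S" + hashlib.sha1(f"{KEY},{SECRET},{timeslot}".encode()).hexdigest()


def check_auth(cookie: str, now: int, log: List[str]) -> Tuple[bool, Optional[str]]:
    """Mirror the quoted check (IP check omitted). Returns (ok, refreshed_cookie)."""
    slot = slot_of(now)
    if mkcookie(slot) == cookie:            # same slot: the hashes are identical
        return True, None
    log.append(f"Session auth check failed; timeslot = {slot}")
    for i in (1, 2):                        # accept the two previous slots
        if mkcookie(slot - SLOT * i) == cookie:
            log.append("Send new auth cookie")
            return True, mkcookie(slot)     # what set_auth_cookie() would send
    log.append("Session authentication failed; invalid auth cookie sent")
    return False, None


def simulate(apply_refresh: bool, steps: int = 20, interval: int = 60):
    """Client polls every `interval` s; returns (still_logged_in, refreshes, log)."""
    t0 = slot_of(1_400_000_000)             # start exactly on a slot boundary
    cookie, refreshes, log = mkcookie(t0), 0, []
    for k in range(1, steps + 1):
        ok, fresh = check_auth(cookie, t0 + k * interval, log)
        if not ok:
            return False, refreshes, log
        if fresh and apply_refresh:         # browser honours the new Set-Cookie
            cookie, refreshes = fresh, refreshes + 1
    return True, refreshes, log
```

With `apply_refresh=True` the session survives indefinitely, being refreshed once per slot; with `apply_refresh=False` (the plugin-page situation described above) it fails at the third slot after the cookie was issued.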