Author Topic: Session Expired  (Read 29798 times)

Offline Heritz

  • Jr. Member
  • **
  • Posts: 58
Re: Session Expired
« Reply #15 on: September 07, 2006, 12:05:22 AM »
Do you have cookies enabled on your Firefox, man?
Heritz

Offline entropy

  • Newbie
  • *
  • Posts: 1
Re: Session Expired
« Reply #16 on: September 07, 2006, 08:13:32 AM »
I'm not much of a coder so I can't contribute much, but I did find something interesting when I was trying to track down this problem. I tried continuously monitoring the session created in the database and noticed that shortly before the user gets punted out of roundcube the session completely disappears from the database. So something like 30 seconds later the browser notices this and logs them out. As soon as they hit the login page a new session is created. What makes it even more maddening is that it seems to be sporadic on some users, consistent for others, and totally nonexistent for the rest. Thanks to all who are trying to fix this, it's really a pain but it's great that people are working at it. Does this help any?

[edit]For the record this happens in all browsers, with all cookies enabled, etc.[/edit]

Offline zuckerj

  • Newbie
  • *
  • Posts: 7
Re: Session Expired
« Reply #17 on: September 07, 2006, 05:44:19 PM »
FYI:

The timeout issue also happens to me while just viewing my inbox contents.

Jz.

Offline zuckerj

  • Newbie
  • *
  • Posts: 7
Re: Session Expired
« Reply #18 on: September 08, 2006, 02:43:14 PM »
Having a hard time figuring out what to modify in the code from reading this thread. I'm not a savvy programmer or anything, so I'm doing my best to understand the flow of this thread.

Is the behavior supposed to be that the browser will send keep alives every 1 minute resetting the counter for the session on the server? The session lifetime variable in the main.inc.php is set to something like 5 (or maybe 15) minutes so that if the browser is closed without logging out the session will expire on its own? Sounds reasonable, except, when composing an email is it possible to keep sending keep alives? I guess it is as it auto saves the post as we're typing.

If this is the case, has anyone determined what the fix is? I saw a fix mentioned, but then read someone saying that the fix changes the behavior away from the above.

The session expiring is a bit frustrating. If no one has an answer, I guess this hack of a programmer, ok, I'm not a programmer, just a hack, will try to trace through the code. But please, if you know of a fix, save me, and the RoundCube world from the results of my prodding.

Jz.

Offline Heritz

  • Jr. Member
  • **
  • Posts: 58
Re: Session Expired
« Reply #19 on: September 18, 2006, 09:40:11 AM »
Quote from: zuckerj
Having a hard time figuring out what to modify in the code from reading this thread. I'm not a savvy programmer or anything, so I'm doing my best to understand the flow of this thread.

Is the behavior supposed to be that the browser will send keep alives every 1 minute resetting the counter for the session on the server? The session lifetime variable in the main.inc.php is set to something like 5 (or maybe 15) minutes so that if the browser is closed without logging out the session will expire on its own? Sounds reasonable, except, when composing an email is it possible to keep sending keep alives? I guess it is as it auto saves the post as we're typing.

If this is the case, has anyone determined what the fix is? I saw a fix mentioned, but then read someone saying that the fix changes the behavior away from the above.

The session expiring is a bit frustrating. If no one has an answer, I guess this hack of a programmer, ok, I'm not a programmer, just a hack, will try to trace through the code. But please, if you know of a fix, save me, and the RoundCube world from the results of my prodding.

Jz.

Hi, yeah, well, I made a hack for this issue, and it actually works and you won't have any more issues with the session stuff. How does it work? Well, if you set 20 minutes in the config file, the session will expire exactly 20 minutes after you log in, which means that the script will never reset the expiration time.

It works great for me, it's just a minor fix so you can try it and let me know if it works for you. Have fun!
Heritz

Offline rtenalio

  • Newbie
  • *
  • Posts: 3
Re: Session Expired
« Reply #20 on: January 13, 2007, 12:57:20 AM »
Quote from: Heritz
Actually, I think there is a problem with the code related to session auth. Sometimes and from some computers I don't get logged out, but from work and other places I got logged out. I made a modification to 2 files and now I have no more LOGOUT problems, sessions still expiring at the right time and the security is the same. Here is what you need to modify:

index.php
find... (line 177 to 178)
Code: [Select]
if (!rcmail_authenticate_session() ||
  ($CONFIG['session_lifetime'] && isset($SESS_CHANGED) && $SESS_CHANGED + $CONFIG['session_lifetime']*60 < mktime()))

replace with...
Code: [Select]
if (!rcmail_authenticate_session() ||
  ($_SESSION['auth_time'] + $CONFIG['session_lifetime']*60 < mktime()))

program/include/main.inc
find... and delete it (line 174 to 179)
Code: [Select]
// renew auth cookie every 5 minutes (only for GET requests)
 if (!$valid || ($_SERVER['REQUEST_METHOD']!='POST' && $now-$_SESSION['auth_time'] > 300))
  {
  $_SESSION['auth_time'] = $now;
  setcookie('sessauth', rcmail_auth_hash(session_id(), $now));
  }

Try it and let me know. Regards!

I used the fix posted by Heritz earlier in this thread and it stopped the session from timing out and sending me back to the login page. I am wondering if now that this is fixed is there a way to stop it from saving an auto-draft while you are composing a long message. I tested the fix by staying in the same message until it did an auto-draft twice. Now after I finally complete composing the message I have two separate drafts of it. This is slightly annoying and I would rather it didn't save to the draft folder unless I tell it to.

A fix for this would be great but I can live with it if I really need to. I am not a programmer but I can follow great instructions like the fix posted by Heritz.

Thanks Heritz; have any ideas on the auto-draft question?

Offline Heritz

  • Jr. Member
  • **
  • Posts: 58
Re: Session Expired
« Reply #21 on: January 15, 2007, 09:31:40 AM »
Hello there,

Well, actually, I am not using this application anymore since I've noticed that it has many errors and problems at this time. I am waiting for the next major release to start using it again because I just can't afford all my clients reporting me errors and stuff.

I am sorry about not having any suggestion for you about the auto-draft thingy but I am pretty sure that someone in this forum will help you about it. Also, you can check the SVN repository to check if any SVN version has a fix for that issue.

Have a nice day! :)
Heritz

Offline Auctionhugh

  • Newbie
  • *
  • Posts: 1
Re: Session Expired
« Reply #22 on: February 05, 2007, 06:42:06 PM »
I have a user who is having this same problem.

They log in fine, but within 5 seconds they get a message that says "your session is invalid or expired." It then kicks them back out to the webmail login page.

However when I log in for them using the same username and password, it works fine with no logout.

Can someone please tell me if this issue has been resolved?

Offline polesoft

  • Newbie
  • *
  • Posts: 1
Re: Session Expired
« Reply #23 on: February 21, 2007, 06:29:03 PM »
It is not a great solution, but it seems to solve the problem.
I deactivated the auto draft save, changing the time in app.js (program/js) like this:

 this.env.draft_autosave = 30000000;  // seconds

The original value is 300 seconds.

Offline btcentral

  • Jr. Member
  • **
  • Posts: 26
Re: Session Expired
« Reply #24 on: March 14, 2007, 12:02:28 PM »
As I have no need for session expiration - I decided to come up with my own little "fix" for this issue - as I also encountered it.

This fix will stop the session from expiring automatically by stopping the function killing the session from being processed by the script.
It also disables the "keep alive" code provided, as I noticed that when this is processed too often it actually stops the feature working, at least on my server. Clicking "logout" still kills the session as it should do.

Note: make sure to click logout after finishing, otherwise you may encounter problems when using this!
This fixes this issue with roundcube on at least IE6 and Firefox v2.0.0.2


It requires editing two files, simply follow the instructions below.

Open program/js/app.js

goto line 285 and find:

Code: [Select]
 // start keep-alive interval
  this.start_keepalive();
  };


 // start interval for keep-alive/recent_check signal
 this.start_keepalive = function()
  {
  if (this.env.keep_alive && this.task=='mail' && this.gui_objects.messagelist)
   this._int = setInterval(this.ref+'.check_for_recent()', this.env.keep_alive * 1000);
  else if (this.env.keep_alive && this.task!='login')
   this._int = setInterval(this.ref+'.send_keep_alive()', this.env.keep_alive * 1000);
  }

replace with this:

Code: [Select]
 // start keep-alive interval
  //this.start_keepalive();
  //};


 // start interval for keep-alive/recent_check signal
 //this.start_keepalive = function()
 // {
 // if (this.env.keep_alive && this.task=='mail' && this.gui_objects.messagelist)
 //  this._int = setInterval(this.ref+'.check_for_recent()', this.env.keep_alive * 1000);
 // else if (this.env.keep_alive && this.task!='login')
 //  this._int = setInterval(this.ref+'.send_keep_alive()', this.env.keep_alive * 1000);
 // }

This will stop the keepalive/auto message checking functions. Although this may not be needed, I did so as I noticed sometimes it stopped checking for messages successfully if it was checking for messages via this function.

Open index.php

goto line 175 and find:

Code: [Select]
// check session and auth cookie
else if ($_action!='login' && $_SESSION['user_id'])
 {
 if (!rcmail_authenticate_session() ||
   ($CONFIG['session_lifetime'] && isset($SESS_CHANGED) && $SESS_CHANGED + $CONFIG['session_lifetime']*60 < mktime()))
  {
  $message = show_message('sessionerror', 'error');
  rcmail_kill_session();
  }
 }

replace with this:

Code: [Select]
// check session and auth cookie
else if ($_action!='login' && $_SESSION['user_id'])
 {
 if (!rcmail_authenticate_session() ||
   ($CONFIG['session_lifetime'] && isset($SESS_CHANGED) && $SESS_CHANGED + $CONFIG['session_lifetime']*60 < mktime()))
  {
  //$message = show_message('sessionerror', 'error');
  //rcmail_kill_session();
  }
 }

This stops roundcube killing the session, and displaying the session expiration message.

Hope this is useful to someone!
~Ben
http://www.btcentral.org.uk - Cheap, Top Quality Web-design.
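
The edits posted so far in this thread amount to three different expiry policies. The sketch below is an added example, not part of any post and not RoundCube code; it replays two constructed request timelines against each policy. The function names, the 20-minute lifetime and the assumption that every accepted request refreshes `$SESS_CHANGED` are illustrative.

```php
<?php
// Added example, not RoundCube code. Names below are hypothetical.
const LIFETIME_MIN = 20; // assumed $CONFIG['session_lifetime'] in minutes

// True when a request at $now must be rejected under $policy.
// $changed: last session write (the thread's $SESS_CHANGED)
// $authTime: login time ($_SESSION['auth_time'] with the renewal block deleted)
function session_expired(string $policy, int $now, int $changed, int $authTime): bool
{
    $limit = LIFETIME_MIN * 60;
    switch ($policy) {
        case 'idle':     // stock check: counted from last activity
            return $changed + $limit < $now;
        case 'absolute': // Heritz's edit: counted from login, never renewed
            return $authTime + $limit < $now;
        case 'disabled': // btcentral's edit: kill call commented out
            return false;
    }
    throw new InvalidArgumentException("unknown policy: $policy");
}

// Replays request times (seconds after login); returns the first rejected
// request time, or null when every request is accepted.
function first_rejected(string $policy, array $requestTimes): ?int
{
    $authTime = 0;
    $changed = 0;
    foreach ($requestTimes as $t) {
        if (session_expired($policy, $t, $changed, $authTime)) {
            return $t;
        }
        $changed = $t; // assumption: every accepted request rewrites the session
    }
    return null;
}

// Constructed timelines: a keep-alive every 60 s for 30 minutes, and a
// browser that goes silent after 2 minutes and returns 8 hours later.
$active = range(60, 1800, 60);
$abandoned = [60, 120, 8 * 3600];

foreach (['idle', 'absolute', 'disabled'] as $policy) {
    printf("%-8s active=%-5s abandoned=%s\n",
        $policy,
        var_export(first_rejected($policy, $active), true),
        var_export(first_rejected($policy, $abandoned), true));
}
```

Under the idle policy the keep-alive holds an open browser's session indefinitely; with the check disabled, only an explicit logout or the session garbage collector ends an abandoned session.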

Offline microUgly

  • Jr. Member
  • **
  • Posts: 15
Re: Session Expired
« Reply #25 on: April 03, 2007, 09:03:52 PM »
Thanks for the tip btcentral. Although I think your suggested commenting in app.js might cause errors because you commented out '};' which closes 'this.init = function()' starting on line 94.

I recommend only commenting out the line 'this.start_keepalive();'. You don't need to comment out the function when you comment out the only call to it.


Also, further to this issue, I looked in my error file and it's full of these errors:
Quote
[03-Mar-2007 21:37:10] PHP Warning: session_start() [function.session-start]: Cannot send session cookie - headers already sent in [...]/webmail/program/include/main.inc on line 89
[03-Mar-2007 21:37:10] PHP Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent in [...]/webmail/program/include/main.inc on line 89
[03-Mar-2007 21:37:10] PHP Warning: Cannot modify header information - headers already sent in [...]/microugly.com/webmail/program/include/main.inc on line 97
[03-Mar-2007 21:37:10] PHP Warning: Cannot modify header information - headers already sent in [...]/microugly.com/webmail/program/include/rcube_shared.inc on line 132

It seems that header information being sent early may be the overall cause of sessions not being set correctly. But I wouldn't know where to begin looking to find code that might be outputting information early. Are others seeing similar error messages?
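
One way to start looking for the early output described in the post above is to check each included file for bytes outside its PHP tags. This is an added example, not part of the original post or of RoundCube; the function name and the sample file contents are constructed, and the check is a heuristic that assumes full `<?php` tags.

```php
<?php
// Added example (not RoundCube code): report bytes a PHP file would emit
// before or after its code, which triggers "headers already sent".

function early_output_findings(string $source): array
{
    $findings = [];
    if (strncmp($source, "\xEF\xBB\xBF", 3) === 0) {
        $findings[] = 'UTF-8 BOM before the opening tag';
        $source = substr($source, 3);
    }
    $open = strpos($source, '<?php');
    if ($open === false) {
        $findings[] = 'no <?php tag: whole file is sent as output';
        return $findings;
    }
    if ($open > 0) {
        $findings[] = sprintf('%d byte(s) before <?php', $open);
    }
    $close = strrpos($source, '?>');
    if ($close !== false) {
        $tail = substr($source, $close + 2);
        // PHP swallows exactly one newline directly after "?>"
        $tail = preg_replace('/^\r?\n/', '', $tail, 1);
        if ($tail !== '') {
            $findings[] = sprintf('%d byte(s) after the last ?>', strlen($tail));
        }
    }
    return $findings;
}

// Constructed sample contents; file names are hypothetical.
$samples = [
    'clean.inc'    => "<?php\n\$a = 1;\n?>\n",
    'bom.inc'      => "\xEF\xBB\xBF<?php\n\$a = 1;\n",
    'leading.inc'  => "\n<?php\n\$a = 1;\n",
    'trailing.inc' => "<?php\n\$a = 1;\n?>\n\n ",
];
// Real files can be checked by passing their paths on the command line.
foreach (array_slice($argv ?? [], 1) as $path) {
    $src = @file_get_contents($path);
    if ($src !== false) {
        $samples[$path] = $src;
    }
}
foreach ($samples as $name => $src) {
    $found = early_output_findings($src);
    echo $name, ': ', $found ? implode('; ', $found) : 'ok', "\n";
}
```

A `?>` that appears inside a string or comment can produce a false positive, so treat each finding as a place to look rather than a confirmed cause.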

Offline Cutsie

  • Jr. Member
  • **
  • Posts: 21
Re: Session Expired
« Reply #26 on: April 12, 2007, 06:46:10 AM »
Ugh, I am still having errors with the thing telling me my session has expired! It only happened to me once or twice after I had thought I'd "fixed" it before with one of the solutions that was posted here (setting something to 0), but yesterday and today it happened to me several times, the last of which it didn't even save my draft even though the autodraft said it was saving it!

Do these entries in index.php have anything to do with this problem:

Code: [Select]
ini_set('session.gc_maxlifetime', 21600);

Code: [Select]
// increase maximum execution time for php scripts
// (does not work in safe mode)
@set_time_limit(120);

Code: [Select]
// not logged in -> set task to 'login'
if (empty($_SESSION['user_id']))
 {
 if ($REMOTE_REQUEST)
  {
  $message .= "setTimeout(\"location.href='\"+this.env.comm_path+\"'\", 2000);";
  rcube_remote_response($message);
  }

 $_task = 'login';
 }

Or how about these in /program/js/app.js:

Code: [Select]
// default environment vars
 this.env.keep_alive = 60;    // seconds
 this.env.request_timeout = 180; // seconds
 this.env.draft_autosave = 300;  // seconds

Code: [Select]
// start interval for keep-alive/recent_check signal
 this.start_keepalive = function()
  {
  if (this.env.keep_alive && this.task=='mail' && this.gui_objects.messagelist)
   this._int = setInterval(this.ref+'.check_for_recent()', this.env.keep_alive * 1000);
  else if (this.env.keep_alive && this.task!='login')
   this._int = setInterval(this.ref+'.send_keep_alive()', this.env.keep_alive * 1000);
  }

Code: [Select]
// use an image to send a keep-alive signal to the server
 this.send_keep_alive = function()
  {
  var d = new Date();
  this.http_request('keep-alive', '_t='+d.getTime());
  };

Code: [Select]
// send periodic request to check for recent messages
 this.check_for_recent = function()
  {
  if (this.busy)
   {
   this.send_keep_alive();
   return;
   }

  this.set_busy(true, 'checkingmail');
  var d = new Date();
  this.http_request('check-recent', '_t='+d.getTime());
  };

Or this in /program/include/session.inc:

Code: [Select]
// garbage collecting function
function sess_gc($maxlifetime)
 {
 global $DB;

 // get all expired sessions
 $sql_result = $DB->query("SELECT sess_id
              FROM ".get_table_name('session')."
              WHERE ".$DB->unixtimestamp('now()')."-".$DB->unixtimestamp('changed')." > ?",
              $maxlifetime);
                 
 $a_exp_sessions = array();
 while ($sql_arr = $DB->fetch_assoc($sql_result))
  $a_exp_sessions[] = $sql_arr['sess_id'];

 
 if (sizeof($a_exp_sessions))
  {
  // delete session cache records
  $DB->query("DELETE FROM ".get_table_name('cache')."
        WHERE session_id IN ('".join("','", $a_exp_sessions)."')");
       
  // delete session records
  $DB->query("DELETE FROM ".get_table_name('session')."
        WHERE sess_id IN ('".join("','", $a_exp_sessions)."')");
  }

 // remove session specific temp dirs
 foreach ($a_exp_sessions as $key)
  rcmail_clear_session_temp($key);

 // also run message cache GC
 rcmail_message_cache_gc();

 return TRUE;
 }



I just don't want to touch anything and mess anything up!  :P

Offline r@burlco.org

  • Newbie
  • *
  • Posts: 9
Re: Session Expired
« Reply #27 on: April 12, 2007, 11:10:44 AM »
Quote from: microUgly
It seems that header information being sent early may be the overall cause of sessions not being set correctly. But I wouldn't know where to begin looking to find code that might be outputting information early. Are others seeing similar error messages?

May be related to bug 1483926 http://trac.roundcube.net/trac.cgi/ticket/1483926 - I can't prove it (can't duplicate "Session Expired" on demand) but I have had neither the "Cannot modify header information" error nor the "Session Expired" message in the two weeks since applying the patch in that bug.

Offline Cutsie

  • Jr. Member
  • **
  • Posts: 21
Re: Session Expired
« Reply #28 on: April 12, 2007, 06:04:46 PM »
The only error messages I'm getting in my error log, if it helps anyone, are that it is saying it can't delete a message in Drafts (but I wasn't trying to delete one, so that's weird!). Nothing about headers, but I am getting logged out.


By the way, I have never been able to locate my cookie in my cookies folder when I'm logged in. I just tried it again and kept refreshing the cookies folder and there is no cookie showing for my RoundCube mail site.  ???

Offline atomic

  • Newbie
  • *
  • Posts: 2
Re: Session Expired
« Reply #29 on: January 03, 2008, 09:32:57 AM »
Session Expired BEFORE login.

  WARNING: PHP gives unexpected results when comparing two integers that differ by an amount greater than the largest positive integer, typically 2^31-1. A safer way to compare large integers is to cast them to floating-point numbers. The following example illustrates this point:

    $var1 = -2106036000; // 16/08/1902
    $var2 = 502808400;  // 24/08/1984

    // $result is assigned false
    $result = $var1 < $var2;

    // $result is assigned true as expected
    $result = (float) $var1 < (float) $var2;

  Even floating-point numbers can overflow. To manipulate numbers of arbitrary precision, the BCMath library should be considered.


/program/include/main.inc
line 236
if (!empty($CONFIG['session_lifetime']) && isset($SESS_CHANGED) && $SESS_CHANGED + $CONFIG['session_lifetime']*60 < time())

Change to

if (!empty($CONFIG['session_lifetime']) && isset($SESS_CHANGED) && (float)($SESS_CHANGED + $CONFIG['session_lifetime']*60) < (float)(time()))

Maybe there is such an error in the code in some other place?