Topic: Your session is invalid or expired

Offline angusm

  • Newbie
  • *
  • Posts: 2
Your session is invalid or expired
« on: October 03, 2010, 09:28:18 AM »
I've just installed Roundcube 0.4.1 under Apache/2.2.11, PHP 5.3.1, MySQL 5.1.30 on a CentOS box.

I'm getting a very high number of apparently spurious "your session is invalid or expired" messages. My first attempt to login, using Google Chrome on MacOS X, succeeded and then I received an immediate "invalid or expired" message. I was unable to login at all with Chrome, so I switched to Safari, which logged in successfully. I then tried again using Chrome, and was able to log in.

After about forty-five minutes (during which the session was never idle), however, Safari began to show "invalid or expired" messages, and I could not log in again. Clearing session records in the database and cookies in the browser did not seem to resolve the problem.

This pattern has continued. Sometimes I can log in successfully and use RoundCube until it kicks me out, sometimes I just get a string of "invalid or expired" messages as soon as I log in. After I get kicked out, I usually have to wait several minutes to several hours before I am able to log in successfully again. In general, Safari has a higher success rate than Chrome, but Chrome sometimes works.

(Incidentally, I've noticed in other contexts that Chrome can be a bit 'quick on the trigger': if I'm editing a web form, Chrome may occasionally send two POST requests: if it's doing anything similar here, it might be triggering a race condition in Roundcube's session checking).

Apache request logs don't show anything obviously revealing.

I tried setting

    $rcmail_config['session_lifetime'] = '';

as recommended in one thread related to an earlier version of RoundCube, but this doesn't seem to help.

I see that this problem has been discussed before in:

http://www.roundcubeforum.net/6-svn-releases/20-issues-bugs/472-your-session-invalid-expired.html

but there the issue is marked as resolved. Unfortunately, the link to the solution given by the poster is now broken, so it's unclear what the resolution was.

Any suggestions or advice would be gratefully received.

Offline SKaero

  • Administrator
  • Hero Member
  • *****
  • Posts: 5,879
    • SKaero - Custom Roundcube development
Your session is invalid or expired
« Reply #1 on: October 03, 2010, 12:58:02 PM »
Is there anything in your RoundCube error log?

Offline Javin007

  • Newbie
  • *
  • Posts: 3
Your session is invalid or expired
« Reply #2 on: October 04, 2010, 11:31:09 AM »
I have this exact same scenario, however it's not limited to Chrome, and it's not limited to one PC.  It's happening using Firefox, Internet Explorer, and Chrome on my work PC and my home PC.  There are times that I'm completely unable to access my mail altogether due to the error messages.  Rarely, the message will change from an "Invalid or Expired" message to a "Connection to IMAP Server Failed" message.

This started when I had 0.3.1 and seems to be considerably worse since the upgrade to 0.4.1.

I too have seen a number of posts where it was flagged as "resolved" but this definitely doesn't seem to be the case.  I will have to install a different mail system until this is fixed, as I currently cannot get into the system at all.

The ONLY thing in the error log is from back in January.  Strangely enough, this COULD have been around the time the problems started, or it could just be coincidence, so I'm including it here just in case:

[24-Jan-2010 13:37:55] PHP Warning:  PHP Startup: Unable to load dynamic library '/usr/local/lib/php/extensions/no-debug-non-zts-20060613/pdo_mysql.so' - libmysqlclient.so.15: cannot open shared object file: No such file or directory in Unknown on line 0

Offline alec

  • Hero Member
  • *****
  • Posts: 1,365
Your session is invalid or expired
« Reply #3 on: October 04, 2010, 12:07:27 PM »
If you say it's worse with 0.4.1, I say this must be related to some IMAP server limit for the number of simultaneous connections.

Offline Javin007

  • Newbie
  • *
  • Posts: 3
Your session is invalid or expired
« Reply #4 on: October 04, 2010, 02:00:05 PM »
Interestingly, I was mucking about with my server settings, and while my RoundCube e-mail was set as a sub-domain, I got these errors.  By adding a forwarder (which I didn't want to do as it doesn't obfuscate the path) the problem seems to have disappeared.  Oddly, though, one of my users says she can no longer see her E-Mails listed (though I can't exactly take her word for it.  She has a tendency to panic when her ancient computer runs slowly).  

Is there a possibility that roundcube is having trouble being a subdomain that it doesn't have when forwarded?  I noticed a similar error when using AtMail, so I suspect this is the cause.  Other systems such as AgentLogic don't have this issue, though.
« Last Edit: October 04, 2010, 02:07:50 PM by Javin007 »

Offline Javin007

  • Newbie
  • *
  • Posts: 3
Your session is invalid or expired
« Reply #5 on: October 07, 2010, 11:05:21 AM »
Nope, the "solution" was unrelated.  Apparently RoundCube was just having one of its "Good Days."  

The problem is still around in full force.  I've also noticed a significant number of posts online with other people mentioning this issue.

Offline lelandv

  • Newbie
  • *
  • Posts: 1
Your session is invalid or expired
« Reply #6 on: November 24, 2010, 08:22:06 AM »
We have exactly the same issue with rc0.4.2.

Random session invalid or expired messages for users while they are logged in.  In pretty much all cases, this is happening at the time of any IMAP activity.

The roundcube/logs/error logfile shows an IMAP authentication failure at the precise moment that the user is disconnected.

Example:

    [24-Nov-2010 12:34:36 +0100]: IMAP Error: Authentication for username failed (LOGIN):  in
                    /usr/share/roundcube/program/include/rcube_imap.php on line 143 (GET
                    /roundcube/?_task=mail&_action=preview&_uid=5&_mbox=INBOX&_framed=1)

The problem is that it is happening at random, sometimes a user can go for 20 minutes with no problem, other times they get this after only a couple of clicks after successfully logging in, but in every case the above error is generated in the log.  There are no corresponding authentication failures in the IMAP server logs at all, every connection is successfully authenticated.

I tried to debug a little further and exposed the IMAP connection error code contained in the generic imap connection object via line 144 of program/include/rcube_imap.php to be able to see the exact error number code returned.  The modification made is:

Code:

    'message' => $this->conn->error . " " . $this->conn->errornum), true, false);

Using this additional information, every time the user is randomly disconnected, the errornum of the generic imap connection object is always -1, which from rcube_imap_generic.php reveals to be either empty username or empty password.  (I suspect more likely empty username as there are no specific failures for the username in the IMAP server logs)

It seems to me that there is something somewhere that is causing RC to use a null username when making a new IMAP server, which returns -1, causing rcube to invalidate/expire the session.

We are unable to track down exactly WHY this is occurring.  

If anyone has any bright ideas, I'm all ears :)

Thanks in advance!

Leland

---- Updated ----

More strange but useful information.  Doing database debugging at the time of these session expiries reveals the following additional information:

Just before the invalid/expired session, there are a series of SQL queries for the session ID which oddly appear in this order.

Firstly, it deletes the session:

Code:

    [24-Nov-2010 17:16:03 +0100]: query(1): DELETE FROM session WHERE sess_id = 'a87a9e46155c5aed473161819de4d0cf';

Then it updates for the same session ID:

Code:

    [24-Nov-2010 17:16:03 +0100]: query(1): UPDATE session SET vars = 'language|s:5:\"fr_FR\";auth_time|i:1290615363;imap_root|s:0:\"\";imap_delimiter|s:1:\".\";user_id|s:4:\"4816\";
    (----REST OF VARS CLIPPED FOR BREVITY----)
    , changed = FROM_UNIXTIME(1290615363) WHERE sess_id = 'a87a9e46155c5aed473161819de4d0cf';

It then tries to retrieve the vars from the session id (which it had already deleted previously):

Code:

    [24-Nov-2010 17:16:05 +0100]: query(1): SELECT vars, ip, UNIX_TIMESTAMP(changed) AS changed FROM session WHERE sess_id = 'a87a9e46155c5aed473161819de4d0cf';
    [24-Nov-2010 17:16:05 +0100]: query(1): SELECT vars, ip, UNIX_TIMESTAMP(changed) AS changed FROM session WHERE sess_id = 'a87a9e46155c5aed473161819de4d0cf';


And then finally it attempts to INSERT with the same session ID:

Code:

    [24-Nov-2010 17:16:05 +0100]: query(1): INSERT INTO session (sess_id, vars, ip, created, changed) VALUES ('a87a9e46155c5aed473161819de4d0cf', 'auth_time|i: ---(SNIPPED FOR BREVITY)--- FROM_UNIXTIME(1290615365), FROM_UNIXTIME(1290615365));

Something seems a little bit out of sequence here, no?

This further supports my original theory in that the authentication failure in the roundcube error log is related to an empty userid or password, as it apparently is looking to obtain this information with the SELECT, which of course returns NULL as the record was previously deleted.  The question is.. why/what triggered the DELETE before the UPDATE.



L.
« Last Edit: November 24, 2010, 11:48:57 AM by lelandv »
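
The out-of-order sequence described in the post above (a DELETE for a session ID followed by UPDATE, SELECT and INSERT for the same ID) can be picked out of an SQL debug log mechanically. This is an added example, not part of the thread or of Roundcube's code; it assumes log lines in the format quoted above, and the function name, the second session ID, the shortened vars and the IP addresses are constructed for illustration.

```python
import re

# Constructed sample in the log format quoted in the post. The first session ID
# is the one from the post; the second session, the vars and the IPs are made up.
SAMPLE_LOG = r"""
[24-Nov-2010 17:16:03 +0100]: query(1): DELETE FROM session WHERE sess_id = 'a87a9e46155c5aed473161819de4d0cf';
[24-Nov-2010 17:16:03 +0100]: query(1): UPDATE session SET vars = 'language|s:5:\"fr_FR\";', changed = FROM_UNIXTIME(1290615363) WHERE sess_id = 'a87a9e46155c5aed473161819de4d0cf';
[24-Nov-2010 17:16:05 +0100]: query(1): SELECT vars, ip, UNIX_TIMESTAMP(changed) AS changed FROM session WHERE sess_id = 'a87a9e46155c5aed473161819de4d0cf';
[24-Nov-2010 17:16:05 +0100]: query(1): INSERT INTO session (sess_id, vars, ip, created, changed) VALUES ('a87a9e46155c5aed473161819de4d0cf', 'auth_time|i:1290615365;', '192.0.2.10', FROM_UNIXTIME(1290615365), FROM_UNIXTIME(1290615365));
[24-Nov-2010 17:20:00 +0100]: query(1): INSERT INTO session (sess_id, vars, ip, created, changed) VALUES ('constructedhealthysession0000001', '', '192.0.2.11', FROM_UNIXTIME(1290615600), FROM_UNIXTIME(1290615600));
[24-Nov-2010 17:20:01 +0100]: query(1): SELECT vars, ip, UNIX_TIMESTAMP(changed) AS changed FROM session WHERE sess_id = 'constructedhealthysession0000001';
[24-Nov-2010 17:25:00 +0100]: query(1): DELETE FROM session WHERE sess_id = 'constructedhealthysession0000001';
"""

LINE = re.compile(r"^\[(?P<ts>[^\]]+)\]: query\(\d+\): (?P<sql>.+)$")
# Only statements that target the session table are of interest.
OP = re.compile(r"^(DELETE FROM|UPDATE|INSERT INTO|SELECT\b.*?\bFROM) session\b", re.S)
# Anchored at the end so quotes inside the serialized vars cannot confuse it.
WHERE_ID = re.compile(r"WHERE sess_id = '([^']+)';?\s*$")
INSERT_ID = re.compile(r"VALUES \('([^']+)'")


def find_out_of_order(log_text):
    """Return (timestamp, session id, issue) for every query that touches a
    session row after a DELETE for the same session ID was logged."""
    deleted = set()   # session IDs whose row has been deleted and not re-created
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        op = OP.match(m.group("sql")) if m else None
        if not op:
            continue  # not a log line, or not a session-table query
        verb = op.group(1).split()[0]
        id_match = (INSERT_ID if verb == "INSERT" else WHERE_ID).search(m.group("sql"))
        if not id_match:
            continue
        sid = id_match.group(1)
        if verb == "DELETE":
            deleted.add(sid)
        elif sid in deleted:
            findings.append((m.group("ts"), sid, verb + " after DELETE"))
            if verb == "INSERT":
                deleted.discard(sid)  # the row exists again from here on
    return findings


if __name__ == "__main__":
    for ts, sid, issue in find_out_of_order(SAMPLE_LOG):
        print(ts, sid, issue)
```

A session that is created, read and then destroyed in the normal order produces no findings; only writes or reads that follow a DELETE for the same ID are reported.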

Offline rmoore

  • Newbie
  • *
  • Posts: 1
Upped session lifetime
« Reply #7 on: January 03, 2011, 02:48:14 PM »
We had the same issue after coming back from holiday - not sure if it had to do with the year rolling over or not, but it was definitely busted for everyone.

We turned on debugging and saw logins were authenticating, and in the imap log, it is immediately logging the user out - not sure if it is related or not, but it prompted me to try upping the session lifetime -

in main.inc.php :

Code:

    // Session lifetime in minutes
    // must be greater than 'keep_alive'/60
    $rcmail_config['session_lifetime'] = 10000;

(it was "10")

And immediately it started working for everyone.
Hope this helps.