Session should not be destoryed with window close #7251
Comments
|
What's your point exactly? |
|
Anybody that has a session span of more than a few hours would prefer to not be auto logged out, simply from restarting phones, etc.! Lots of Email software are excellent about keeping users logged in. :--) |
|
My 1.2.7 install with the (melanie2_larry_mobile) skin is great at keeping me logged in with all the mobile browsers that I've tested! As long as the (melanie2_larry_mobile) skin keeps running, I plan to keep using that on the side, until more of the kinks are removed from the 1.4 versions, and the Elastic skin. Is the auto logging out when closing mobile browsers, a 1.4.* issue, or is it a Elastic skin issue? :--) |
|
I just noticed that closing the browser window ends a session, or it looks like that, because when you open it again you'll be "forced" to log in again. I don't think this is intentional. I agree that it used to work differently before. This need to be investigated. |
alecpl
changed the title
|
I did some investigation. I thought it might be related to 403d845, but if I comment out the added line the behavior is the same. So, maybe something has changed in PHP or browsers recently. I cannot find another change that would be related. Here's what I had to do to make it working as expected: --- a/program/lib/Roundcube/rcube.php
+++ b/program/lib/Roundcube/rcube.php
@@ -463,8 +463,7 @@ class rcube
ini_set('session.gc_maxlifetime', $lifetime * 2);
}
- // set session cookie lifetime so it never expires (#5961)
- ini_set('session.cookie_lifetime', 0);
+ ini_set('session.cookie_lifetime', $lifetime);
ini_set('session.cookie_secure', $is_secure);
ini_set('session.name', $sess_name ?: 'roundcube_sessid');
ini_set('session.use_cookies', 1);
diff --git a/program/lib/Roundcube/rcube_session.php b/program/lib/Roundcube/rcube_session.php
index 59522a9d7..e00a36c25 100644
--- a/program/lib/Roundcube/rcube_session.php
+++ b/program/lib/Roundcube/rcube_session.php
@@ -694,7 +694,7 @@ abstract class rcube_session
public function set_auth_cookie()
{
$this->cookie = $this->_mkcookie($this->now);
- rcube_utils::setcookie($this->cookiename, $this->cookie, 0);
+ rcube_utils::setcookie($this->cookiename, $this->cookie, time() + $this->lifetime);
$_COOKIE[$this->cookiename] = $this->cookie;
}
but I feel I might be missing something. @thomascube I need a second pair of eyes to look at this. |
|
Great progress! :--) |
|
Roundcube's session time is by default kept short in order to prevent session hijacking. While desktop browsers keep on sending keep-alive requests to keep the session alive on the server, this might not be the case for mobile browsers when the app is in the background. |
|
To make a long story short: I think the diff you pasted makes sense. If we compute a session lifetime on the server, we might as well send that as an expiration date with the cookie string. |
|
Patch applied. Fixed. |
|
I had to revert the commit, because it does not work. The session is not kept alive. It requires some more work. |
|
Interesting, I used a local patch for the last two years which is very similar to yours @alecpl and it works. I will open a pull request. PS: It was on my todo list to contribute that patch for two years as well. ;-) Today I finally looked into it and discovered that you have been working on it. |
|
Okay, a pull request will take a little bit longer. I think we have some historically grown confusion here. We have two different cookies.
In addition, we have the config variable roundcubemail/program/lib/Roundcube/rcube_session.php Lines 133 to 134 in 3e9aefc roundcubemail/program/lib/Roundcube/rcube_session.php Lines 593 to 600 in 3e9aefc roundcubemail/program/lib/Roundcube/rcube_session.php Lines 668 to 681 in 3e9aefc Another line of security the setting how long PHP keeps sessions for. We tell PHP to remove all sessions older than twice the session lifetime. But there may be cases when PHP doesn't accept a configuration here. Or, for whatever reason, the garbage collector isn't run and sessions aren't cleared up. Proposed changes
@alecpl I don't know why your patch didn't work. Can you tell what went wrong? What did you observe? If you agree, I will create a pull request with the above changes. |
|
If we set expiration time on the cookie we have to refresh the cookie (push the expiration time) on keep-alive request. It looked to me that it didn't happen. I didn't have time to investigate yet. |
|
Roundcube doesn't send a new cookie on every request. If the current timeslot matches then it leaves the cookie as is because it wouldn't change. A timeslot is half the session lifetime long. So by default, a timeslot is five minutes and you need to wait five minutes to get a new cookie. |
|
I found two more issues:
|
|
The more I think about it, I'm wondering if we need two configuration variables. It would be nice to keep the current behaviour for backwards compatibility. But it would also be nice to allow for browser restarts and have an actual expiry for cookies. Current logic
Expiry of the session cookieSome people leave their browser open for months. It would be nice to force a log in after a while. Setting PHP's Expiry of inactive sessionsThe current authentication logic kicks people out when they have been inactive for longer than |
|
I tested Roundcube 1.3 and 1.2 and the behavior is the same. So, I was wrong that it is a regression. Not a bug, but feature request. |
|
When I used RoundCubePlus.com Skins, and when using the (melanie2_larry_mobile), I don't recall being logged out if I closed a window, Etc. I still use (melanie2_larry_mobile) with one of my sites, and I'm almost always logged in. :--) |
|
Is this Resolved yet? I see that 1.4.5 Just was released. :-) |
|
No, this was not resolved. It's relatively easy to give session cookies an expiry date. In that case they persist browser restarts but then they can disappear at an inconvenient time in the middle of a session when the expiry date is reached. To solve this properly, we need to rewrite the way session cookies are set and renew them regularly like the auth cookie. As a workaround, you can set a cookie expiration date in a hundred years. But that would open up an attack vector where someone gains access to an old hard drive or a backup, extracts the cookies and uses them for to take over the session. It's very unlikely but we should make email as secure as possible. |
|
One of the phone browsers that I use is keeping me logged in, even when I change internet connections, and turn my phone off, and back on. So, I should be okay with waiting. 😎 |
|
@HighlyFavoredBA: Like @exi, I would like news about this PR, thanks in advance. |
|
A year later and I'm still manually patching this into my docker containers to not be auto-logged out all the time :/ |
|
FYI, as I mentioned in #9325, we had a cyber insurance policy quote denied, in part because their vulnerability scan flagged the non-expiring cookie as a risk. They also feature "Business Email Compromise (BEC)" as a large risk for Funds Transfer Fraud (FTF) on the front page of their advertising. Their TOP recommendation to reduce cost and risk is MFA. So I guess I would want to understand, is how does cookie based (possibly infinite) session relate to MFA -or- password based email security? |
|
@edgecase14 Making it configurable and setting the default to a limited lifetime but keeping infinite lifetime an option would make everyone happy. |
With Version 1.4.0, and Elastic, I noticed that Firefox, and most phone browsers log me out of Email when I close, and re open the browsers, if I restart my phone, etc., and that was also happening on my last phone that I recently had.
In a dated R C version install that I have, the (melanie2_larry_mobile) skin has been great about keeping me logged in! :--)
I prefer 7200 minutes of no activity.
// Session lifetime in minutes
$config['session_lifetime'] = 7200;
The text was updated successfully, but these errors were encountered: