Session invalid or expired #6617

Closed
tlacaelelrl opened this issue Feb 7, 2019 · 4 comments


tlacaelelrl commented Feb 7, 2019

I started receiving this error

"Session invalid or expired"

My setup is
Ubuntu 18.03
Roundcube Webmail 1.3.8
PHP: 7.2.10-0

I have a server that hosts two domains

mail.domain.com has no issues
mail.domain2.it has the issue

That means I can log in to any email account, whether from domain.com or domain2.it, if I use mail.domain.com to log in; when I do it from mail.domain2.it I am logged in, and a second later the error displays and I get logged out and sent back to the login form.

I tried:
username_domain, session_domain, session_name, session_auth_name
Each to have a different value depending on the domain that was used to open the webmail.

    $config['username_domain'] = $_SERVER['HTTP_HOST'];
    $config['session_domain'] = $_SERVER['HTTP_HOST'];
    $config['session_name'] = str_replace('.', '_', $_SERVER['HTTP_HOST']) . '_sessid';
    $config['session_auth_name'] = str_replace('.', '_', $_SERVER['HTTP_HOST']) . '_sessauth';

That did not help, I thought it was the session or the cookies, so I also emptied the sessions table.

I tried using the default template.

Disabled all plugins

The only thing that made it work was this

file: rcube_utils.php
line: 624
method: remote_addr

    public static function remote_addr()
    {
        // Check if any of the headers are set first to improve performance
        if (!empty($_SERVER['HTTP_X_FORWARDED_FOR']) || !empty($_SERVER['HTTP_X_REAL_IP'])) {
            $proxy_whitelist = rcube::get_instance()->config->get('proxy_whitelist', array());
            if (in_array($_SERVER['REMOTE_ADDR'], $proxy_whitelist)) {
                if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
                    foreach (array_reverse(explode(',', $_SERVER['HTTP_X_FORWARDED_FOR'])) as $forwarded_ip) {
                        if (!in_array($forwarded_ip, $proxy_whitelist)) {
                            return $forwarded_ip;
                        }
                    }
                }

                if (!empty($_SERVER['HTTP_X_REAL_IP'])) {
                    return $_SERVER['HTTP_X_REAL_IP'];
                }
            }
        }

        if (!empty($_SERVER['REMOTE_ADDR'])) {
            return $_SERVER['REMOTE_ADDR'];
        }

        return '';
    }

When I comment out

        /*if (!empty($_SERVER['REMOTE_ADDR'])) {
            return $_SERVER['REMOTE_ADDR'];
        }*/

All starts working.

Member

alecpl commented Feb 8, 2019

Looks like your http setup removes/changes remote IP address somehow. You may consider disabling ip_check in Roundcube config.


omatosan commented Feb 8, 2019 via email

Author

tlacaelelrl commented Feb 8, 2019

> Looks like your http setup removes/changes remote IP address somehow. You may consider disabling ip_check in Roundcube config.

I just figured out the issue.

All domains are hosted at cloudflare.
Main domain does not use cloudflare's proxy
All other domains do

So all domains are using cloudflare's IP except for the main domain, that is why it was working on the main domain but not the other one.

Thank you for your help.

A way to fix it with nginx (applies to cloudflare only): https://support.cloudflare.com/hc/en-us/articles/200170706-How-do-I-restore-original-visitor-IP-with-Nginx-

If not, for roundcube only, setting the proxy_whitelist variable, using the list of IP segments from this url https://www.cloudflare.com/ips/


fleebs commented Apr 15, 2021

I have a rough patch in, that I think fixes this issue.

    public static function remote_addr()
    {
        // Check if any of the headers are set first to improve performance
        if (!empty($_SERVER['HTTP_X_FORWARDED_FOR']) || !empty($_SERVER['HTTP_X_REAL_IP'])) {
            $proxy_whitelist = rcube::get_instance()->config->get('proxy_whitelist', array());
            if (in_array($_SERVER['REMOTE_ADDR'], $proxy_whitelist)) {
                if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
                    foreach (array_reverse(explode(',', $_SERVER['HTTP_X_FORWARDED_FOR'])) as $forwarded_ip) {
                        $forwarded_ip = trim($forwarded_ip);
                        if (!in_array($forwarded_ip, $proxy_whitelist)) {
                            return $forwarded_ip;
                        }
                    }
                }

                if (!empty($_SERVER['HTTP_X_REAL_IP'])) {
                    return $_SERVER['HTTP_X_REAL_IP'];
                }
            }
        }

        // add this part for cloudflare
        if (!empty($_SERVER['HTTP_CF_CONNECTING_IP'])) {
            return $_SERVER['HTTP_CF_CONNECTING_IP'];
        }

        if (!empty($_SERVER['REMOTE_ADDR'])) {
            return $_SERVER['REMOTE_ADDR'];
        }

        return '';
    }
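
Added example, not part of the thread or of Roundcube: one way to accept `CF-Connecting-IP` only when the connecting peer is inside a trusted proxy range, using CIDR matching because the `in_array()` comparison in `remote_addr()` above matches exact address strings only. The function names and the documentation-range addresses are assumptions; the real ranges would come from https://www.cloudflare.com/ips/.

```php
<?php
// Added example; names are hypothetical, not Roundcube's API.

// True if $ip lies inside $cidr ("a.b.c.d/n", "x::/n" or a bare address).
function ip_in_cidr(string $ip, string $cidr): bool
{
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, null);
    $ip_bin  = @inet_pton($ip);
    $net_bin = @inet_pton($net);
    if ($ip_bin === false || $net_bin === false || strlen($ip_bin) !== strlen($net_bin)) {
        return false; // unparsable, or IPv4 compared with IPv6
    }
    $max = strlen($ip_bin) * 8;
    if ($bits !== null && (!ctype_digit($bits) || (int) $bits > $max)) {
        return false; // malformed prefix length
    }
    $bits  = $bits === null ? $max : (int) $bits;
    $bytes = intdiv($bits, 8);
    if (substr($ip_bin, 0, $bytes) !== substr($net_bin, 0, $bytes)) {
        return false; // whole-byte part of the prefix differs
    }
    if ($bits % 8 === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $bits % 8)) & 0xFF; // remaining high bits of the next byte
    return (ord($ip_bin[$bytes]) & $mask) === (ord($net_bin[$bytes]) & $mask);
}

// Forwarding headers are honoured only when the TCP peer is a trusted proxy.
function client_ip(array $server, array $trusted_cidrs): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    $cf   = trim($server['HTTP_CF_CONNECTING_IP'] ?? '');
    foreach ($trusted_cidrs as $cidr) {
        if (ip_in_cidr($peer, $cidr) && filter_var($cf, FILTER_VALIDATE_IP)) {
            return $cf; // peer is the proxy and the header is a well-formed address
        }
    }
    return $peer; // direct client, or header missing/malformed
}

// Constructed sample data: documentation ranges stand in for the real proxy list.
$trusted = ['203.0.113.0/24', '2001:db8::/32'];
$direct  = ['REMOTE_ADDR' => '198.51.100.7', 'HTTP_CF_CONNECTING_IP' => '192.0.2.99'];
$proxied = ['REMOTE_ADDR' => '203.0.113.10', 'HTTP_CF_CONNECTING_IP' => '192.0.2.55'];
echo client_ip($direct, $trusted), "\n";  // header sent by a direct client is ignored
echo client_ip($proxied, $trusted), "\n"; // header accepted from the trusted range
```

With `ip_check` enabled the session is tied to the address this kind of function returns, so a header accepted from an untrusted peer lets the client choose that address.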
