Session expires on logon form #8194

Open
izbushka opened this issue Sep 1, 2021 · 7 comments
Comments

@izbushka

izbushka commented Sep 1, 2021

I'm getting the rcmail::ERROR_INVALID_REQUEST (localized) message on the login screen after entering the correct user name and password for the first time after session expiration. The second attempt is fine.
POST request returns 401:

Request URL: https://***.ua/
Request Method: POST
Status Code: 401 
Remote Address: ***:443
Referrer Policy: strict-origin-when-cross-origin

Response Headers

cache-control: private, no-cache, no-store, must-revalidate, post-check=0, pre-check=0
content-language: en
content-type: text/html; charset=UTF-8
date: Wed, 01 Sep 2021 04:26:05 GMT
expires: Wed, 01 Sep 2021 04:26:05 GMT
last-modified: Wed, 01 Sep 2021 04:26:05 GMT
pragma: no-cache
server: nginx
set-cookie: roundcube_sessauth=-del-; expires=Wed, 01-Sep-2021 04:25:05 GMT; Max-Age=0; path=/; secure; HttpOnly
x-frame-options: sameorigin
x-powered-by: PHP/7.4.19

Request Headers

:authority: ***.ua
:method: POST
:path: /
:scheme: https
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
accept-encoding: gzip, deflate, br
accept-language: en,uk-UA;q=0.9,uk;q=0.8,ru;q=0.7,en-US;q=0.6
cache-control: no-cache
content-length: 180
content-type: application/x-www-form-urlencoded
cookie: language=en_GB; __utmc=43267453; __utmz=43267453.1620618382.4.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=prghc24s5rvs6188ovrtjl78nl; __utma=43267453.1670554277.1593676583.1625031208.1629032275.8; roundcube_sessid=***31dkaadrcnb0t
origin: https://***.ua
pragma: no-cache
referer: https://***.ua/?_task=login&_err=session
sec-ch-ua: " Not;A Brand";v="99", "Google Chrome";v="91", "Chromium";v="91"
sec-ch-ua-mobile: ?0
sec-fetch-dest: document
sec-fetch-mode: navigate
sec-fetch-site: same-origin
sec-fetch-user: ?1
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.164 Safari/537.36

Form Data

_token: ***RsgMan4kqWkyHLV3Thoj
_task: login
_action: login
_timezone: Europe/Kiev
_url: _task=login&_err=session
_user: ***@***.ua
_pass: ***
_ifpl: 1

RoundCube Version: latest (but it has been happening for at least a year on different versions)
PHP: 7.4.19
Web Server: nginx + php-fpm
OS: linux

@alecpl
Member

alecpl commented Sep 1, 2021

I'm not sure I understand the exact scenario. Session should not just expire. The logon form itself has its own session, so if that expired then indeed you'll have to logon twice, but I'm not sure this is what you're talking about here. Are you talking about the case when the session expires because the user didn't have an internet connection for a while, or are you using some modifications that expire the session depending on the session time?

@izbushka
Author

izbushka commented Sep 1, 2021

Yes, it is the case when the user didn't have an internet connection for a while (the operating system has been suspended).

@alecpl
Member

alecpl commented Sep 1, 2021

Then it might be two cases:

  1. User is disconnected so long that the logon form session expired - known issue
  2. User tries to logon immediately after he's presented with the logon screen - a new issue

I guess it's the former, but confirm, please.

@izbushka
Author

izbushka commented Sep 1, 2021

I can't say exactly what happens.
What it looks like is: I activate the RoundCube tab in a browser and it is already at a login screen (I don't know for how long). Then the first login attempt fails.

It could be issue 1.
Are there any workarounds for now? (Auto-refresh the login page via the Page Visibility API when it expires, for example.)
Maybe you could point me to that issue on github?
Thanks

@alecpl
Member

alecpl commented Sep 1, 2021

As there's no other ticket for this issue, let's keep this open. No workarounds.

@alecpl alecpl added this to the later milestone Sep 1, 2021
@alecpl alecpl changed the title ERROR_INVALID_REQUEST with good credentials after session expiration Session expires on logon form Sep 1, 2021
@milo

milo commented Oct 6, 2021

We hit the same issue.

  1. user logs off
  2. redirected to a login form
  3. there is a _token hidden POST field

Meanwhile, session GC runs and deletes the user session from the database.

  1. user comes back to the PC
  2. tries to sign in with the correct username & password
  3. it fails with the message: Invalid request! No data was saved. because:

Maybe set a longer $config['session_lifetime'], which postpones session GC, as a workaround.

@izbushka
Author

izbushka commented Oct 8, 2021

You'll hit the timeout eventually no matter how big it is.

The easiest workaround for me is to add a reload script into the login page, triggered on browser tab activation:
skins/larry/templates/login.html

<script>
    // Reload the login form whenever the tab becomes visible again,
    // so the form is re-rendered with a fresh session and _token.
    function visibilityChangeHandler() {
        if (document.visibilityState === "visible") {
            window.location.reload();
        }
    }
    document.addEventListener("visibilitychange", visibilityChangeHandler, false);
</script>

It could be improved by delaying the reload until the session has expired, but since it reloads almost instantly it is good enough for me.
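The following is an added example, not Roundcube's own code and not posted by anyone in this thread. It takes the unconditional reload-on-activation script above and adds the refinement the comment mentions: reload the login form only once its server-side session is about to be garbage-collected (the mechanism milo describes), so a stale _token is never posted but a tab that was only briefly hidden is left alone. It assumes that Roundcube's $config['session_lifetime'] is expressed in minutes and hardcodes 10 as a placeholder, because the stock login template does not expose that value to JavaScript; the function and constant names are the example's own. The decision logic is kept free of browser globals so it can be unit-tested, and it measures age with the wall clock rather than a timer, since a setTimeout does not fire while the OS is suspended.

```javascript
// Added example: reload the Roundcube login form only when its _token is
// likely to have expired. Not project code; names and values are assumed.

// Assumption: $config['session_lifetime'] is in minutes. 10 is a placeholder,
// not the server's real setting, which the template would have to inject.
const SESSION_LIFETIME_MINUTES = 10;

// Reload a little before the deadline: the exact moment session GC runs on
// the server is not under the client's control.
const SAFETY_MARGIN_MS = 30 * 1000;

// Pure decision function, testable without a browser.
// loadedAtMs: wall-clock time the form (and its _token) was rendered.
// nowMs: wall-clock time at the visibilitychange event.
// Returns true when the form should be reloaded to obtain a fresh _token.
function shouldReloadLoginForm(loadedAtMs, nowMs, lifetimeMinutes, visibilityState, marginMs = SAFETY_MARGIN_MS) {
  if (visibilityState !== "visible") {
    return false; // tab went to the background; nothing to do yet
  }
  const lifetimeMs = lifetimeMinutes * 60 * 1000;
  const ageMs = nowMs - loadedAtMs;
  // Wall-clock age keeps counting while the machine is suspended, which is
  // the scenario in this thread; a timer would not have fired meanwhile.
  return ageMs >= lifetimeMs - marginMs;
}

// Browser wiring. Returns the installed handler, or null when there is no
// document (for example under a test runner), in which case nothing is done.
function installLoginFormRefresh(lifetimeMinutes = SESSION_LIFETIME_MINUTES) {
  if (typeof document === "undefined") {
    return null;
  }
  const loadedAtMs = Date.now();
  const handler = function () {
    if (shouldReloadLoginForm(loadedAtMs, Date.now(), lifetimeMinutes, document.visibilityState)) {
      // A plain reload re-renders the form with a new session and _token.
      window.location.reload();
    }
  };
  document.addEventListener("visibilitychange", handler, false);
  return handler;
}

installLoginFormRefresh();
```

Dropped into the login template in place of the script above, this keeps the behaviour of the original workaround for the long-suspend case while avoiding a reload (and the lost form input) when the user merely switched tabs for a minute. The safety margin matters because GC timing is approximate: being a little early costs one harmless reload, being late reproduces the failure this issue is about.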
