freescout-helpdesk / freescout

FreeScout — Free self-hosted help desk & shared mailbox (Zendesk / Help Scout alternative)
https://freescout.net
GNU Affero General Public License v3.0

Users other than admin cannot access fresh install - page has expired due to inactivity #4010

Closed aaversa closed 1 week ago

aaversa commented 2 weeks ago

I just re-installed FreeScout on my server (PHP 7.4) and invited several users. One of the users, who has never visited the site before, attempted to access the link he received, which was in the format:

https://mysite.com/user-setup/longStringOfCharactersHere

As soon as he clicks on the link, he receives the following error:

"The page has expired due to inactivity. Please refresh and try again."

He has tried refreshing, no good.

Every other user I've invited reports the same thing, across multiple browsers, OS and computers.

Why would this be happening?

EDIT: If users instead visit https://mysite.com/ and trigger a password reset, they CAN log in this way. But this is still bizarre.

freescout-helpdesk commented 2 weeks ago

Check caching on your web server, proxies, CloudFlare, etc.

aaversa commented 2 weeks ago

It was not a caching issue - the problem was this line in session.php:

'secure' => env('SESSION_SECURE_COOKIE', false),

As written, login pages could not be accessed via https, users had to use http (not intuitive). Once we knew this we were able to have people switch to http and things worked fine.

Can you add this to the documentation?

freescout-helpdesk commented 2 weeks ago

How to reproduce the issue?

1) Set APP_URL to use HTTPS: https://mysite.com in the .env file and clear cache.
2) Set SESSION_SECURE_COOKIE=true in the .env file and clear cache.
3) ...

aaversa commented 2 weeks ago

The repro was a completely clean install, no changes to session.php.

Set app url - https://mysite.com

Create new user. User opens invite email. They immediately see the activity timeout error.

User manually goes to http://mysite.com/login - can use reset password from here.

freescout-helpdesk commented 1 week ago

We can't reproduce the issue. The problem may be in your web server or HTTPS configuration.

aaversa commented 1 week ago

Can you help diagnose it more? This is just a regular server and we don't have any kind of unusual configuration. After attempting an update this is now happening to me constantly.

freescout-helpdesk commented 1 week ago

The only way to figure it out is to investigate on your server. You can email us at support@freescout.net or try https://github.com/freescout-helpdesk/freescout/wiki/Hire-Developer
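
Added example (not part of the thread and not FreeScout code): the `'secure'` line quoted from session.php controls the Secure attribute on the session cookie, and this sketch shows how that attribute, combined with the scheme of the page load and of the following form submit, decides whether a browser keeps and returns the cookie. The cookie name, values and the `audit` helper are constructed for illustration.

```python
# Added illustration; cookie names and values are constructed samples.

def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, {attribute: value})."""
    first, *rest = [part.strip() for part in header.split(";")]
    name = first.partition("=")[0].strip()
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit(set_cookie_headers, page_scheme, submit_scheme):
    """Return {cookie name: verdict} for a page fetched over page_scheme
    whose form is then submitted over submit_scheme."""
    verdicts = {}
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        secure = "secure" in attrs
        if secure and page_scheme != "https":
            # Current browsers refuse to store a Secure cookie set over plain HTTP.
            verdicts[name] = "rejected: Secure cookie set over http"
        elif secure and submit_scheme != "https":
            verdicts[name] = "not sent: Secure cookie withheld from http request"
        elif not secure and "https" in (page_scheme, submit_scheme):
            # Works, but the session cookie also travels on any plain-HTTP request.
            verdicts[name] = "sent, but also exposed to plain http requests"
        else:
            verdicts[name] = "sent"
    return verdicts


# Constructed Set-Cookie values for the two settings of SESSION_SECURE_COOKIE.
SECURE_TRUE = ["example_session=abc123; path=/; secure; httponly"]
SECURE_FALSE = ["example_session=abc123; path=/; httponly"]

if __name__ == "__main__":
    for label, headers in (("true", SECURE_TRUE), ("false", SECURE_FALSE)):
        for page, submit in (("https", "https"), ("https", "http"), ("http", "http")):
            print(f"SESSION_SECURE_COOKIE={label} page={page} submit={submit}:",
                  audit(headers, page, submit))
```

To use it on a real install, paste the `Set-Cookie` values from the browser's network tab (or `curl -I` output) for the invite link into the list passed to `audit`.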