passbolt / passbolt-windows

Windows desktop application for Passbolt, the open source password manager for teams!
https://passbolt.com

Session Timeout on Windows Desktop App #8

Open thomasSSSC opened 3 months ago

thomasSSSC commented 3 months ago

Hi, my team self hosted passbolt. I'm having issues with session timeout, but only on the Windows App, the web app works fine. I was told by my company that they set the logout to 8 hours, but my desktop app will log me out after 5 or sometimes 1 hour. This doesn't seem to be a problem for anyone else.

This is the configuration of my company's passbolt:

System info:
– Server operating system name and version => Running in AWS EKS cluster on Debian GNU/Linux 12 (bookworm)
– Web server name and version => nginx/1.22.1
– Database server name and version => PostgreSQL 16.0 on x86_64-pc-linux-gnu
– Php version => PHP 8.2.18
– Passbolt version => 4.8.0

Healthcheck:

Healthcheck shell

Environment

[PASS] PHP version 8.2.18.
[PASS] PHP version is 8.1 or above.
[PASS] PCRE compiled with unicode support.
[PASS] Mbstring extension is installed.
[PASS] Intl extension is installed.
[PASS] GD or Imagick extension is installed.
[PASS] The temporary directory and its content are writable and not executable.
[PASS] The logs directory and its content are writable.

Config files

[PASS] The application config file is present
[WARN] The passbolt config file is missing in /etc/passbolt/
[HELP] Copy /etc/passbolt/passbolt.default.php to /etc/passbolt/passbolt.php
[HELP] The passbolt config file is not required if passbolt is configured with environment variables

Core config

[PASS] Cache is working.
[PASS] Debug mode is off.
[PASS] Unique value set for security.salt
[PASS] Full base url is set to https://*****
[PASS] App.fullBaseUrl validation OK.
[PASS] /healthcheck/status is reachable.

SSL Certificate

[PASS] SSL peer certificate validates.
[PASS] Hostname is matching in SSL certificate.
[PASS] Not using a self-signed certificate.

SMTP settings

[PASS] The SMTP Settings plugin is enabled.
[PASS] SMTP Settings coherent. You may send a test email to validate them.
[WARN] The SMTP Settings source is: env variables.
[HELP] It is recommended to set the SMTP Settings in the database through the administration section.
[WARN] The SMTP Settings plugin endpoints are enabled.
[HELP] It is recommended to disable the plugin endpoints.
[HELP] Set the PASSBOLT_SECURITY_SMTP_SETTINGS_ENDPOINTS_DISABLED environment variable to true.
[HELP] Or set passbolt.security.smtpSettings.endpointsDisabled to true in /etc/passbolt/passbolt.php.

JWT Authentication

[PASS] The JWT Authentication plugin is enabled.
[PASS] The /etc/passbolt/jwt/ directory is not writable.
[PASS] A valid JWT key pair was found.

GPG Configuration

[PASS] PHP GPG Module is installed and loaded.
[PASS] The environment variable GNUPGHOME is set to /var/lib/passbolt/.gnupg.
[PASS] The directory /var/lib/passbolt/.gnupg containing the keyring is writable by the webserver user.
[PASS] The server OpenPGP key is not the default one.
[PASS] The public key file is defined in /etc/passbolt/passbolt.php and readable.
[PASS] The private key file is defined in /etc/passbolt/passbolt.php and readable.
[PASS] The server key fingerprint matches the one defined in /etc/passbolt/passbolt.php.
[PASS] The server public key defined in the /etc/passbolt/passbolt.php (or environment variables) is in the keyring.
[PASS] There is a valid email id defined for the server key.
[PASS] The public key can be used to encrypt a message.
[PASS] The private key can be used to sign a message.
[PASS] The public and private keys can be used to encrypt and sign a message.
[PASS] The private key can be used to decrypt a message.
[PASS] The private key can be used to decrypt and verify a message.
[PASS] The public key can be used to verify a signature.
[PASS] The server public key format is Gopengpg compatible.
[PASS] The server private key format is Gopengpg compatible.

Application configuration

[PASS] Using latest passbolt version (4.8.0).
[PASS] Passbolt is configured to force SSL use.
[PASS] App.fullBaseUrl is set to HTTPS.
[PASS] Selenium API endpoints are disabled.
[PASS] Search engine robots are told not to index content.
[INFO] The Self Registration plugin is enabled.
[INFO] Registration is closed, only administrators can add users.
[PASS] The deprecated self registration public setting was not found in /etc/passbolt/passbolt.php.
[WARN] Host availability checking is disabled.
[HELP] Make sure this instance is not publicly available on the internet.
[HELP] Or set the PASSBOLT_EMAIL_VALIDATE_MX environment variable to true.
[HELP] Or set passbolt.email.validate.mx to true in /etc/passbolt/passbolt.php.
[PASS] Serving the compiled version of the javascript app.
[WARN] Some email notifications are disabled by the administrator.
[PASS] The database schema up to date.

Database

[PASS] The application is able to connect to the database
[PASS] 31 tables found.
[PASS] Some default content is present.

[PASS] No error found. Nice one sparky!
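The healthcheck above is pasted as run-together text, which makes the WARN items and their HELP recommendations easy to miss. The following is an added helper, not part of the passbolt project or of this thread, that splits healthcheck output back into entries, keeps the section name for each, and attaches every HELP line to the WARN or FAIL it follows. The sample input is constructed in the same shape as the report above.

```python
import re
from typing import Dict, List

# Constructed sample: a fragment in the same shape as the healthcheck pasted above.
SAMPLE = """Core config
[PASS] Cache is working. [PASS] Debug mode is off.
SMTP settings
[PASS] The SMTP Settings plugin is enabled. [WARN] The SMTP Settings source is: env variables. [HELP] It is recommended to set the SMTP Settings in the database through the administration section. [WARN] The SMTP Settings plugin endpoints are enabled. [HELP] It is recommended to disable the plugin endpoints. [HELP] Set the PASSBOLT_SECURITY_SMTP_SETTINGS_ENDPOINTS_DISABLED environment variable to true.
"""

# Status tags emitted by the passbolt healthcheck; the capturing group makes
# re.split() return the tag itself between the text fragments.
TOKEN = re.compile(r"\[(PASS|WARN|FAIL|INFO|HELP)\]\s*")


def parse_healthcheck(text: str) -> List[dict]:
    """Return one dict per check, with HELP lines folded into the preceding WARN/FAIL."""
    entries: List[dict] = []
    section = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = TOKEN.split(line)
        # parts[0] is whatever precedes the first tag: non-empty means a section header.
        if parts[0].strip():
            section = parts[0].strip()
        # Remaining parts alternate: tag, message, tag, message, ...
        for tag, msg in zip(parts[1::2], parts[2::2]):
            msg = msg.strip()
            if tag == "HELP" and entries and entries[-1]["status"] in ("WARN", "FAIL"):
                entries[-1]["help"].append(msg)
            else:
                entries.append({"section": section, "status": tag,
                                "message": msg, "help": []})
    return entries


def findings(text: str) -> List[dict]:
    """Only the actionable entries (WARN/FAIL), each with its HELP recommendations."""
    return [e for e in parse_healthcheck(text) if e["status"] in ("WARN", "FAIL")]


def summarize(text: str) -> Dict[str, int]:
    """Count entries per status, e.g. {'PASS': 3, 'WARN': 2}."""
    counts: Dict[str, int] = {}
    for e in parse_healthcheck(text):
        counts[e["status"]] = counts.get(e["status"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in findings(SAMPLE):
        print(f"[{f['status']}] ({f['section']}) {f['message']}")
        for h in f["help"]:
            print(f"    -> {h}")
```

Run against the full healthcheck text, the output lists the three WARN items above together with the environment variables and config keys the report suggests for each.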

krzys128 commented 2 months ago

You are not alone ;). I've experienced the same problem. I supposed the connection would be cut by some firewalls/other network timeouts, so I asked our network team to diagnose network traffic between the Windows app and the Passbolt server. As a result they pointed out that the Windows application, after 10-15 minutes of inactivity, sends a FIN packet to the Passbolt server and closes the TCP connection :( I have already asked about it in the Passbolt forum but .. no answer until now.

scadra commented 2 months ago

Hey @thomasSSSC,

Is the problem still present?

@krzys128,

Sorry for the delay, we will need more information about your use case. It looks like the alarm used to check the session is not running in your case. I propose to jump to your topic.

scadra commented 2 months ago

A ticket PB-35224 has been created to track this topic

thomasSSSC commented 2 weeks ago

Yes this issue still persists @scadra. Passbolt logs me out as soon as I close the app or even when I wait an hour.

krzys128 commented 2 weeks ago

@thomasSSSC - join our discussion on the passbolt community and share your case.

scadra commented 2 weeks ago

@thomasSSSC

It is expected to be logged out when the app is closed. Regarding the issue, we have tried to reproduce it without success and we need more clarification:

The objective is to find a solution to unblock you and to reproduce this issue. A debug version should come in the next release, which should allow us to track the timeout.

Just for some clarification, for the moment the Windows app is not built to support low privilege configuration (RDS,...)

scadra commented 1 week ago

@thomasSSSC

A new debug tool has been released to support this kind of use case: see the release download.

Is it possible for you to download it and check in the background devtools the different calls made before the automatic signout?

Thanks in advance