znuny / Znuny

Znuny/Znuny LTS is a fork of the OTRS Community Edition, one of the most flexible web-based ticketing systems used for Customer Service, Help Desk, and IT Service Management.
https://www.znuny.org
GNU General Public License v3.0

Bug - Invalid session #566

Closed stek6 closed 1 month ago

stek6 commented 1 month ago

Environment

Expected behavior

When the user (agent or Admin) uses the Settings menu (e.g. in Queue View or Status View), he can select, for example, the number of visible rows and/or add/remove visible columns. The Save button makes the changes effective and the form updates by modifying the visible columns and/or the number of rows shown.

Actual behavior

When the user (agent or Admin) uses the Settings menu (e.g. in Queue View or Status View), he can select, for example, the number of visible rows and/or add/remove visible columns. When confirmation is given via the Save button, the user is logged out of OTRS and returns to the login page. In the Dashboard, however, the Settings button present for the various widgets is blocked and does not open any settings window.

How to reproduce

Steps to reproduce the behavior:

  1. Access the agent interface
  2. Click on Tickets -> Status view
  3. Whatever the display mode (S, M, L) the gear icon (Settings) is visible at the top right
  4. Open the Settings menu and change whether or not tickets per page or visible columns are visible
  5. Click Save
  6. The next reload takes you back to login and the user is logged out (Invalid session. Log in again.)

Additional information

For the moment we have detected the anomaly in:

The same button is also present in the Dashboard but blocked: no menu for editing widgets is opened.

We also made a backend change for sessions from DB to FS but it didn't solve the problem.

Errors detected in the OTRS logs (debug mode); no errors in the Apache logs:

[Wed May 29 08:55:57 2024][Notice][Kernel::System::AuthSession::DB::RemoveSessionID] Removed SessionID n4v6aDlnAGsfUzwm6dsuBpreKTVFbM1a.
[Wed May 29 08:55:57 2024][Notice][Kernel::System::AuthSession::DB::CheckSessionID] SessionID: 'n4v6aDlnAGsfUzwm6dsuBpreKTVFbM1a' is invalid!!!

[Wed May 29 13:01:19 2024][Notice][Kernel::System::AuthSession::FS::RemoveSessionID] Removed SessionID 80DgoVc7GiSuu4kcfw8FBZuanuZCQTSVtW.
[Wed May 29 13:01:20 2024][Notice][Kernel::System::AuthSession::FS::CheckSessionID] SessionID: '80DgoVc7GiSuu4kcfw8FBZuanuZCQTSVtW' is invalid!!!

Screenshots


hanneshal commented 1 month ago

Hi @stek6, you have an invalid system config. The system is not able to set a secure cookie and you are in (deprecated) fallback mode using the URL session. This is no bug; this is more a config issue.

Please check the FQDN and the HttpType. Those need to match the Apache config / the URL you are using. Also check the ScriptAlias.

All those settings need to match reality; otherwise it is not possible to set a secure cookie and you get the described behaviour.

Regards Johannes

stek6 commented 1 month ago

Hi Johannes, HttpType and FQDN match the Apache configuration; otherwise the problem would occur constantly and periodically throughout the application. Furthermore, in fallback mode the token should be visible directly in the URL, shouldn't it? This is not my case. Simply and only in the sections indicated, and only in version 6.5.8, when the settings are saved the system logs the user out. The anomaly occurs only with version 6.5.8 but not with 6.5.7, using the same configuration on the Apache side and the same configuration in OTRS (HttpType and FQDN). How is it possible?

Thanks in advance Stek

hanneshal commented 1 month ago

Hi @stek6, no offense, but I doubt that.

This behaviour matches exactly the known problem when the config does not match reality. The session is added to the URL and not stored in the cookie. This is the very, very old behaviour and just a (deprecated) fallback.

http vs https (HttpType), FQDN and ScriptAlias are the most common errors.

Sometimes users drop the "/znuny" (or on older installations the "/otrs") from the URL and the problem is the same. Sometimes people terminate SSL on the wrong host, and so on...

Please check and if possible provide the urls / values when the problem occurs.

Regards
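The three settings named in the reply above (FQDN, HttpType, ScriptAlias) have to agree with the URL the browser actually sends, or the application cannot set its session cookie and drops into the URL-session fallback. The following is an added example, not code from the Znuny project or from either commenter: it compares an observed URL with those three values and flags a URL that is already carrying a session parameter. It assumes the agent session name is the default `OTRSAgentInterface` and that in fallback mode it shows up as a query parameter of that name; adjust `SESSION_NAME` if your installation differs.

```python
"""
Added example (not Znuny project code): check an observed agent URL against
the Znuny/OTRS settings FQDN, HttpType and ScriptAlias, and detect whether
the session is being carried in the URL (the deprecated fallback).

Assumption (not from the issue): the agent session name is the default
'OTRSAgentInterface' and appears as a query parameter in URL-session mode.
"""
import re
from urllib.parse import urlsplit

SESSION_NAME = "OTRSAgentInterface"  # assumed default session name


def config_mismatches(url, fqdn, http_type, script_alias):
    """Return a list of mismatches between the URL and the configured values.

    An empty list means scheme, host and path prefix all agree with
    HttpType, FQDN and ScriptAlias respectively.
    """
    parts = urlsplit(url)
    problems = []

    # HttpType is 'http' or 'https' and must equal the scheme the client used.
    if parts.scheme.lower() != http_type.lower():
        problems.append(
            f"HttpType is '{http_type}' but the request uses '{parts.scheme}://'"
        )

    # FQDN is the bare host name. urlsplit().hostname is lower-cased and has
    # no port, so a port in the URL does not produce a false mismatch.
    if (parts.hostname or "") != fqdn.lower():
        problems.append(
            f"FQDN is '{fqdn}' but the request host is '{parts.hostname}'"
        )

    # ScriptAlias is the path prefix under which index.pl lives, e.g. 'znuny/'.
    alias = "/" + script_alias.strip("/") + "/"
    if not parts.path.startswith(alias):
        problems.append(
            f"ScriptAlias is '{script_alias}' but the request path is '{parts.path}'"
        )

    return problems


def session_in_url(url, session_name=SESSION_NAME):
    """True if the URL carries the session as a query parameter.

    OTRS-style query strings separate parameters with ';' as well as '&',
    so both separators are accepted.
    """
    query = urlsplit(url).query
    for pair in re.split(r"[;&]", query):
        key, _, value = pair.partition("=")
        if key == session_name and value:
            return True
    return False


def diagnose(url, fqdn, http_type, script_alias):
    """Run both checks and return the combined list of findings."""
    report = config_mismatches(url, fqdn, http_type, script_alias)
    if session_in_url(url):
        report.append(
            f"session is passed in the URL ({SESSION_NAME}=...): "
            "the application is in the deprecated URL-session fallback"
        )
    return report


if __name__ == "__main__":
    # Constructed sample values; host name and session id are not from the issue.
    cfg = dict(fqdn="helpdesk.example.com", http_type="https", script_alias="znuny/")
    good = "https://helpdesk.example.com/znuny/index.pl?Action=AgentTicketStatusView"
    bad = ("http://helpdesk.example.com:8080/otrs/index.pl"
           "?Action=AgentDashboard;OTRSAgentInterface=abc123")
    for u in (good, bad):
        print(u)
        for line in diagnose(u, **cfg) or ["ok: configuration matches the URL"]:
            print("  -", line)
```

Run it against the URL shown in the browser at the moment the logout happens; any line other than "ok" is a concrete value to correct in the Apache virtual host or in the Znuny configuration before treating the logout as an application bug.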

hanneshal commented 1 month ago

Ok, I need to apologize. This seems to be an already fixed (internal) issue, which I did not know about.

There is a fix for the upcoming 6.5.9

Thanks to @rkaldung for pointing this out

stek6 commented 1 month ago

Hi Johannes, however, I am attaching a small video to confirm the reported bug and the evidence of the URLs. Thank you and @rkaldung for confirming the resolution planned for the next release (6.5.9) and the work you do to keep the project alive and updated.

Good work, Stek

https://github.com/znuny/Znuny/assets/36170678/c4e7f106-3c0a-48ce-9056-5986d63a38a8

rkaldung commented 1 month ago

Duplicate of https://github.com/znuny/Znuny/issues/559