"Already authenticated" error message

[Elbullazul]

Version

5.0.2

Details & Steps to reproduce

After logging in and waiting some time (ex. 1 hour), the login screen appears when accessing the page. However, after entering the credentials, the following message appears:

Expectation

If the service prompts me to login, it should be because I am already logged out. It seems that the session isn't properly closed after max. session length is reached. It worked fine in release 4.2.4

This does not happen when manually logging out.

Error & Logs

<reverse-proxy-ip> - - [29/Dec/2023:17:17:55 +0000] "POST /user/login HTTP/1.1" 400 68 "https://2fauth.domain.example/login" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0"
<reverse-proxy-ip> - - [29/Dec/2023:17:17:55 +0000] "GET /build/assets/Error-975ed5c3.js HTTP/1.1" 304 0 "https://2fauth.domain.example/build/assets/app-1b332c21.js" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0"

Execution environment

Date: Fri, 29 Dec 2023 20:28:29 +0000
userAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Version: 5.0.2
Environment: local
Install path: /
Debug: false
Cache driver: file
Log channel: daily
Log level:
DB driver: sqlite
PHP version: 8.1.22
Operating system: Linux
interface: fpm-fcgi
Auth guard: web-guard
webauthn user verification: preferred
Trusted proxies: *

Containerization

• [X] Docker

Additional information

No response

[taryujiai]

I get this error as well.

[Bubka]

Hi, Does it occur regardless of the Auto lock setting value? Can you please reproduce with dev tools (F12) opened on the network tab. Do you see a request to /user/logout?

[Elbullazul]

There is no call to /user/logout:

I had auto lock set to 15 minutes, I tried changing it to one minute and still get the error.

[ryosoftware]

+1 same issue here

[NOnooSS]

Same issue forme too since the last update (v5.0.2) Autolock after 30 mins

[Bubka]

@kslcsdalsadg @NOnooSS Do you see a call to user/logout in dev tools unlike Elbullazul? (You can test with autolock set to 1min to speed up, the behavior should be the same)

[ryosoftware]

Nope, logout isn't called. This is the list of calls when I enter to my 2fa site

[dansharpy]

I was having this same issue, seem to have just solved it by doing a complete erase of all browser cache data. Worth a go if you're facing this.

[heliohenriques]

Same issue when using OpenID account. That's annoying because I've installed on mobile phone (Add to Home Screen), as it get stuck.

[onlineapps-cloud]

same issue

[Bubka]

Does the Back to home link in the footer brings you to the 2fa list or does it loop on the error msg?

[Elbullazul]

It took me to the 2fa list correctly.

But I cannot reproduce this bug anymore with 5.0.3.

Edit: I was using the "never" auto-lock option (to avoid encountering this bug), and changed it back to 15 minutes to confirm the behaviour. For some time after changing the setting, the bug was not occurring. It started happening again after some time, not sure if this helps.

[ryosoftware]

Does the Back to home link in the footer brings you to the 2fa list or does it loop on the error msg?

In my case te back to home link opens the main page.

[heliohenriques]

Using OpenID, I need to choose the option "Sign In" and after "Back Home".

[CaptainKey3s]

I've got the same issue. Back to home opens the main page.

[Bubka]

Ok I think I get it! I've found an error in the way inactivity is handled by the backend. I will release a new version shortly, the time for me to validate my fix in all possible situations.

[Anilo1990]

I'm using v5.0.4 and I have this issue as well. Is there already a fix for this?

[Bubka]

The fix is not available yet, sorry, I still have few things to do before releasing it.

[Anilo1990]

@Bubka ok, there's no hurry. Thank you for taking care of a bugfix. I came across this thread while researching and didn't know if it had been already fixed or not. Hope to see the new version soon :-)