Mattermost Peer-to-Peer Forum

[SOLVED] Mattermost iOS client login token expired


#1

I’ve seen it happening with myself and some of my users. We suddenly get a notification from iOS telling the login token has expired and we need to login again.

Opening mattermost client displays the login page.

This is a big burden since we stop getting messages until we relog.

Most users login once and they expect the app to just work. besides they always forget their passwords. : P

I’m not sure why this happens but I don’t think it should.

Is this a security feature? Is it possible to turn it off?

Cheers


#2

Thanks for reaching out! I’m happy to help but first I’ve got a couple questions:

  • Do you see this after a specific amount of time or does it seem random?
  • Are your users using the same version of iOS and the Mattermost app?
  • What are the session timeouts set to? You can find these under System Console > Security > Sessions

#3
  1. It’s dificult to say. My guess is it expires 30 from last time the user actually loged in (type user and password). It could be the case based on the console session settings.
  2. Yes they are.
  3. Session Lengths 30 days, Session Cache 10 minutes. default settings.

I dont think I fully understand the console sessions settings but from my point of view the users should never be prompted to relog. it is impractical. Only time it’s necessary is when the account password is modified.


#4

Hi @RbDev,

I have a few additional questions to help with troubleshooting this:

  1. What server version is everyone using?
  2. What Mattermost app version are they using?
  3. What iOS app version are they using
  4. Can you help share any logs from the time the issue takes place?

#5

Mattermost Server Version: Latest. 4.7.3
Mattermost iOS Version: Latest 1.6.1
iOS Version: Latest 11.2.6

The log looks like this

[2018/03/10 14:32:11 GMT] [INFO] /api/v4/users/me/teams/unread: code=401 rid=exfie7j94ibo9mf7wap8zqakhc uid= ip=192.168.1.94 Invalid or expired session, please login again. [details: UserRequired]
[2018/03/10 14:32:11 GMT] [INFO] /api/v4/users/me/teams/kuzmdm5orjf5mmet4kdcqckpge/channels/members: code=401 rid=dfy4eutyopy6pkb3npgemn9pbc uid= ip=192.168.1.94 Invalid or expired session, please login again. [details: UserRequired]
[2018/03/10 14:32:11 GMT] [INFO] /api/v4/users/me/teams/kuzmdm5orjf5mmet4kdcqckpge/channels: code=401 rid=sw6kyy368j8zuqupqpimjd8n8e uid= ip=192.168.1.94 Invalid or expired session, please login again. [details: UserRequired]
[2018/03/10 14:32:11 GMT] [INFO] /api/v4/users/status/ids: code=401 rid=rdzoy1kjrpf99p3np6gtp5d36h uid= ip=192.168.1.94 Invalid or expired session, please login again. [details: UserRequired]
[2018/03/10 14:32:11 GMT] [INFO] /api/v4/channels/members/me/view: code=401 rid=xy46hp5gh7ru7xwdkfzew8suso uid= ip=192.168.1.94 Invalid or expired session, please login again. [details: UserRequired]
[2018/03/10 14:32:11 GMT] [INFO] /api/v4/users/preferences: code=401 rid=no7r9yycjpgzurade6ens7mkgr uid= ip=192.168.1.94 Invalid or expired session, please login again. [details: UserRequired]
[2018/03/10 14:32:11 GMT] [INFO] /api/v4/channels/members/me/view: code=401 rid=3xj848nezjgdbfb4zs8cbypc8h uid= ip=192.168.1.94 Invalid or expired session, please login again. [details: UserRequired]

Cheers.


#6

Hi @RbDev,

That is indeed the intended behaviour as defined by those system console settings. By default, we want mobile sessions to expire in case the user loses their phone and someone else picks it up so that the amount of access that the other person has is limited.

You can increase the length of a mobile session if you’d like, and it’ll take effect after the next time that the users are made to log in again. I don’t think it’s possible to disable it entirely, but you could set it to a long time like a year.


#7

This is a very bad decision. Imagine if skype forced all the users to relog every month.
I suggest to implement a feature to disable session expiration and make it as default settings.


#8

I agree that it’s somewhat less convenient for end users when they get logged out monthly, but we chose to sacrifice some usability for a more security-concious solution here. As mentioned before though, you can set the session length to make it incredibly long so that session expiration virtually never happens.


#9

@hmhealey It doesn’t just make them re-login, it’ll often ask for the server URL and the username again. I understand re-entering a password, but zero of our regular users remember the URL. What’s worse is the app (on both iOS and Android) silently loses the connection: the login expires, people stop receiving notifications on their phones, and the app doesn’t notify the user to log in again. You can’t even plan to work around the issue as using the app is not enough to keep the session alive, it will always drop the login. Setting the the timeout to a year is only half the solution, people will still suddenly be logged out without being told, and will be even less likely to remember their passwords after so long.


#10

Hi @Roy-Orbison,

Does this ticket describe the issue you’re seeing: https://mattermost.atlassian.net/browse/MM-11319? Unfortunately we haven’t been able to reproduce it internally so far.

Also, from a security perspective, session expiry is to invalidate existing sessions that may have been compromised. These are absolute timeouts, not renewal timeouts. Increasing them is a balance between security and usability.


#11

My issue with this was that the user wasnt informed they were logged out.

So from their point of view they only stopped receiving notifications until they accessed the app again.

It caused confusion but in the end I set a crazy session timeout.

Not perfect, atill prefer a disable option, but functional.

Cheers


#12

Regarding the session expiry, we’ve been looking at improving that recently. We’re mostly talking about increasing the default session length (while adding some additional measures to mitigate against compromised sessions), but there has been some discussion about if and how we could safely eliminate the max length of mobile sessions entirely. Nothing to report on that front yet, but we’re aware that it’s not a great experience


#13

@amy.blais I think they’re just regular timeouts. The main issue is one doesn’t know when they’re no longer logged in. Can’t the app ping the server periodically to see if it’s been disconnected?


#14

To have the session expire feature, you really need the app to tell the user, probably by notification, that the app login expired, requesting the user to open the app and relog.


#15

@Roy-Orbison We fixed an issue in v1.13 on session expiry notifications not being sent on mobile devices: https://mattermost.atlassian.net/browse/MM-12236. We also added support in server v5.4 for notifying users when desktop/browser sessions expire. However, as hmhealey said above, we do have other tickets we’re working on to improve the session expiry behaviour.