[SOLVED] Mattermost iOS client login token expired


#1

I’ve seen it happening with myself and some of my users. We suddenly get a notification from iOS telling us the login token has expired and we need to log in again.

Opening the Mattermost client displays the login page.

This is a big burden since we stop getting messages until we relog.

Most users log in once and they expect the app to just work. Besides, they always forget their passwords. :P

I’m not sure why this happens but I don’t think it should.

Is this a security feature? Is it possible to turn it off?

Cheers


#2

Thanks for reaching out! I’m happy to help but first I’ve got a couple questions:

  • Do you see this after a specific amount of time or does it seem random?
  • Are your users using the same version of iOS and the Mattermost app?
  • What are the session timeouts set to? You can find these under System Console > Security > Sessions

#3

  1. It’s difficult to say. My guess is it expires 30 from last time the user actually logged in (type user and password). It could be the case based on the console session settings.
  2. Yes they are.
  3. Session Lengths 30 days, Session Cache 10 minutes. default settings.

I don’t think I fully understand the console session settings, but from my point of view the users should never be prompted to relog. It is impractical. The only time it’s necessary is when the account password is modified.


#4

Hi @RbDev,

I have a few additional questions to help with troubleshooting this:

  1. What server version is everyone using?
  2. What Mattermost app version are they using?
  3. What iOS app version are they using?
  4. Can you help share any logs from the time the issue takes place?

#5

Mattermost Server Version: Latest. 4.7.3
Mattermost iOS Version: Latest 1.6.1
iOS Version: Latest 11.2.6

The log looks like this

[2018/03/10 14:32:11 GMT] [INFO] /api/v4/users/me/teams/unread: code=401 rid=exfie7j94ibo9mf7wap8zqakhc uid= ip=192.168.1.94 Invalid or expired session, please login again. [details: UserRequired]
[2018/03/10 14:32:11 GMT] [INFO] /api/v4/users/me/teams/kuzmdm5orjf5mmet4kdcqckpge/channels/members: code=401 rid=dfy4eutyopy6pkb3npgemn9pbc uid= ip=192.168.1.94 Invalid or expired session, please login again. [details: UserRequired]
[2018/03/10 14:32:11 GMT] [INFO] /api/v4/users/me/teams/kuzmdm5orjf5mmet4kdcqckpge/channels: code=401 rid=sw6kyy368j8zuqupqpimjd8n8e uid= ip=192.168.1.94 Invalid or expired session, please login again. [details: UserRequired]
[2018/03/10 14:32:11 GMT] [INFO] /api/v4/users/status/ids: code=401 rid=rdzoy1kjrpf99p3np6gtp5d36h uid= ip=192.168.1.94 Invalid or expired session, please login again. [details: UserRequired]
[2018/03/10 14:32:11 GMT] [INFO] /api/v4/channels/members/me/view: code=401 rid=xy46hp5gh7ru7xwdkfzew8suso uid= ip=192.168.1.94 Invalid or expired session, please login again. [details: UserRequired]
[2018/03/10 14:32:11 GMT] [INFO] /api/v4/users/preferences: code=401 rid=no7r9yycjpgzurade6ens7mkgr uid= ip=192.168.1.94 Invalid or expired session, please login again. [details: UserRequired]
[2018/03/10 14:32:11 GMT] [INFO] /api/v4/channels/members/me/view: code=401 rid=3xj848nezjgdbfb4zs8cbypc8h uid= ip=192.168.1.94 Invalid or expired session, please login again. [details: UserRequired]

Cheers.
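
An added example, not part of the original thread and not Mattermost's own code: a small parser for the server log format quoted in the post above that groups 401 "Invalid or expired session" entries into per-IP bursts, so an admin can tell one client's session expiring (many endpoints failing within a second or two) from scattered failures. The sample lines and IPs are constructed, and the 5-second burst window and the function names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the server log line format quoted in the thread.
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) GMT\] \[(?P<level>\w+)\] "
    r"(?P<path>\S+): code=(?P<code>\d+) rid=(?P<rid>\S+) uid=(?P<uid>\S*) "
    r"ip=(?P<ip>\S+) (?P<msg>.*)$"
)

def parse_line(line):
    """Return a dict for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y/%m/%d %H:%M:%S")
    rec["code"] = int(rec["code"])
    return rec

def expired_session_bursts(lines, window=timedelta(seconds=5)):
    """Group 401 'expired session' entries per IP into bursts.

    A new burst starts when the gap to the previous entry from the same
    IP exceeds `window` (an assumed value, tune it for your server).
    Returns {ip: [(first_seen, last_seen, set_of_paths), ...]}.
    """
    bursts = defaultdict(list)
    recs = [r for r in map(parse_line, lines) if r]
    for r in sorted(recs, key=lambda r: r["ts"]):
        if r["code"] != 401 or "expired session" not in r["msg"]:
            continue
        runs = bursts[r["ip"]]
        if runs and r["ts"] - runs[-1][1] <= window:
            start, _, paths = runs[-1]
            runs[-1] = (start, r["ts"], paths | {r["path"]})
        else:
            runs.append((r["ts"], r["ts"], {r["path"]}))
    return dict(bursts)

# Constructed sample input in the same format (documentation-range IPs).
SAMPLE = """\
[2018/03/10 14:32:11 GMT] [INFO] /api/v4/users/preferences: code=401 rid=aaa1 uid= ip=192.0.2.10 Invalid or expired session, please login again. [details: UserRequired]
[2018/03/10 14:32:11 GMT] [INFO] /api/v4/users/status/ids: code=401 rid=aaa2 uid= ip=192.0.2.10 Invalid or expired session, please login again. [details: UserRequired]
[2018/03/10 14:32:12 GMT] [INFO] /api/v4/channels/members/me/view: code=401 rid=aaa3 uid= ip=192.0.2.10 Invalid or expired session, please login again. [details: UserRequired]
[2018/03/10 18:00:00 GMT] [INFO] /api/v4/users/preferences: code=401 rid=aaa4 uid= ip=192.0.2.10 Invalid or expired session, please login again. [details: UserRequired]
[2018/03/10 14:32:11 GMT] [INFO] /api/v4/users/me: code=401 rid=bbb1 uid= ip=198.51.100.7 Invalid or expired session, please login again. [details: UserRequired]
not a log line
""".splitlines()
```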


#6

Hi @RbDev,

That is indeed the intended behaviour as defined by those system console settings. By default, we want mobile sessions to expire in case the user loses their phone and someone else picks it up so that the amount of access that the other person has is limited.

You can increase the length of a mobile session if you’d like, and it’ll take effect after the next time that the users are made to log in again. I don’t think it’s possible to disable it entirely, but you could set it to a long time like a year.


#7

This is a very bad decision. Imagine if Skype forced all the users to relog every month.
I suggest implementing a feature to disable session expiration and making it the default setting.


#8

I agree that it’s somewhat less convenient for end users when they get logged out monthly, but we chose to sacrifice some usability for a more security-conscious solution here. As mentioned before though, you can set the session length to make it incredibly long so that session expiration virtually never happens.