Users logged out of Mattermost clients


#1

Summary

We are running a Mattermost server on an Ubuntu 16.4 EC2 server with RDS DB. Our users have been reporting “random” logouts from both desktop and mobile clients, which results in missed notifications/messages.

I have set Session Length AD/LDAP and Email (days) AND Session Length Mobile (days) to 365, but users are still reporting logouts.

My question is what is the expected behavior with regards to logout events with the above settings in place? Is there a way to search the logs for logout/login events to try and narrow down the timing/cause of a user logout or session termination? Should I be looking at our nginx config for clues here even though we are not getting any websocket-related errors?

I have searched through our logs with the uid of one of our users who has reported the issue but cannot find any evidence of a logout event (file log level is set to DEBUG). However, I am seeing DEBG entries “websocket.read: client side closed socket” for a lot of our users, though I suspect this is normal behavior when internet access is interrupted.

Any help or input here would be greatly appreciated as this has become a major pain point for our MM users.

Steps to reproduce

Unable to reproduce the issue.

Expected behavior

Users stay logged into their desktop and mobile clients for the full duration specified by the “AD/LDAP and Email (days)” AND “Session Length Mobile (days)” config settings.

Observed behavior

Users report logouts from desktop and mobile clients.


#2

Hi @jtor! There have been a few similar reports on this just recently so I’ll ask the team about this.

In the meanwhile, can you help with more details on your Mattermost server version, desktop app version, and mobile app version?


#3

Thanks @amy.blais for your follow up.

Mattermost Version: 4.9.1
Database Schema Version: 4.9.0
Database: mysql

Mattermost client (Windows) 4.0.1
Mattermost client (iOS) 1.8.0

Unfortunately I do not have the client versions for everyone that has reported the logout problem, but I do know that some users are running the Android client. We also have a lot of users on the OSX client, but again I cannot verify the client versions for all of our users…

Thanks again for your help.


#4

Hi @jtor - Response from our security team:

“From a security perspective, session expiry is to invalidate existing sessions that may have been compromised. These are absolute timeouts, not renewal timeouts. Increasing them is a balance between security and usability.”
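The distinction between absolute and renewal timeouts in the reply above, as an added Go example that is not part of the thread and is not Mattermost's code. The `Session` type, function names and dates are hypothetical; it simulates a user who is active every day and reports the first day each policy would log them out.

```go
package main

import (
	"fmt"
	"time"
)

// Session is a hypothetical server-side session record (not Mattermost's model).
type Session struct {
	CreatedAt time.Time // fixed at login
	LastSeen  time.Time // updated on every authenticated request
}

// ExpiredAbsolute: the deadline is fixed at login; activity never extends it.
func ExpiredAbsolute(s Session, length time.Duration, now time.Time) bool {
	return !now.Before(s.CreatedAt.Add(length))
}

// ExpiredRenewal: the deadline slides forward from the most recent activity.
func ExpiredRenewal(s Session, idle time.Duration, now time.Time) bool {
	return !now.Before(s.LastSeen.Add(idle))
}

// FirstLogoutDay simulates one request per day for activeDays days and returns
// the first day each policy rejects the session (-1 if it never does).
func FirstLogoutDay(lengthDays, activeDays int) (absolute, renewal int) {
	day := 24 * time.Hour
	start := time.Date(2018, 1, 1, 9, 0, 0, 0, time.UTC) // constructed login time
	s := Session{CreatedAt: start, LastSeen: start}
	length := time.Duration(lengthDays) * day
	absolute, renewal = -1, -1
	for d := 1; d <= activeDays; d++ {
		now := start.Add(time.Duration(d) * day)
		if absolute < 0 && ExpiredAbsolute(s, length, now) {
			absolute = d
		}
		if renewal < 0 && ExpiredRenewal(s, length, now) {
			renewal = d
		}
		s.LastSeen = now // activity only matters to the renewal policy
	}
	return absolute, renewal
}

func main() {
	a, r := FirstLogoutDay(30, 90)
	fmt.Printf("absolute policy logs out on day %d; renewal policy: %d (-1 = never)\n", a, r)
}
```

Under the absolute policy a stolen token stops working at a known time even if it is used constantly, which is the security property the quoted reply describes; the cost is that continuously active users are also logged out at that deadline.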


#5

@amy.blais - thank you, that makes sense.

I am still wondering if the issue described above is expected behavior relative to our existing session duration settings. Is there additional security in place that would cause a user logout event within the session duration timeframe?


#6

Hi @jtor! I created a ticket here for our QAs to investigate: https://mattermost.atlassian.net/browse/MM-11319 (as I also mentioned in the desktop Issue).