Sign-in needed twice

Reply to Sign-in needed twice on Wed, 18 Sep 2019 11:00:54 GMT

nebulon — Wed, 18 Sep 2019 11:00:54 GMT

This has been fixed now with https://git.cloudron.io/cloudron/box/commit/2bde023d4dc783761553a0a7be88650e5885b4ad and should be part of the next release.

Reply to Sign-in needed twice on Tue, 17 Sep 2019 20:24:39 GMT

nebulon — Tue, 17 Sep 2019 20:24:39 GMT

Actually this was easy to reproduce for me now and at least here it is bound to the server process restarting. I guess we should finally move to persistent sessions then.

Reply to Sign-in needed twice on Tue, 17 Sep 2019 20:19:42 GMT

nebulon — Tue, 17 Sep 2019 20:19:42 GMT

The issue may be either the csrf protection in the login form itself, or the session timeout/expiration. I've checked that the cookie maxAge is 600000 seconds, so this is unlikely the root case I assume, but maybe if the Cloudron process, which holds the session in-memory is restarted, the session will get invalidated and a fresh login form will be presented.
I have to test this though on my own as well. In case you can reproduce this easily, that would be great to know how.

Reply to Sign-in needed twice on Tue, 17 Sep 2019 18:01:14 GMT

yusf — Tue, 17 Sep 2019 18:01:14 GMT

No, 2FA is not activated in this case.

Reply to Sign-in needed twice on Tue, 17 Sep 2019 17:54:54 GMT

girish — Tue, 17 Sep 2019 17:54:54 GMT

If this is using 2FA, this is most likely because the token "window" was too small. This is fixed in 4.2 (not released) - https://git.cloudron.io/cloudron/box/blob/master/CHANGES#L1656

Reply to Sign-in needed twice on Tue, 17 Sep 2019 15:26:52 GMT

murgero — Tue, 17 Sep 2019 15:26:52 GMT

@yusf Using 2fa? I have this issue too. It looks like cloudron caches the 2FA token when the login page is loaded as opposed to during login submission. At least, that's what it looks like to me. I get around this by waiting to submit the login data until the 2fa code is about 10-15 seconds to expiring.

Though may not be related here.