Benjamin Bradley wrote:
I traced through the code (hooray open source) and was able to skirt the issue by disabling session expiration (comment out $rcmail_config['session_lifetime'] or set it to '').
My research showed that the rcmail_authenticate_session() function was being called twice per request. On the first attempt to log in (cleared sessions table), the function returns true the first time and then false the second time. Subsequent requests return false both times. It was getting set to false on this line:
if (!empty($CONFIG['session_lifetime']) && isset($SESS_CHANGED) && $SESS_CHANGED + $CONFIG['session_lifetime']*60 < time()) $valid = false;
I cannot confirm that rcmail_authenticate_session() is called twice per request. It is only called by index.php and this is only run once per request. Of course index.php is also run on AJAX requests which are sent periodically (every 60 seconds) to keep up the session by updating the changed date in the sessions table.
Unfortunately I cannot reproduce these timeouts. Please add the following code at the end of rcmail_authenticate_session(), right before return $valid; and send me the logged data, which will be written to logs/authenticate:
write_log('authenticate', $_SERVER['REQUEST_URI'] . "; changed = " . date('r', $SESS_CHANGED) . "; valid = $valid");
With this info I might be able to find the "real" reason for the session timeout problem.
Regards, Thomas
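
An added example, not part of the original thread or of Roundcube's code: a small Python script that reads the diagnostic lines produced by the write_log() call above and re-evaluates the quoted expiry condition for each rejected request. The "[<log time>]: " prefix, the 10-minute lifetime used in the test and the sample lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime
from email.utils import parsedate_to_datetime

# Constructed sample lines. Assumed shape: "[<log time>]: " followed by the
# message built by the write_log() call quoted in the thread.
SAMPLE = [
    "[12-Mar-2008 10:00:05 +0100]: /?_task=mail; changed = Wed, 12 Mar 2008 09:59:10 +0100; valid = 1",
    "[12-Mar-2008 10:20:00 +0100]: /?_task=mail; changed = Wed, 12 Mar 2008 10:05:00 +0100; valid = ",
    "[12-Mar-2008 10:21:00 +0100]: /?_task=mail; changed = Wed, 12 Mar 2008 10:20:30 +0100; valid = ",
]

LINE_RE = re.compile(
    r"^\[(?P<logged>[^\]]+)\]: (?P<uri>.*); changed = (?P<changed>.*?); valid =\s*(?P<valid>\S*)\s*$"
)

def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "logged": datetime.strptime(m["logged"], "%d-%b-%Y %H:%M:%S %z"),
        "uri": m["uri"],
        "changed": parsedate_to_datetime(m["changed"]),  # PHP date('r') is RFC 2822
        "valid": m["valid"] == "1",  # PHP interpolates true as "1", false as ""
    }

def expired(entry, lifetime_minutes):
    # Same test as the quoted line: changed + lifetime*60 < time()
    if not lifetime_minutes:
        return False
    age = (entry["logged"] - entry["changed"]).total_seconds()
    return age > lifetime_minutes * 60

def classify(lines, lifetime_minutes):
    results = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        if entry["valid"]:
            verdict = "ok"
        elif expired(entry, lifetime_minutes):
            verdict = "expired"
        else:
            verdict = "rejected-other"
        results.append((entry["logged"].strftime("%H:%M:%S"), verdict))
    return results
```

A "rejected-other" verdict means the session was refused while the changed date was still inside the lifetime window, so something other than the expiry line set $valid to false.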