Authentication error on OC_JSON::checkLoggedIn()

[tanghus]

Why does OC_User::isLoggedIn() return non-true (or whatever the ambiguous PHP value is) when calling OCP\JSON::checkLoggedIn() after a while (an hour or so)?

I keep getting

{"data":{"message":"Authentication error"},"status":"error"}

back when I haven't made an ajax request or refreshed for some time.

https://github.com/owncloud/core/blob/master/lib/json.php#L36

[blizzz]

maybe your session run out? Could be an Ajax triggered background job.

[tanghus]

I'm still logged in when I refresh, so the session should still be good. Or do I misunderstand PHPs session mechanism?

[blizzz]

No, you're right.

[arkascha]

Just want to add my description of aparently the same issue.
Thomas gave me the hint that this entry might be the same issue, I agree with that.
I cite my mail to the list below, since I think it can offer additional info:

---

since about 2 weeks I encounter a funny issue in git master when firing an
ajax request under certain circumstances:

ownClouds WebUI loads fine, but ajax requests fail. Error message:
{"data":{"message":"Authentication error"},"status":"error"}

Aparently this only happens when a session existed before and has expired.
When I use a reload inside the browser then the above issue happens. No
problem after a fresh login, so it is not an implementation problem of that
ajax script.

Secons aspect: when I get this error I would like to re-login (though that is
pretty annoying). So I now click the 'logout' button the page reloads instead
of sending me to the login page. I have to logout a second time to be
able to login again. After that procedure all works fine again, including the
ajax request. That problem started about 2 weeks ago, I cannot remember a
single incident like this before although I tested a lot with sessions and
expiration about 2 month ago when implementing the self-extending CSRF tokens
myself.
Since that CSRF-implementation has been altered (simplyfied) inbetween I dare
to say that most likely the issue has been introduced with those changes... I
suspect that unlike before the CSRF tokens are not refreshed any more in
background and expire. That is a big problem for apps that do not require a
full reload all the time but load only once.

[LukasReschke]

I'll look into this as soon as I have some spare time.

[arkascha]

I experienced this problem again today using an up to date git master (02.01.2013):
I aparently had a valid session, since I could reload (deep reload) the current app inside owncloud without problems and without being prompted for a re-login. However, the app was useless, since aparently all ajax requests failed.
The problem was fixed as soon as I forced a logout and made a re-login. All fine afterwards, so it clearly is not a problem of the apps code. Instead it appears the ajax requests fail due to a problem with the request tokens. Note that this token must have been reloaded when the whole app was refreshed in a full page reload (even a deep reload). Still it seems to be invalid...

[agners]

Just installed ownCloud 5.0.0 beta 1 on Ubuntu 12.04.2 LTS. I tried to upload a 180MiB file, which took about 10-20 minutes, but ended in Authentification error (actually in german, "Authentifizierungs-Fehler") each time I tried. The last time I refreshed in a second browser tab every five minutes. The upload then succeeded...
The installation is pretty much standard, no user database backend or anything additionally installed so far...

[BernhardPosselt]

Please reopen if the pull request didnt fix this

[tanghus]

As mentioned in #1938:
Why do we destroy the session at all? We've already had one lifebeat function that was removed because it didn't work if the PC was suspended or hibernated. To me it doesn't make much sense to destroy the session after a timeout, and then implement a way to prevent it.

[BernhardPosselt]

The main problem is that i want to keep the window open for instance when using the RSS reader. The session times out after a certain time according to frank because PHP. Thats why I've brought it back ;)

As for hibernation: This is a rare usecase and isnt annoying because it happens only when you hibernate.

[agners]

Thx, the issue at hand on my server is solved using latest github snapshot!

[agners]

Sorry, for me this message still appears. It's PITA to verify the bug since it takes so long to wait :-) But my problem seems to be related to the session id regeneration, so I created a new bug, see #1950