[PB-46094] Session Timeout on Windows Desktop App

[thomasSSSC]

Hi, my team self hosted passbolt. I'm having issues with session timeout, but only on the Windows App, the web app works fine. I was told by my company that they set the logout to 8 hours, but my desktop app will log me out after 5 or sometimes 1 hour. This doesn't seem to be a problem for anyone else.

This is the configuration of my company's passbolt:
System info:
– Server operating system name and version => Running in AWS EKS cluster on Debian GNU/Linux 12 (bookworm)
– Web server name and version => nginx/1.22.1
– Database server name and version => PostgreSQL 16.0 on x86_64-pc-linux-gnu
– Php version => PHP 8.2.18
– Passbolt version => 4.8.0

Healthcheck:

Healthcheck shell
Environment

[PASS] PHP version 8.2.18.
[PASS] PHP version is 8.1 or above.
[PASS] PCRE compiled with unicode support.
[PASS] Mbstring extension is installed.
[PASS] Intl extension is installed.
[PASS] GD or Imagick extension is installed.
[PASS] The temporary directory and its content are writable and not executable.
[PASS] The logs directory and its content are writable.

Config files

[PASS] The application config file is present
[WARN] The passbolt config file is missing in /etc/passbolt/
[HELP] Copy /etc/passbolt/passbolt.default.php to /etc/passbolt/passbolt.php
[HELP] The passbolt config file is not required if passbolt is configured with environment variables

Core config

[PASS] Cache is working.
[PASS] Debug mode is off.
[PASS] Unique value set for security.salt
[PASS] Full base url is set to https://*****
[PASS] App.fullBaseUrl validation OK.
[PASS] /healthcheck/status is reachable.

SSL Certificate

[PASS] SSL peer certificate validates.
[PASS] Hostname is matching in SSL certificate.
[PASS] Not using a self-signed certificate.

SMTP settings

[PASS] The SMTP Settings plugin is enabled.
[PASS] SMTP Settings coherent. You may send a test email to validate them.
[WARN] The SMTP Settings source is: env variables.
[HELP] It is recommended to set the SMTP Settings in the database through the administration section.
[WARN] The SMTP Settings plugin endpoints are enabled.
[HELP] It is recommended to disable the plugin endpoints.
[HELP] Set the PASSBOLT_SECURITY_SMTP_SETTINGS_ENDPOINTS_DISABLED environment variable to true.
[HELP] Or set passbolt.security.smtpSettings.endpointsDisabled to true in /etc/passbolt/passbolt.php.

JWT Authentication

[PASS] The JWT Authentication plugin is enabled.
[PASS] The /etc/passbolt/jwt/ directory is not writable.
[PASS] A valid JWT key pair was found.

GPG Configuration

[PASS] PHP GPG Module is installed and loaded.
[PASS] The environment variable GNUPGHOME is set to /var/lib/passbolt/.gnupg.
[PASS] The directory /var/lib/passbolt/.gnupg containing the keyring is writable by the webserver user.
[PASS] The server OpenPGP key is not the default one.
[PASS] The public key file is defined in /etc/passbolt/passbolt.php and readable.
[PASS] The private key file is defined in /etc/passbolt/passbolt.php and readable.
[PASS] The server key fingerprint matches the one defined in /etc/passbolt/passbolt.php.
[PASS] The server public key defined in the /etc/passbolt/passbolt.php (or environment variables) is in the keyring.
[PASS] There is a valid email id defined for the server key.
[PASS] The public key can be used to encrypt a message.
[PASS] The private key can be used to sign a message.
[PASS] The public and private keys can be used to encrypt and sign a message.
[PASS] The private key can be used to decrypt a message.
[PASS] The private key can be used to decrypt and verify a message.
[PASS] The public key can be used to verify a signature.
[PASS] The server public key format is Gopengpg compatible.
[PASS] The server private key format is Gopengpg compatible.

Application configuration

[PASS] Using latest passbolt version (4.8.0).
[PASS] Passbolt is configured to force SSL use.
[PASS] App.fullBaseUrl is set to HTTPS.
[PASS] Selenium API endpoints are disabled.
[PASS] Search engine robots are told not to index content.
[INFO] The Self Registration plugin is enabled.
[INFO] Registration is closed, only administrators can add users.
[PASS] The deprecated self registration public setting was not found in /etc/passbolt/passbolt.php.
[WARN] Host availability checking is disabled.
[HELP] Make sure this instance is not publicly available on the internet.
[HELP] Or set the PASSBOLT_EMAIL_VALIDATE_MX environment variable to true.
[HELP] Or set passbolt.email.validate.mx to true in /etc/passbolt/passbolt.php.
[PASS] Serving the compiled version of the javascript app.
[WARN] Some email notifications are disabled by the administrator.
[PASS] The database schema up to date.

Database

[PASS] The application is able to connect to the database
[PASS] 31 tables found.
[PASS] Some default content is present.

[PASS] No error found. Nice one sparky!

[krzys128]

You are not alone ;). I've experienced the same problem. I supposed connection would be cut by some firewalls/other network timeouts. So I asked our network team to diagnose network traffic between windows app and Passbolt server.
As the result they pointed that Windows application after 10-15 minutes of inactivity sends FIN packet to the Passbolt server and close TCP connection :( I have already asked about it in Passbolt forum but .. not asnwer until now .

[scadra]

Hey @thomasSSSC,

Is the problem still present ?

@krzys128,

Sorry for the delay, we will need more informations about your use case. Looks the alarm use to check the session is not running on your case. I propose to jump to your topic.

[scadra]

A ticket PB-35224 has been created to track this topic

[thomasSSSC]

Yes this issue still persists @scadra. Passbolt logs me out as soon as I close the app or even when I wait an hour.

[krzys128]

@thomasSSSC - join our discussion on passbolt community and share your case .

[scadra]

@thomasSSSC

It is expected when the app is closed to be logout. Regarding the issue we have tried to reproduce the issue without success and we need more clarification :

• Your app comes from the windows app ?
• Do you have limitation regarding the windows system ? Limitation ? Sleep mode forced ?

The objective is to find a solution to unblock you and to reproduce this issue. A debug version should comes to the next release which should allows us to track the timeout.

Just for some clarification, for the moment the windows app is not build to support low privilege configuration (RDS,...)

[scadra]

@thomasSSSC

A new debug tools has been released to support this kind of use case : See the release download.

Is it possible for you to download it and check on the background devtools the different calls before signout automaticly ?

Thanks in advance

[scadra]

@thomasSSSC a fix has been deployed with the new release 1.4.0

[thomasSSSC]

Hi @scadra, I apologize for my late reply. I will check the release to confirm the issue was fixed. And if not I would be happy to respond more frequently to your questions and to work more closely with you on tackling this problem.

[thomasSSSC]

I just tested and I'm still facing the same issue. I confirmed the version for the Passbolt Desktop app is 1.4.0.0

[scadra]

Can you confirm you do not have error into the console when using the debug version ?
And can you send the duration when you are logout ?

[thomasSSSC]

I reached out to my IT department, and was told I need a Developer License to install and run the Debug tool passbolt-windows_1.4.0.0_Debug.zip. Is there an alternative option?