  1. Moodle
  2. MDL-66175

Invalidsesskey error if starting oauth2 login process when already logged in

    Details

    • Type: Bug
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 3.6.3
    • Fix Version/s: None
    • Component/s: Authentication
    • Labels:
    • Affected Branches:
      MOODLE_36_STABLE

      Description

      DESCRIPTION
      The user has the Moodle login page open in a browser tab but is already authenticated to Moodle in another tab. If the user attempts to initiate the oauth2 login process from the second tab, an "invalidsesskey" error is received:

       Your session has most likely timed out. Please log in again.
          Debug info:
          Error code: invalidsesskey
          Stack trace:
          line 494 of /lib/setuplib.php: moodle_exception thrown
          line 85 of /lib/sessionlib.php: call to print_error()
          line 30 of /auth/oauth2/login.php: call to require_sesskey()

      STEPS TO REPLICATE
      One time set-up:
      1. Set up an OAuth2 Microsoft service per the documentation, https://docs.moodle.org/36/en/OAuth_2_Microsoft_service.
      2. Open the Moodle login page, <rooturl>/login/index.php.
      3. Click Microsoft button.
      4. From Microsoft Pick an account page, use another account and enter username
      5. Enter password, leave "Stay signed in" unselected, and click Sign in. 
      6. Successfully redirected to Moodle.  A Moodle account is created for the user during this initial login.
      7. Logout.
      Replication:
      1. Close all Internet windows.
      2. Open new Chrome browser.
      3. Open the Moodle login page, <rooturl>/login/index.php.
      4. Click Microsoft button.
      5. From Microsoft Pick an account page, use another account and enter username
      6. Enter password, leave "Stay signed in" unselected, and click Sign in. 
      7. Successfully redirected to Moodle.
      8. Logout of Moodle.
      9. Open Tab2 and go to Moodle login page, <rooturl>/login/index.php
      10. Tab1: Click "Log in" and then click Microsoft button.  Microsoft Pick an account page briefly displays then successfully redirected back into Moodle.
      11. Tab2: click Microsoft button. 

      OBSERVED BEHAVIOR:
      Your session has most likely timed out. Please log in again.

          Debug info:
          Error code: invalidsesskey
          Stack trace:
          line 494 of /lib/setuplib.php: moodle_exception thrown
          line 85 of /lib/sessionlib.php: call to print_error()
          line 30 of /auth/oauth2/login.php: call to require_sesskey()

      EXPECTED BEHAVIOR:
      User logged in in second tab without error.

      REPLICATION LOCATIONS
      Replicated on 3.5.3 and 3.6.3.

      ADDITIONAL INVESTIGATION NOTES
      If the user tries to visit the login page while already authenticated to Moodle, the user receives a message stating "You are already logged in as <Name>, you need to log out before logging in as different user". However, if the user had already loaded the login page in multiple tabs while not authenticated to Moodle, this could allow for the opportunity to attempt oauth2 authentication while already logged in.

      Repeating the same process using manual authentication does not produce an error. When the user tries to log in again in the second tab, the login process proceeds normally without any errors.

      Based on user reports, I highly suspect that there are other scenarios with oauth2 authentication which produce this invalidsesskey error, but this is the only specific scenario I have been able to replicate.
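
A minimal model of the two-tab sequence from the replication steps, added here as an illustration; it is not Moodle code and not part of the original report. It assumes the sesskey lives in the server-side session and that completing a login replaces that session; every class and function name is hypothetical, and `start_oauth2_checked` is one possible ordering, not a fix taken from the tracker.

```python
import secrets

class SessionStore:
    """Server-side sessions keyed by the session cookie shared by all tabs."""
    def __init__(self):
        self.sessions = {}

    def new_session(self, user=None):
        sid = secrets.token_hex(8)
        self.sessions[sid] = {"user": user, "sesskey": secrets.token_hex(5)}
        return sid

    def login(self, old_sid, user):
        # Assumption: completing a login discards the guest session,
        # so the sesskey embedded in already-rendered pages goes stale.
        self.sessions.pop(old_sid, None)
        return self.new_session(user)

def render_login_page(store, sid):
    """Sesskey embedded in the OAuth2 button of a rendered login page."""
    return store.sessions[sid]["sesskey"]

def sesskey_ok(session, submitted):
    return session is not None and secrets.compare_digest(session["sesskey"], submitted)

def start_oauth2(store, sid, submitted):
    """Sesskey check first, modelled on the require_sesskey() call in the trace."""
    if not sesskey_ok(store.sessions.get(sid), submitted):
        return "invalidsesskey"
    return "redirect_to_idp"

def start_oauth2_checked(store, sid, submitted):
    """Hypothetical ordering: handle an authenticated session before the check."""
    session = store.sessions.get(sid)
    if session is not None and session["user"] is not None:
        return "already_logged_in"  # no state change, so no sesskey is needed
    return start_oauth2(store, sid, submitted)

def replay_two_tabs(handler):
    """Replay replication steps 9-11 and return what Tab2 receives."""
    store = SessionStore()
    cookie = store.new_session()                 # guest session after logout
    tab2_key = render_login_page(store, cookie)  # step 9: Tab2 loads the login page
    tab1_key = render_login_page(store, cookie)  # step 10: Tab1 loads the login page
    if handler(store, cookie, tab1_key) != "redirect_to_idp":
        raise RuntimeError("Tab1 should be allowed to start the OAuth2 flow")
    cookie = store.login(cookie, "student1")     # Tab1 returns from the provider
    return handler(store, cookie, tab2_key)      # step 11: Tab2 clicks the button
```
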

            People

            • Assignee:
              Unassigned
              Reporter:
              brian.winstead Brian Winstead
              Participants:
              Component watchers:
              Jake Dallimore, Jun Pataleta, Ryan Wyllie