User gets logged out on page refresh

Summary

Using Apache reverse proxy on fresh install with email/passowrd- every time user logs in and browser page is refreshed user is logged out. ( also opening new tab in same browser asks for login again ). If page is not refreshed everything works- sending messages , using system console etc.

Steps to reproduce

How can we reproduce the issue (what version are you using?)

Mattermost:
Version: 5.1.0
Build Number: 5.1.0
Build Date: Fri Jul 13 19:03:45 UTC 2018
Build Hash: 54994502241bf40bebd9a9d7719c58f708aef5b1
Build Enterprise Ready: true
DB Version: 5.1.0

Proxy : Apache/2.4.10 ( Debian ) on separate server.

Apache vhost config:

<VirtualHost xxx.xxx.xxx.xxx:80>
    ServerName some.sub.domain
    ServerAdmin xxx@xxx.xx

    ErrorLog ${APACHE_LOG_DIR}/mattermost-error.log
    CustomLog ${APACHE_LOG_DIR}/mattermost-access.log combined

    # Enforce HTTPS:
    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
</VirtualHost>
<VirtualHost xxx.xxx.xxx.xxx:443>
    ServerName some.sub.domain
    ServerAdmin xxx@xxx.xx

    ErrorLog ${APACHE_LOG_DIR}/mattermost-error.log
    CustomLog ${APACHE_LOG_DIR}/mattermost-access.log combined

    RewriteEngine On
    RewriteCond %{REQUEST_URI} ^/api/v[0-9]+/(users/)?websocket [NC,OR]
    RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC,OR]
    RewriteCond %{HTTP:CONNECTION} ^Upgrade$ [NC]
    RewriteRule .* ws://192.168.0.29:8065%{REQUEST_URI} [P,QSA,L]
    RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f
    RewriteRule .* http://192.168.0.29:8065%{REQUEST_URI} [P,QSA,L]
    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader set X-Forwarded-Ssl 'on'

    RequestHeader unset If-Modified-Since
    RequestHeader unset If-None-Match

    <LocationMatch "/api/(?<version>v[0-9]+)/(?<users>users/)?websocket$">
            Require all granted
            ProxyPassReverse ws://192.168.0.29:8065/api/v%{env:MATCH_VERSION}/%{env:MATCH_USERS}websocket
            ProxyPassReverseCookieDomain 192.168.0.29 some.sub.domain
    </LocationMatch>
    <Location />
            Require all granted
            ProxyPassReverse http://192.168.0.29:8065/
            ProxyPassReverseCookieDomain 192.168.0.29 some.sub.domain
    </Location>
    SSLEngine on

    SSLCertificateFile /etc/apache2/server.crt  # valid trusted  certificate
    SSLCertificateKeyFile /etc/apache2/server.key
    SSLCertificateChainFile /etc/apache2/gd_bundle-g2-g1.crt

    ProxyPreserveHost On
    ProxyRequests Off
 </VirtualHost>

In mattermost config SiteURL is set to “some.sub.domain”.

Mattermost log:

{"level":"info","ts":1533836758.4524226,"caller":"mux/mux.go:162","msg":"Invalid session","error":"GetSession: Invalid session token=t8m9pyxb43deigaty8tnwybanw, err=<no value>, "}
{"level":"info","ts":1533836765.1927357,"caller":"mux/mux.go:162","msg":"Invalid session","error":"GetSession: Invalid session token=15or6ies5fyedd7yuimp87hpxo, err=<no value>, "}
{"level":"error","ts":1533836768.9420962,"caller":"app/websocket_router.go:94","msg":"websocket routing error: seq=1 uid= WebSocket connection is not authenticated. Please log in and try again. [details: ]"}
{"level":"info","ts":1533836769.7385144,"caller":"mux/mux.go:162","msg":"Invalid session","error":"GetSession: Invalid session token=r1ro6ywifbfffbfm3heutpktpr, err=<no value>, "}
{"level":"error","ts":1533836772.8043542,"caller":"app/websocket_router.go:94","msg":"websocket routing error: seq=1 uid= WebSocket connection is not authenticated. Please log in and try again. [details: ]"}
{"level":"info","ts":1533836773.4485762,"caller":"mux/mux.go:162","msg":"Invalid session","error":"GetSession: Invalid session token=tmjrn16fjpynfxd8do3yc5x4rc, err=<no value>, "}
{"level":"error","ts":1533836789.3535001,"caller":"web/handlers.go:142","msg":"Invalid or missing channel_id parameter in request URL","path":"/api/v4/channels/posts","request_id":"uw48b6atk7rnjmoh577kosqwjy","ip_addr":"xxx.xxx.xxx.xxx","user_id":"h4cu98hajpdziqfoc74o489ido","method":"GET","err_where":"Context","http_code":400,"err_details":""}
{"level":"info","ts":1533836791.8211064,"caller":"mux/mux.go:162","msg":"Invalid session","error":"GetSession: Invalid session token=au7i6m57xtg8u8bue7bq84sxbr, err=<no value>, "}
session","error":"GetSession: Invalid session token=pqbxfukzrjgpinpq1dngxcwrjh, err=<no value>, "}

Hi @myhkam, thanks for reaching out!

Can you also help share your Session related settings?

    "SessionLengthWebInDays": 30,
    "SessionLengthMobileInDays": 30,
    "SessionLengthSSOInDays": 30,
    "SessionCacheInMinutes": 10,
    "SessionIdleTimeoutInMinutes": 70,

This sounds similar to this ticket except the issue there is with desktop app / mobile: https://mattermost.atlassian.net/browse/MM-11319.

@myhkam Do you see any browser console errors in addition to the server logs you shared?

Only info in console:

After logging in
21:22:49.696 websocket connecting to wss://chat.xxx.xx/api/v4/websocket websocket_client.jsx:35:12 

After/on reloading page 
21:23:04.664 websocket closed 0.04f385f9485b24b06ab9.js:1:803014
21:23:04.740 Navigated to https://chat.xxx.xx/webware/channels/town-square
21:23:06.765 websocket connecting to wss://chat.xxx.xx/api/v4/websocket websocket_client.jsx:35:12 

I can log in from both app and browser, and both will work fine side by side, buf if I refresh either of them it will log out that one.

@myhkam Letting you know that I’ve asked our devs and any community members to look at this and I’ll let you know once I get feedback.

@myhkam That sounds like there may be a problem either passing or storing one of the two tokens needed by the client since the browser needs both of those to remember that it’s logged in. I’m not familiar with how Apache’s routing works, but you’d need to make sure that the MMAUTHTOKEN and MMUSERID cookies make it through to the client. If you you’re using Chrome, you can click on the “Secure” to the left of the address bar, click on Cookies, and then find them for your server where they should look like this
image