We are running a Mattermost server on an Ubuntu 16.4 EC2 server with RDS DB. Our users have been reporting “random” logouts from both desktop and mobile clients, which results in missed notifications/messages.
I have set Session Length AD/LDAP and Email (days) AND Session Length Mobile (days) to 365, but users are still reporting logouts.
My question is what is the expected behavior with regard to logout events with the above settings in place? Is there a way to search the logs for logout/login events to try and narrow down the timing/cause of a user logout or session termination? Should I be looking at our nginx config for clues here even though we are not getting any websocket-related errors?
I have searched through our logs with the uid of one of our users who has reported the issue but cannot find any evidence of a logout event (file log level is set to DEBUG). However, I am seeing DEBG entries “websocket.read: client side closed socket” for a lot of our users, though I suspect this is normal behavior when internet access is interrupted.
Any help or input here would be greatly appreciated as this has become a major pain point for our MM users.
Steps to reproduce
Unable to reproduce the issue.
Expected behavior
Users stay logged into their desktop and mobile clients for the full duration specified by the “AD/LDAP and Email (days)” AND “Session Length Mobile (days)” config settings.
Observed behavior
Users report logouts from desktop and mobile clients.
Unfortunately I do not have the client versions for everyone that has reported the logout problem, but I do know that some users are running the Android client. We also have a lot of users on the OSX client, but again I cannot verify the client versions for all of our users…
“From a security perspective, session expiry is to invalidate existing sessions that may have been compromised. These are absolute timeouts, not renewal timeouts. Increasing them is a balance between security and usability.”
I am still wondering if the issue described above is expected behavior relative to our existing session duration settings. Is there additional security in place that would cause a user logout event within the session duration timeframe?