invalid session key loop with oAuth 2 through Microsoft.

by Nikolaas Dries -

Hello


Several (but not all) users have reported the following issue. When attempting to log in to the website they get an 'invalid session key' error. The page they land on suggests that they should try again. When they try again, the same thing happens. It seems they get stuck in a loop.

I have experienced this myself. The strange thing is: when I wanted to log on to this forum to write this very post, I got the same error. After two failed logins I got in.

Some details:

The page you land on after the error tells me my session may have timed out. When I click the link for more details the exact error is:

Moodle version: 3.2.1 (waiting for summer break to update)
Server: shared hosting (for now), linux

There has not been a recent update or change in settings.

What have I tried:
  • Different browsers (as user)
  • Clearing browser cache (as user)
  • Clearing session files on server.
  • Ran clean session script on the server
The website suggested this:
  1. Your site doesn't have the PHP setting "session.auto_start=0" (see Installing Moodle - software)
    As far as I can see, it does. (Because it is shared hosting, I have asked my hosting company to verify this.)
  2. You logged out at some time between opening the form and submitting it.
    I don't think this applies, as we are talking about logging in.
  3. You have followed a bad link to a form script.
    I did see a forum post somewhere about oAuth2 with Google and a link that got too long. Something about maximum length of an argument string.
    If this is the problem, I don't see what I can do here.

  4. Your database has an incorrect value for sessioncookiepath in the mdl_config table.
    Can anyone point me to an article about this?
  5. You edited the code in a file on the server while logged in to your moodle website
    No code was edited by me.

Any ideas?

In reply to Nikolaas Dries

Re: invalid session key loop with oAuth 2 through Microsoft.

by Robert Schrenk -

Hello,

We suffer from exactly the same issue. OAuth Login with Microsoft worked without any problems for months, but suddenly the Login randomly fails showing the "invalid sesskey"-message.

Have you figured out how to solve this?

Kind regards

In reply to Robert Schrenk

Re: invalid session key loop with oAuth 2 through Microsoft.

by Nikolaas Dries -
Well ... in our case it seems that we were a bit click happy.

This is what works for us now:
  1. Surf to the moodle login page.
  2. Click the Microsoft-button to login.
  3. Wait ... until it has finished searching for, what I guess, are open sessions. So if I'm already signed on (to Microsoft sso) in the browser, I don't have to click anything else. After a short wait I get redirected to my Moodle homepage.

Just last week I had a conversation with our programmer. He took a look at this process because he wants to make a similar login page for some of our own services. His opinion is that there is nothing else that can be done besides just pacing yourself.

(It takes quite a lot of self control not to just click your name when you see it appear).

I hope this works for you as well. If there's something I'm missing, please tell me. Anything to make it go a bit faster.

Average of ratings: Useful (1)
In reply to Nikolaas Dries

Re: invalid session key loop with oAuth 2 through Microsoft.

by Robert Schrenk -

Ok - do I understand you correctly:

When we start the login-process and have more than one potential microsoft-account, then microsoft automatically uses an account that is considered as "active" within the microsoft-system and tells Moodle in the background. If the user logs in in the meanwhile Microsoft will send another message in the background to Moodle, but in the meanwhile our session has changed because of the first attempt.

This would sound logical.

In reply to Robert Schrenk

Re: invalid session key loop with oAuth 2 through Microsoft.

by Nikolaas Dries -
I must confess that I didn't get to the bottom of this.
It is probably more correct to say that the logon procedure looks for any active accounts. Even if there is only one.
In our environment we work with user profiles on Windows. It is not very common for these accounts to have more than one Microsoft used in them. (One user, one user profile in active directory, one Microsoft-account).
The rest of your conclusion sounds about right, although I think some more proficient programmers might be able to give more details.
In reply to Nikolaas Dries

Re: invalid session key loop with oAuth 2 through Microsoft.

by Robert Schrenk -
Hello,

Finally I found a solution for that problem. You can pass a parameter to the microsoft-login that disables the auto-login. Edit your oauth-issuer for Microsoft and add the following in the field "additional login parameters": "prompt=select_account". You find other possible values here: https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-implicit-grant-flow

Kind regards

Robert
Average of ratings: Useful (1)
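
The race proposed in this thread, and the effect of `prompt=select_account`, as a small model. This is an added example, not code from any poster and not Moodle's implementation. Assumptions: the `Session` class, the `moodle.example` host, the placeholder client id, and the two-redirect behaviour in `idp_responses` are constructed to mirror the explanation given above.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs, parse_qsl

# Microsoft identity platform v2.0 authorize endpoint ("common" tenant).
AUTHORIZE = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
CALLBACK = "https://moodle.example/admin/oauth2callback.php"  # constructed host


class Session:
    """Hypothetical stand-in for a server-side session holding a sesskey."""
    def __init__(self):
        self.rotate()

    def rotate(self):
        self.sesskey = secrets.token_hex(8)


def login_url(session, extra_params=""):
    """Build the authorization request; extra_params models the issuer field."""
    params = {"client_id": "CLIENT_ID_PLACEHOLDER", "response_type": "code",
              "redirect_uri": CALLBACK, "scope": "openid",
              "state": session.sesskey}
    params.update(parse_qsl(extra_params))
    return AUTHORIZE + "?" + urlencode(params)


def idp_responses(url):
    """Assumed IdP behaviour, per the thread: without a prompt value a silent
    sign-in answers first and the user's click produces a second redirect."""
    q = parse_qs(urlparse(url).query)
    count = 1 if q.get("prompt") == ["select_account"] else 2
    return [CALLBACK + "?" + urlencode({"code": secrets.token_hex(4),
                                        "state": q["state"][0]})
            for _ in range(count)]


def handle_callback(session, callback_url):
    """Accept the callback only if state matches the current session key."""
    state = parse_qs(urlparse(callback_url).query)["state"][0]
    if not secrets.compare_digest(state, session.sesskey):
        return "invalid sesskey"
    session.rotate()  # a successful login regenerates the session
    return "logged in"


def simulate(extra_params=""):
    """Run every redirect the modelled IdP sends against one session."""
    session = Session()
    return [handle_callback(session, cb)
            for cb in idp_responses(login_url(session, extra_params))]
```

The second redirect fails because it still carries the key of the session that the first redirect already replaced; the state check itself is working as intended and should not be relaxed.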