I was finally able to test this and after some work I could actually replicate it pretty consistently. So I looked into it and it's due to a pesky browser limitation with the samesite attribute within the cookies. A previous commit was made to address login issues via iframes and that commit introduced the samesite attribute to the cookie. However, at the time of making the commit I didn't realize that browsers were starting to punish people using samesite=None, ergo why it doesn't work. So if you apply the below patch, clear all sessions, log in again, wait for the timeout to expire, get timed out, and log in again, it should actually let you in instead of denying you over and over:
diff --git a/include/class.ostsession.php b/include/class.ostsession.php
index c6a72128..3d732249 100644
--- a/include/class.ostsession.php
+++ b/include/class.ostsession.php
@@ -259,7 +259,7 @@ class osTicketSession {
'domain' => ini_get('session.cookie_domain'),
'secure' => ini_get('session.cookie_secure'),
'httponly' => ini_get('session.cookie_httponly'),
- 'samesite' => !empty($ost->getConfig()->getAllowIframes()) ? 'None' : 'Strict'
+ 'samesite' => !empty($ost->getConfig()->getAllowIframes()) ? 'Lax' : 'Strict'
];
setcookie(session_name(), session_id(), $opts);
// Trigger expire update - neeed for secondary handlers that only
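Review bot: changing the allow-iframes branch from 'None' to 'Lax' removes the cookie from exactly the case that setting exists for: browsers do not send SameSite=Lax cookies on cross-site framed requests, so a login embedded in a third-party iframe will still not see its session. What browsers actually reject is a SameSite=None cookie that lacks the Secure attribute, and in this hunk 'secure' is taken from `ini_get('session.cookie_secure')`, which is off on a default PHP install. Suggest keeping 'None' for the iframe case and forcing Secure alongside it, e.g. `'secure' => !empty($ost->getConfig()->getAllowIframes()) || ini_get('session.cookie_secure'),`, and noting in the admin docs that iframe embedding then requires the helpdesk to be served over HTTPS.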
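To make the None-requires-Secure rule explicit, here is an added example of building the session-cookie options so that SameSite=None is never emitted without Secure. This is not osTicket code; the function name, its parameters and the Lax fallback are assumptions for illustration, and only the ini keys already used in the patch are read.

```php
<?php
// Added example, not part of osTicket. buildSessionCookieOptions() and its
// parameters are hypothetical names chosen for this illustration.

function buildSessionCookieOptions(bool $allowIframes, bool $requestIsHttps): array
{
    // Cross-site iframes need SameSite=None: Lax and Strict cookies are not
    // sent on cross-site framed requests at all, so the embedded login
    // would never see its session.
    $sameSite = $allowIframes ? 'None' : 'Strict';

    // Browsers drop a SameSite=None cookie that is not also Secure, and a
    // Secure cookie is only honoured when set over HTTPS.
    $secure = (bool) ini_get('session.cookie_secure');
    if ($sameSite === 'None') {
        if ($requestIsHttps) {
            $secure = true;
        } else {
            // None+Secure cannot be satisfied on plain HTTP. Fall back to Lax
            // so top-level logins still work and leave a trace for the admin;
            // the iframe case genuinely needs HTTPS.
            error_log('session cookie: SameSite=None requires HTTPS; falling back to Lax');
            $sameSite = 'Lax';
        }
    }

    return [
        'lifetime' => 0,
        'path'     => ini_get('session.cookie_path') ?: '/',
        'domain'   => ini_get('session.cookie_domain'),
        'secure'   => $secure,
        'httponly' => true,
        'samesite' => $sameSite,
    ];
}

// Usage mirroring the patched call site; $allowIframes would come from the
// application's configuration.
$allowIframes = true;
$options = buildSessionCookieOptions($allowIframes, !empty($_SERVER['HTTPS']));
setcookie(session_name(), session_id(), $options);
```

The fallback keeps the top-level login working on plain HTTP, but it cannot rescue the embedded case: with Lax the framed request still carries no cookie, which is why the only real fix for iframe logins is serving the site over HTTPS with the cookie marked Secure.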