Sessions and CSRF - osFAQ.org

Agent password reset page loops -- entering email/username refreshes the page and strips the token from the URL

Apply the session revert patch from: https://github.com/osTicket/osTicket/pull/6766/commits/416b548bd812188fec62c89fe8bfb0a3128731a1 to class.ostsession.php (remove the green/added lines, restore the red/removed lines). After patching: restart the web server and PHP-FPM, run TRUNCATE ost_session in the…

New user registration via a guest ticket link results in an infinite loop -- user cannot log in after clicking confirmation email

This is a known Guest User session conflict bug in v1.18.2. The guest session from the ticket view is not cleanly terminated before the new account session begins. The permanent…

Guest user token links to view tickets intermittently break -- the link works sometimes but redirects to login other times.

This is the known Guest User session bug in v1.18.2 caused by a session patch that was introduced to fix one problem and inadvertently broke another. Revert class.ostsession.php to the…

Session/authentication issues -- users get stuck in login loops, cannot log in, or are kicked out. Clearing cookies temporarily fixes it.

The root fix for v1.18.2 session issues is to revert the class.ostsession.php patch: https://github.com/osTicket/osTicket/pull/6766/commits/416b548bd812188fec62c89fe8bfb0a3128731a1 (remove lines added in green, restore lines removed in red). After patching: restart webserver and PHP-FPM,…

Guest user ticket access token links work sometimes but other times redirect to the login page where the user cannot log in. Clearing cookies fixes it.

This is the Guest User session bug in v1.18.2. Revert the session patch from: https://github.com/osTicket/osTicket/pull/6766/commits/416b548bd812188fec62c89fe8bfb0a3128731a1 (remove the green lines, restore the red lines in class.ostsession.php). After reverting: restart the webserver…

osTicket shows 'Authentication Required' error after upgrade from an old version. Clearing cookies fixes it temporarily but sessions expire quickly.

Truncate the ost_session table in the database and clear all browser cookies/cache/sessions (or use an incognito window). Disable 'Bind Agent Session to IP' in Admin Panel > Settings > Agents.…

Ticket links sent to end-users intermittently redirect to login or ask for email and ticket number instead of auto-authenticating.

Enable the auth token setting: Admin Panel > Settings > Tickets > enable the option that allows unauthenticated access via token. This is a known Guest User session issue in…

Authentication Required error on osTicket after upgrade. Agents get logged out and cannot log back in until browser cookies are manually cleared.

Disable 'Bind Agent Session to IP' (Admin Panel > Settings > Agents). TRUNCATE the ost_session table in the database. Clear all cache/cookies/sessions in the browser (or use an incognito window).…

'Authentication Required' loop on scp/login.php with 'Invalid CSRF Token' errors. Session works for a few minutes after truncating ost_session then fails again. Site is behind Cloudflare.

The root cause was a 'Header set Set-Cookie' directive in .htaccess that was overwriting all cookie headers and losing the PHP session variable. Changing 'Header set Set-Cookie' to 'Header add…

Agent/user sessions time out randomly after upgrading to 1.18.3. Default timeout is set to 0 but sessions still expire.

The session behavior flip-flopped across versions: v1.18.1 and below had Guest User session issues; the fix in v1.18.2 caused Agent/User session issues; v1.18.3 reverted back to only Guest User issues.…