Added cookie mismatch detection, display an error message informing the user to clear cookies

CHANGELOG

@@ -3,6 +3,7 @@ CHANGELOG Roundcube Webmail
 
 - Update to jQuery 3.4.0
 - Clarified 'address_book_type' option behavior (#6680)
+- Added cookie mismatch detection, display an error message informing the user to clear cookies
 - Password: Added ldap_exop driver (#4992)
 - Elastic: Add Prev/Next buttons on message page toolbar (#6648)
 - Elastic: Close search options on Enter key press in quick-search input (#6660)

index.php

@@ -205,24 +205,14 @@ else if ($RCMAIL->task == 'logout' && isset($_SESSION['user_id'])) {
 else if ($RCMAIL->task != 'login' && $_SESSION['user_id']) {
     if (!$RCMAIL->session->check_auth()) {
         $RCMAIL->kill_session();
-        $session_error = true;
+        $session_error = 'sessionerror';
     }
 }
 
 // not logged in -> show login page
 if (empty($RCMAIL->user->ID)) {
-    // log session failures
-    $task = rcube_utils::get_input_value('_task', rcube_utils::INPUT_GPC);
-
-    if ($task && !in_array($task, array('login','logout'))
-        && !$session_error && ($sess_id = $_COOKIE[ini_get('session.name')])
-    ) {
-        $RCMAIL->session->log("Aborted session $sess_id; no valid session data found");
-        $session_error = true;
-    }
-
-    if ($session_error || $_REQUEST['_err'] == 'session') {
-        $OUTPUT->show_message('sessionerror', 'error', null, true, -1);
+    if ($session_error || $_REQUEST['_err'] === 'session' || ($session_error = $RCMAIL->session_error())) {
+        $OUTPUT->show_message($session_error ?: 'sessionerror', 'error', null, true, -1);
     }
 
     if ($OUTPUT->ajax_call || $OUTPUT->get_env('framed')) {

program/include/rcmail.php

@@ -716,6 +716,40 @@ class rcmail extends rcube
         }
     }
 
+    /**
+     * Detects session errors
+     *
+     * @return string Error label
+     */
+    public function session_error()
+    {
+        // log session failures
+        $task = rcube_utils::get_input_value('_task', rcube_utils::INPUT_GPC);
+
+        if ($task && !in_array($task, array('login', 'logout')) && ($sess_id = $_COOKIE[ini_get('session.name')])) {
+            $log   = "Aborted session $sess_id; no valid session data found";
+            $error = 'sessionerror';
+
+            // In rare cases web browser might end up with multiple cookies of the same name
+            // but different params, e.g. domain (webmail.domain.tld and .webmail.domain.tld).
+            // In such case browser will send both cookies in the request header
+            // problem is that PHP session handler can use only one and if that one session
+            // does not exist we'll end up here
+            $cookie          = rcube_utils::request_header('Cookie');
+            $cookie_sessid   = $this->config->get('session_name') ?: 'roundcube_sessid';
+            $cookie_sessauth = $this->config->get('session_auth_name') ?: 'roundcube_sessauth';
+
+            if (substr_count($cookie, $cookie_sessid.'=') > 1 || substr_count($cookie, $cookie_sessauth.'=') > 1) {
+                $log .= ". Cookies mismatch";
+                $error = 'cookiesmismatch';
+            }
+
+            $this->session->log($log);
+
+            return $error;
+        }
+    }
+
     /**
      * Auto-select IMAP host based on the posted login information
      *

program/localization/en_US/messages.inc

@@ -19,6 +19,7 @@ $messages['errortitle']  = 'An error occurred!';
 $messages['loginfailed']  = 'Login failed.';
 $messages['cookiesdisabled'] = 'Your browser does not accept cookies.';
 $messages['sessionerror'] = 'Your session is invalid or expired.';
+$messages['cookiesmismatch'] = 'Cookies mismatch detected. Clear cookies in your browser, please.';
 $messages['storageerror'] = 'Connection to storage server failed.';
 $messages['servererror'] = 'Server Error!';
 $messages['servererrormsg'] = 'Server Error: $msg';