Support #2997

Token hash collision

Added by Евгений Илюшин almost 9 years ago. Updated over 8 years ago.

Hi, on my server the exception "Wt: error during event handling: Token hash collision" occurs very often, after these queries:

select u."id", u."version", u."user_ref", u."password_hash", u."password_method", u."password_salt", u."status", u."failed_login_attempts", u."last_login_attempt", u."email", u."unverified_email", u."email_token", u."email_token_expires", u."email_token_role" from "auth_info" u join "auth_identity" i on = i.auth_info_id where (i.provider = $1) and (i.identity = $2)
update "auth_info" set "version" = $1, "user_ref" = $2, "password_hash" = $3, "password_method" = $4, "password_salt" = $5, "status" = $6, "failed_login_attempts" = $7, "last_login_attempt" = $8, "email" = $9, "unverified_email" = $10, "email_token" = $11, "email_token_expires" = $12, "email_token_role" = $13 where "id" = $14 and "version" = $15
select count(1) from "auth_token"  where (value = $1)

This only happens when "Remember me" is selected.

After cleaning the auth_token table it works excellently.

Sometimes I have to clean cookies.

How to avoid this error?


Updated by Koen Deforche almost 9 years ago

  • Status changed from New to Feedback
  • Assignee set to Koen Deforche


Either there's a programming error or the hashing function you are using is not well configured. What hashing function do you use and how long are the tokens that you allow? A hash collision should be extremely rare provided the hashing function and random generator are good and the tokens are sufficiently long? How many tokens do you have in the database when this occurs?




Updated by Евгений Илюшин almost 9 years ago

In auth_token there are more than 50 records per authInfo id.

I run this query to remove all old tokens after connecting.

dbo::Transaction transaction(session_);
dbo::ptr<AuthInfo> authInfo = users_->find(login_.user());
session_.execute("delete from auth_token where auth_info_id = ? and id not in (select id from auth_token where auth_info_id = ? order by expires desc limit 1)").bind(;

And now I don't have token collisions!

I think it's not the best solution :)


Updated by Евгений Илюшин over 8 years ago

Hi!

I got a new problem.

Users who had a saved session open the web page and are logged in as other users!

How could this happen?


Updated by Koen Deforche over 8 years ago


This all sounds suspect. I have no explanation for any of this, but what version of Wt are you using, in fact?

And what database?




Updated by Евгений Илюшин over 8 years ago

Version from 28-11-2013 Wt-3.3.0-rc3

Database PostgreSQL 9.0.10

I got the reverse side of this problem: after opening the web site, the user sees a white page, and the log file has the record "Wt: fatal error: Query: resultValue(): more than one result". If the cookies are cleaned and F5 is pressed, the web page loads normally.


Updated by Koen Deforche over 8 years ago


Wt version 3.3.0 indeed did not clean cookies, this has since been implemented (see #1763).

Nevertheless I would not expect to see these problems --- unless your cookie id's are really short?

Btw. Wt-3.3.0-rc3 is from April 2013, not November?
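
Added example (not part of the thread and not Wt's own code): the relationship between token length and collision likelihood raised in the replies above, worked through in C++. It assumes stored token hashes behave as uniformly random values of a fixed width; all function names are hypothetical.

```cpp
// Added illustration, not Wt code: models stored token hashes as uniformly
// random values of a given width (an assumption about a well-configured hash).
#include <cmath>
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <random>
#include <unordered_set>

// Birthday bound: probability that n uniform values of `bits` bits contain at
// least one duplicate, p = 1 - exp(-n(n-1) / 2^(bits+1)).
double collisionProbability(double n, int bits) {
    return -std::expm1(-n * (n - 1.0) / std::ldexp(1.0, bits + 1));
}

// Smallest width in bits that keeps p at or below maxP for n stored tokens.
int minimumBits(double n, double maxP) {
    int bits = 1;
    while (collisionProbability(n, bits) > maxP) ++bits;
    return bits;
}

// Mimics the insert-time existence check seen in the log
// (select count(1) from "auth_token" where (value = $1)): counts how many of n
// new values are already present. mt19937_64 only stands in for uniformly
// distributed hash output here; it is not a token generator.
std::size_t rejectedInserts(std::size_t n, int bits, std::uint64_t seed) {
    std::mt19937_64 rng(seed);
    const std::uint64_t mask = bits >= 64 ? ~0ULL : (1ULL << bits) - 1;
    std::unordered_set<std::uint64_t> stored;
    std::size_t rejected = 0;
    for (std::size_t i = 0; i < n; ++i)
        if (!stored.insert(rng() & mask).second) ++rejected;
    return rejected;
}

int main() {
    std::cout << "p(50 tokens, 128 bits)    = " << collisionProbability(50, 128) << "\n"
              << "p(100000 tokens, 16 bits) = " << collisionProbability(100000, 16) << "\n"
              << "rejected at 16 bits: " << rejectedInserts(100000, 16, 1) << "\n"
              << "rejected at 64 bits: " << rejectedInserts(100000, 64, 1) << "\n"
              << "bits for 1e6 tokens, p <= 1e-18: " << minimumBits(1e6, 1e-18) << "\n";
}
```

Under this model a table of a few dozen tokens per user cannot plausibly produce collisions at full hash width, so frequent collision errors point to truncated or short values, a weak random source, or duplicate rows, rather than to chance.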


