Support #4554
openAuthorization lost on opening multiple tabs at the same time
0%
Description
I'm using Wt::Auth module with auth tokens (cookies).
In my app I have reload-is-new-session option set to true.
When I open multiple tabs at the same time, the auth cookie eventually gets lost. It seems to me that when the first opened tab is updating the cookie and its hash in DB, the second one can't find the user with the old auth token and clears the cookie.
AuthModel::processAuthToken updates the cookie, and in my case it happens in every Wt session every time I open a new tab. I want the auth session to be persistent across multiple Wt sessions in the same browser.
Am I doing something wrong? Should the auth cookie be updated in every Wt session?
Updated by Koen Deforche over 8 years ago
- Status changed from New to Feedback
That sounds like a bug: there is only one cookie per browser which is automatically shared by all tabs. That means that if a second tab updates the cookie, it's updated for all tabs (and there should not be any requests with an 'old' cookie). An auth cookie will always be updated when it's used (as a security measure), so that's normal.
Wt 3.3.1 is already quite old, so I'm not sure if something was fixed since 3.3.1 which explains the misbehavior. Can you see if you have the same issues still with Wt 3.3.5(rc2) ?
Updated by Alan Finley over 8 years ago
I can reproduce this issue in auth1 example for Wt 3.3.5(rc2).
Steps to reproduce:
- Build auth1 example from
examples/feature/auth1 - Register a new user.
- Check the 'Remember me' option and login as the registered user having checked.
- Quickly reload page several times. It can be done by hitting F5 or creating an anchor pointing to the root page and hitting it with the middle mouse button to open another tab.
- The auth cookie gets lost and the user is no more logged in.
Updated by Alan Finley over 8 years ago
As a workaround I've added token last update date column to the auth token DB table. In my processAuthToken call I check that date and update tokens and cookies only if the were updated previous time earlier than some interval (30 seconds).
Updated by Alan Finley over 8 years ago
Alan Finley wrote:
As a workaround I've added token last update date column to the auth token DB table. In my
processAuthTokencall I check that date and update tokens and cookies only if the were updated previous time earlier than some interval (30 seconds).
Finally that didn't help. This workaround only delays cookie loss by 30 seconds.
Another option is to have a static cookie cache inside an application that stores old-updated cookie pairs. If the auth service can't find user by a cookie value return from WEnvironment::getCookieValue, it tries to get the updated cookie value from that cache and then searches for user again.