-
-
Notifications
You must be signed in to change notification settings - Fork 3.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Race condition on refresh with multiple tabs #22360
Comments
This bug seems to be isolated to Chrome based browsers. And once you're pulling the tab out into a new window these can be considered 2 browsers (and looks like they may no longer share a cookie storage) this should not be an issue for 2 tabs withing the same browser/window. |
I've been triaging this a bit, and too me it looks like it is indeed a race condition. In the I don't think this is related to it being in different windows and not sharing cookies. |
Im seeing the same however both windows end up with different cookies (one updated, and failed so not updated). Both windows ending up with different cookies for the same session would lose the ability for one tab to refresh the cookie and the other to pick it up, like they do as tabs on the same window, requiring them to have their own individual sessions. There are some things we could do to avoid the race condition itself however if these windows dont share a cookie storage that is a deeper problem and will keep causing one window to invalidate the other while they are sharing a session, on any refresh down the line not just this race condition. |
This is not what I'm seeing on my machine. See the attached video. I've got two Chrome windows open, first triggering a token refresh in one window, then in the second window. The refresh in the second window uses the cookie that was set in the first window. Or am I missing something here? Screen.Recording.2024-05-03.at.12.36.22.mov |
If so then the second refresh shouldnt be failing as it would be a valid token. I am having some trouble reproducing the issue today so will need some more research. |
Something along these lines is happening to us pretty regularly. It does seem to be related to multiple tabs, though I can't understand why. |
The same thing happens to me when I'm working on a collection and sometimes get redirected to the login page when I save the collection, but I don't get any specific error message indicating a problem. |
That actually sounds like an unrelated problem, if it specifically happens when saving a collection. You might want to leave the network tab of you developer tools open to see if there is any specific, failing request. And if it is unrelated open a separate issue. |
is this specifically related to 10.11.0 for you? i am experiencing a new issue that has the related invalid token error, but nothing to do with tabs or windows. it only took the first launch of the day (from a shutdown) for me to encounter this. i'm theorizing it could be a regression from #22353 |
Thats not a regression but rather a security fix surfacing a deeper issue which was obscured by insecure handling of the session token. Not that that detail matters if you're running into the issue, clear your cookies and be careful with multiple tabs is the current workaround and we're working on a permanent fix. |
Thank you for sharing your experience. Regarding the invalid token issue, I can confirm that I started encountering this on version 10.11.0. As for the race condition, it has been a problem since version 10.10.7. I'm considering a downgrade to version 10.10.5 as a temporary measure to see if that resolves the race condition issue without introducing other problems. Have you, or anyone else, experienced any improvements or other issues with earlier versions like 10.10.5?
Thank you for the clarification and the update on the security fix. I appreciate the insights and understand now that the issue with invalid tokens is not a regression but part of a security improvement. I will follow the suggested workaround of clearing cookies and being cautious with multiple tabs. Looking forward to the permanent fix. Thanks again for the swift response and for addressing these issues actively. |
Describe the Bug
Currently the /refresh endpoint is called whenever a tab becomes active. There is an issue where this sometimes gets called more than once from different tabs and causes a logout to occur.
I'm not sure if this can be fixed with a time delay or a retry.
To Reproduce
open 2 Directus tabs in the same browser. Make sure both tabs are alongside each other.
Move one tab out and notice that one of the directus projects will be logged out.
Screen.Recording.2024-05-02.at.12.09.49.mov
Directus Version
10.10.7
Hosting Strategy
Self-Hosted (Docker Image)
The text was updated successfully, but these errors were encountered: