Reports of user logged out twice today - related to recent auth tokens changes?

sam · February 28, 2017, 3:51pm

A couple of more fixes over the weekend and today to allow for iOS crazy

It seems that in certain cases

We give webkit on iOS a new cookie
It echos this cookie back to us
(time passes)
It sends us the old cookie instead of the new one (as if it did not flush the new cookie to disk)

I added a fix to allow for this situation better and a subsequent bugfix to the fix.

github.com/discourse/discourse

FIX: attempt to handle ios edge case where token is seen but unsaved

committed 10:09PM - 26 Feb 17 UTC

SamSaffron

+51 -11

This relaxes our security in the following way - prev auth token is always acce…pted as long as rotation date is within our window of SiteSetting.maximum_session_age.hours (previously old token expired within a minute of new one being seen) - new auth token is marked unseen if we are presented with an old token after we already saw new one This attempts to fix an issue where ios webkit is not committing new cookies

Topic		Replies	Views
Logged out of forum on iOS Bug	6	1605	September 25, 2017
Discourse ios app logged me out every time I reopen it Bug	9	1650	February 20, 2017
500 internal server error at first page call in the morning Bug	3	1297	March 7, 2017
Was logged out when trying to load an admin page Bug	2	1092	February 28, 2017
New beta causing frequent logouts in Safari on mobile Bug	20	1261	July 18, 2019

Reports of user logged out twice today - related to recent auth tokens changes?

Related topics