Reports of user logged out twice today - related to recent auth tokens changes?

Thanks @Sam - I’ll let you know if I see a recurrence.

I don’t see any downside to always accepting the previous token; this just effectively doubles the window of attack, but if the window is ~10 minutes and the new window is ~20 minutes, that does not seem like a big deal.

Also the paranoid can surely turn it down to ~5 minutes via the site setting of how long token grace period is, yes?


Sort of, it increases the window of attack quite a lot under certain conditions:

  • Jan 1 Token A is issued
  • Feb 1 Token A is rotated and B is issued and confirmed (user leaves site in less than 10 mins)
  • Feb 10 User returns
    • Under a laxer scheme we still accept Token A
    • Under current scheme we do not accept Token A cause Token B was issued and confirmed.

So, it is marginally less secure.

I am open to relaxing the rules here, but it does seem my previous fix is required for cases where “requests are trapped in a Safari webkit time travelling queue”, cause it is totally conceivable they could send us a token that was rotated many times since when you return to the tab and it replays requests.
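
The Jan 1 / Feb 1 / Feb 10 timeline from the post above, as an added example that is not part of the original thread and is not Discourse's own code. The class, method names, the year and the exact "strict" rule (previous token accepted only until the new one is confirmed, or inside the grace window) are assumptions made for illustration.

```ruby
# Added illustration: a hypothetical model, not Discourse's implementation.
class SessionTokens
  GRACE = 600 # seconds; the ~10 minute window mentioned in the thread

  def initialize(token, issued_at)
    @current, @previous = token, nil
    @rotated_at = issued_at
    @confirmed = true
  end

  # Server issues a new token; the old one becomes "previous".
  def rotate(new_token, at)
    @previous, @current = @current, new_token
    @rotated_at = at
    @confirmed = false
  end

  # Client echoed the new token back, so we know it received it.
  def confirm(token)
    @confirmed = true if token == @current
  end

  # :lax    -> previous token is always accepted
  # :strict -> previous token is accepted only until the new one is
  #            confirmed, or inside the grace window (assumed rule)
  def accepts?(token, at, policy)
    return true if token == @current
    return false unless token == @previous
    return true if policy == :lax
    !@confirmed || (at - @rotated_at) <= GRACE
  end
end

# Constructed timeline from the post (the year is an assumption).
def token_a_accepted_on_feb_10?(policy, confirmed: true)
  jan1, feb1, feb10 = [[1, 1], [2, 1], [2, 10]].map { |m, d| Time.utc(2017, m, d) }
  session = SessionTokens.new("A", jan1)
  session.rotate("B", feb1)
  session.confirm("B") if confirmed
  session.accepts?("A", feb10, policy)
end

if __FILE__ == $PROGRAM_NAME
  %i[lax strict].each do |policy|
    puts "#{policy}: Token A accepted on Feb 10? #{token_a_accepted_on_feb_10?(policy)}"
  end
end
```

Passing `confirmed: false` models a client that never echoed Token B back: the strict rule then still accepts Token A, which is the case where the browser did not store the new cookie.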


OK, up to you – I don’t have a strong opinion on it other than simplifying the code.

I found myself logged out of my forum when I opened the Discourse native iOS app this morning :frowning:

Haven’t seen similar happen on meta in the native app. Will keep an eye on things and let you know if it happens again.

A couple of more fixes over the weekend and today to allow for iOS crazy

It seems that in certain cases

  • We give webkit on iOS a new cookie
  • It echoes this cookie back to us
  • (time passes)
  • It sends us the old cookie instead of the new one (as if it did not flush the new cookie to disk)

I added a fix to allow for this situation better and a subsequent bugfix to the fix.


Much appreciate your attention to detail. Cheers @Sam :thumbsup:

Stuff has been looking much better on our side, will close this in 3 more days unless someone keeps seeing issues.


Likewise, no issues reported in my forum since we last spoke. Thanks @Sam

4 posts were split to a new topic: 500 error when logging in – plugin related?

This topic was automatically closed after 3 days. New replies are no longer allowed.

Reopened cause this issue is still happening. The current issue is that once the cookie gets corrupt, cause the browser did not write it to disk, users get a 500 error.

I am fixing that so at least they are simply logged off.


Ah yes, I guess therefore a simple logout and login fixed the error 500 issue for me?

Yes, that would be it. I am fixing the edge case here. What browser were you using when you experienced the issue here?

I honestly never knew it would be this hard to convince web browsers to write a cookie to disk.

It happened to me on our hosted Discourse instance (by you) several times today. I’m using Chrome 56.0.2924.87 (64-bit) on Windows 10.


I enabled verbose auth token logging on your instance, let me know when it happens next.

I hate to leave this topic open forever, but yet again we saw the exact issue across various browsers.

I just made some changes to adjust the process of dealing with invalid tokens a bit. In particular I eliminated the chance of getting the 500 errors people were seeing, added more logging and handled a corner case where we are presented with old tokens a bit better.

Let’s see how it goes.


I just had it on our site again. Same browser, I hope the error helps you in fixing the issue.

Thanks! Just redeployed my fixes from earlier on to your site. Can you ping me again next time it happens?

You should not see a 500 error anymore, but a random logout is possible.

Can you tell me a bit more about how you are using your browser? Do you have lots of tabs open to your site?