Comments (12)

dzevs commented on June 4, 2024

Hello,

I am encountering a similar issue to the one reported here. I frequently work with multiple tabs open in the latest version of Chrome, and often when I try to refresh one of the tabs, I am automatically logged out, particularly when I move a tab to a new window. In addition to this, after closing and reopening Directus a few hours later, I am presented with an "Unexpected Error [INVALID_TOKEN] Invalid token" message, as illustrated in the attached screenshot. Despite multiple refresh attempts, the problem persists. The temporary solution I have found is to clear the browser cache, which then redirects me back to the login page.

Is there a temporary workaround or a proposed fix while waiting for further updates? Are others experiencing the same issues, and is there a permanent solution to address these problems? Thank you for your attention and hard work in addressing these issues.
Screenshot 2024-05-09 160107

from directus.

br41nslug commented on June 4, 2024

This bug seems to be isolated to Chrome-based browsers. And once you're pulling the tab out into a new window these can be considered 2 browsers (and it looks like they may no longer share a cookie storage); this should not be an issue for 2 tabs within the same browser/window.

hanneskuettner commented on June 4, 2024

I've been triaging this a bit, and to me it looks like it is indeed a race condition.

In the AuthenticationService.refresh method I see two requests arriving nearly simultaneously, as far as I can tell caused by both tabs receiving a focus-in event at the same time, when one is pulled out. They both have the same refresh token and arrive at the same point in time, one updates the database with a new token, then the other request checks for a matching token in the DB, which has been updated in the meantime and fails.

I don't think this is related to it being in different windows and not sharing cookies.
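
The sequence described in the comment above, as an added illustration that is not part of the original thread and not Directus code: a constructed in-memory store with strict single-use refresh-token rotation, next to one possible mitigation (a short grace window in which a near-simultaneous duplicate receives the same successor token). `SessionStore`, `twoTabs` and `graceMs` are hypothetical names, and the clock is injected so the timing is deterministic.

```javascript
// Added illustration, not Directus code: every name here is hypothetical.
const crypto = require('node:crypto');

class SessionStore {
  // graceMs = 0 gives strict single-use rotation (the failing behaviour).
  constructor({ graceMs = 0, now = () => Date.now() } = {}) {
    this.graceMs = graceMs;
    this.now = now;
    this.current = new Map(); // live refresh token -> userId
    this.rotated = new Map(); // retired token -> { next, at }
  }

  login(userId) {
    const token = crypto.randomBytes(16).toString('hex');
    this.current.set(token, userId);
    return token;
  }

  refresh(token) {
    const userId = this.current.get(token);
    if (userId !== undefined) {
      // First request to arrive: rotate and remember the successor.
      const next = this.login(userId);
      this.current.delete(token);
      this.rotated.set(token, { next, at: this.now() });
      return { ok: true, token: next };
    }
    const prev = this.rotated.get(token);
    const inWindow = prev !== undefined && this.now() - prev.at < this.graceMs;
    if (inWindow && this.current.has(prev.next)) {
      // Near-simultaneous duplicate: return the same successor, do not rotate again.
      return { ok: true, token: prev.next };
    }
    // Unknown token, or a retired token replayed outside the window.
    return { ok: false, error: 'INVALID_TOKEN' };
  }
}

// Two tabs send the same refresh token; the second arrives delayMs after the first.
function twoTabs(graceMs, delayMs) {
  let clock = 0; // constructed clock, in milliseconds
  const store = new SessionStore({ graceMs, now: () => clock });
  const shared = store.login('user-1');
  const first = store.refresh(shared);
  clock += delayMs;
  return { first, second: store.refresh(shared) };
}

console.log(twoTabs(0, 5).second);    // strict rotation
console.log(twoTabs(2000, 5).second); // 2 s grace window
```

A retired token presented after the window is still rejected, so the replay-detection property of rotation is kept; the window should be only as long as the expected gap between duplicate requests.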

br41nslug commented on June 4, 2024

> They both have the same refresh token and arrive at the same point in time, one updates the database with a new token, then the other request checks for a matching token in the DB, which has been updated in the meantime and fails.
>
> I don't think this is related to it being in different windows and not sharing cookies.

I'm seeing the same, however both windows end up with different cookies (one updated, and failed so not updated). Both windows ending up with different cookies for the same session would lose the ability for one tab to refresh the cookie and the other to pick it up, like they do as tabs on the same window, requiring them to have their own individual sessions.

There are some things we could do to avoid the race condition itself, however if these windows don't share a cookie storage that is a deeper problem and will keep causing one window to invalidate the other while they are sharing a session, on any refresh down the line, not just this race condition.

hanneskuettner commented on June 4, 2024

> There are some things we could do to avoid the race condition itself, however if these windows don't share a cookie storage that is a deeper problem and will keep causing one window to invalidate the other while they are sharing a session, on any refresh down the line, not just this race condition.

This is not what I'm seeing on my machine. See the attached video. I've got two Chrome windows open, first triggering a token refresh in one window, then in the second window. The refresh in the second window uses the cookie that was set in the first window. Or am I missing something here?

Screen.Recording.2024-05-03.at.12.36.22.mov

br41nslug commented on June 4, 2024

> The refresh in the second window uses the cookie that was set in the first window.

If so then the second refresh shouldn't be failing as it would be a valid token. I am having some trouble reproducing the issue today so will need some more research.

JoshTheDerf commented on June 4, 2024

Something along these lines is happening to us pretty regularly. It does seem to be related to multiple tabs, though I can't understand why.

mahsamirzapour commented on June 4, 2024

The same thing happens to me when I'm working on a collection and sometimes get redirected to the login page when I save the collection, but I don't get any specific error message indicating a problem.

hanneskuettner commented on June 4, 2024

> The same thing happens to me when I'm working on a collection and sometimes get redirected to the login page when I save the collection, but I don't get any specific error message indicating a problem.

That actually sounds like an unrelated problem, if it specifically happens when saving a collection. You might want to leave the network tab of your developer tools open to see if there is any specific, failing request. And if it is unrelated, open a separate issue.

shipsides-sparknel commented on June 4, 2024

> Hello,
>
> I am encountering a similar issue to the one reported here. I frequently work with multiple tabs open in the latest version of Chrome, and often when I try to refresh one of the tabs, I am automatically logged out, particularly when I move a tab to a new window. In addition to this, after closing and reopening Directus a few hours later, I am presented with an "Unexpected Error [INVALID_TOKEN] Invalid token" message, as illustrated in the attached screenshot. Despite multiple refresh attempts, the problem persists. The temporary solution I have found is to clear the browser cache, which then redirects me back to the login page.
>
> Is there a temporary workaround or a proposed fix while waiting for further updates? Are others experiencing the same issues, and is there a permanent solution to address these problems? Thank you for your attention and hard work in addressing these issues.

is this specifically related to 10.11.0 for you? i am experiencing a new issue that has the related invalid token error, but nothing to do with tabs or windows. it only took the first launch of the day (from a shutdown) for me to encounter this. i'm theorizing it could be a regression from #22353

br41nslug commented on June 4, 2024

> i'm theorizing it could be a regression from #22353

That's not a regression but rather a security fix surfacing a deeper issue which was obscured by insecure handling of the session token. Not that that detail matters if you're running into the issue, clear your cookies and be careful with multiple tabs is the current workaround and we're working on a permanent fix.

dzevs commented on June 4, 2024

> is this specifically related to 10.11.0 for you? i am experiencing a new issue that has the related invalid token error, but nothing to do with tabs or windows. it only took the first launch of the day (from a shutdown) for me to encounter this. i'm theorizing it could be a regression from #22353

Thank you for sharing your experience. Regarding the invalid token issue, I can confirm that I started encountering this on version 10.11.0. As for the race condition, it has been a problem since version 10.10.7. I'm considering a downgrade to version 10.10.5 as a temporary measure to see if that resolves the race condition issue without introducing other problems. Have you, or anyone else, experienced any improvements or other issues with earlier versions like 10.10.5?

> That's not a regression but rather a security fix surfacing a deeper issue which was obscured by insecure handling of the session token. Not that that detail matters if you're running into the issue, clear your cookies and be careful with multiple tabs is the current workaround and we're working on a permanent fix.

Thank you for the clarification and the update on the security fix. I appreciate the insights and understand now that the issue with invalid tokens is not a regression but part of a security improvement. I will follow the suggested workaround of clearing cookies and being cautious with multiple tabs. Looking forward to the permanent fix. Thanks again for the swift response and for addressing these issues actively.
