[Bug]: Duplicating tabs while using refresh tokens breaks session #1366

Open
mcrumpto opened this issue Jan 24, 2022 · 9 comments

@mcrumpto

What Version of the library are you using?
12.0.3

Describe the bug
If you set up an application to use refresh tokens to renew the access token and use the default storage, duplicating tabs in Chrome will cause the sessions to become invalid. This is due to tab duplication also duplicating the session storage; therefore two different tabs both have the same refresh token, and as soon as the second token attempts to update, the token family is invalid.

To Reproduce
Steps to reproduce the behavior:

  1. Load a page and authenticate
  2. Duplicate the tab
  3. Wait for both tabs to attempt to refresh the access token

Expected behavior
Unsure

Desktop (please complete the following information):

  • OS: Windows 10
  • Browser: Chrome
  • Version: 97.0.4692.99

@soners

soners commented Jan 31, 2022

Hello, is there any update about this issue (any estimations, root causes, possible workarounds)? We have been having the same problem for a long time (with v11.6.11, v12.0.3 and v13.1.0). From our use cases, it is really common for our users to have multiple tabs because they need them most of the time. However, they are logged out of the session when there are multiple tabs, and it is really frustrating for them.

@damienbod
Owner

Hi @soners, I have tried this and have not experienced this problem (v13).

If session storage is used, the tokens are not shared and you should have no problem. If local storage is used, this could possibly be a problem.

Greetings Damien

@mcrumpto
Author

If you duplicate a tab in Chrome it duplicates the session storage.

@soners

soners commented Feb 2, 2022

Thank you so much for the suggestion. Yes, we were using localStorage for AbstractSecurityStorage. After replacing localStorage with sessionStorage I thought it was fully solved, but I was able to reproduce it once more. I guess replacing it with sessionStorage did not fully solve it, just made it harder to happen. Do you happen to know any other reasons that prevent silent refresh from kicking in? (v11.6.11)

@greengumby

Any update to this issue?

@JGrant-Mastrin

I can confirm this is still an issue. Is anyone looking into this?

@damienbod
Owner

Does this happen in version 15?

Greetings Damien

@JGrant-Mastrin

I just tested this after upgrading to version 15 and can confirm this still happens.

@JGrant-Mastrin

For anyone looking for a workaround, this piece of code does seem to do the trick.

I got this from here:
https://stackoverflow.com/questions/56868153/session-storage-not-being-cleared-when-duplicating-tabs

<script>
	// Clear session storage in case user duplicated tab on chrome
	(function () {
		try {
			window.addEventListener('beforeunload', function (event) {
				window.sessionStorage.removeItem('__lock');
			});

			if (window.sessionStorage.getItem('__lock')) {
				window.sessionStorage.clear();
				console.warn('Found a lock in session storage. The storage was cleared.');
			}

			window.sessionStorage.setItem('__lock', '1');
		} catch {
			// Bad data, only care about good data
		}
	})();
</script>
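
The failure discussed in this thread, as an added example that is not part of the issue, the library, or any identity provider's code: a constructed in-memory model of refresh token rotation with reuse detection, with each tab's sessionStorage modelled as a `Map`. The class and function names and the `refresh_token` storage key are assumptions; `__lock` is the key used by the workaround above.

```javascript
// Constructed model: an authorization server that rotates refresh tokens and
// revokes the whole token family when an already-used token is presented again.
class RotatingTokenServer {
  constructor() {
    this.tokens = new Map();   // refresh token -> { family, used }
    this.revoked = new Set();  // revoked family ids
    this.counter = 0;
  }
  issue(family) {
    const token = `rt-${++this.counter}`;
    this.tokens.set(token, { family, used: false });
    return token;
  }
  login() { return this.issue(`family-${++this.counter}`); }
  refresh(token) {
    const entry = this.tokens.get(token);
    if (!entry || this.revoked.has(entry.family)) return { ok: false, reason: 'revoked' };
    if (entry.used) {          // second presentation of a rotated token
      this.revoked.add(entry.family);
      return { ok: false, reason: 'reuse-detected' };
    }
    entry.used = true;
    return { ok: true, refreshToken: this.issue(entry.family) };
  }
}

// The lock check from the workaround, applied to the modelled storage.
function applyLockWorkaround(storage) {
  if (storage.has('__lock')) storage.clear(); // lock present at load: storage was copied
  storage.set('__lock', '1');
}

// One tab's silent refresh, using the token held in that tab's own storage.
function tabRefresh(server, storage) {
  const token = storage.get('refresh_token');
  if (!token) return 'no-token';              // tab has to authenticate again
  const result = server.refresh(token);
  if (result.ok) storage.set('refresh_token', result.refreshToken);
  return result.ok ? 'ok' : result.reason;
}

function simulate(useWorkaround) {
  const server = new RotatingTokenServer();
  const tabA = new Map([['refresh_token', server.login()]]);
  if (useWorkaround) applyLockWorkaround(tabA);
  const tabB = new Map(tabA);                 // duplicated tab: storage is copied
  if (useWorkaround) applyLockWorkaround(tabB);
  // Tab A refreshes, then tab B, then tab A again.
  return [tabA, tabB, tabA].map((tab) => tabRefresh(server, tab));
}
```

In this model the workaround keeps the original tab's session alive, but the duplicated tab starts with empty storage and has to authenticate again.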
