Session Issue in my adaptation

[MaheshkumarSundaram]

Hi @neonexus ,

I am facing an issue. Please note, this issue is not specific to this new version. Stupid me, I just noticed this. So it has nothing to do with new version I suppose, as it exists in the older version of my adaption.

The issue scenario:

1. I start the web app
2. Login
3. Do some things on the webapp. It's fine until now.
4. Now, I close the tab the current tab and open another tab. Now, If I try to do some API related things; I get the 403 error. Also occurs when I duplicate tabs and do the same.

Although I adapted your code, the changes are mostly on the front-end & most of the backend code is the same as your boilerplate. I use MongoDB for the backend storage. But there has been never a problem with that so far.

When I tried to debug the issue, for some reason, the sessionId becomes null in isLoggedIn.js for the scenario.

Could you point me in the right direction why this might happen?

Thank you!

[neonexus]

This sounds like you might have secure cookies turned on, for a non-secure connection. This would make it so you could login, but the cookie wouldn't be retained, causing 403's.

[MaheshkumarSundaram]

In my config/session.js, cookie.secure is false.

Also, all the API calls work fine when I operate on a single tab.
The issue only occurs if I try to duplicate tabs. That's why I am not where exactly is the problem.

When I inspect the network details in Chrome, I could see the Cookie value of Request Headers is the same as a valid request would contain. But I am not sure why at the backend, this would get forbidden.

[neonexus]

Ah, this might be because of the CSRF token. If you modify, create, or delete data (POST, PUT or DELETE respectively), you spend the CSRF token, and get a new one.

It could be that your browser isn’t sharing sessionStorage data across tabs. Try updating the API handler for React (assets/src/data/api.js) to use localStorage instead.

[MaheshkumarSundaram]

Stupid me, I forgot that csrf gets regenerated for every data update. Indeed that's the issue. Thanks a lot @neonexus.

Although localStorage solves the problem, isn't this a security issue!? localStorage data would be retained even after the browser is closed right! Do I have to manually clear that out or do you recommend anything?

Thanks!

[neonexus]

I don't see this as a security issue, for 2 reasons:

If something can manage to get ahold of either sessionStorage or localStorage that is nefarious, then the user has much bigger problems.

Second, if the browser or the server decide the session has ended, the CSRF token is worthless, as tokens are tied to sessions, and it doesn't matter if it hangs out until the end of time. Next login will automatically replace it.

[MaheshkumarSundaram]

Ah makes sense. Very much appreciate your timely responses with appropriate explanations. Many thanks @neonexus.