angular-auth-oidc-client

[Bug]: Duplicating tabs while using refresh tokens breaks session

Open mcrumpto opened this issue 3 years ago • 4 comments

What Version of the library are you using? 12.0.3

Describe the bug: If you set up an application to use refresh tokens to renew the access token and use the default storage, duplicating tabs in Chrome will cause the sessions to become invalid. This is due to tab duplication also duplicating the session storage, and therefore two different tabs both have the same refresh token, and as soon as the second token attempts to update then the token family is invalid.

To Reproduce: Steps to reproduce the behavior:

  1. Load a page and authenticate
  2. Duplicate the tab
  3. Wait for both tabs to attempt to refresh the access token

Expected behavior: Unsure

Desktop (please complete the following information):

  • OS: Windows 10
  • Browser: Chrome
  • Version: 97.0.4692.99

mcrumpto avatar Jan 24 '22 15:01 mcrumpto

Hello, is there any update about this issue (any estimations, root causes, possible workarounds)? We have been having the same problem for a long time (with v11.6.11, v12.0.3 and v13.1.0). In our use cases, it is really common for our users to have multiple tabs because they need them most of the time. However, they are logged out of the session when there are multiple tabs, and it is really frustrating for them.

soners avatar Jan 31 '22 10:01 soners

Hi @soners I have tried this and not experienced this problem (v13)

If session storage is used, the tokens are not shared and you should have no problem. If local storage is used, this could possibly be a problem.

Greetings Damien

damienbod avatar Jan 31 '22 12:01 damienbod

If you duplicate a tab in Chrome it duplicates the session storage.

mcrumpto avatar Jan 31 '22 12:01 mcrumpto

Thank you so much for the suggestion. Yes, we were using localStorage for AbstractSecurityStorage. After replacing localStorage with sessionStorage I thought it was fully solved, but I was able to reproduce it once more. I guess replacing it with sessionStorage did not fully solve it, just made it harder to happen. Do you happen to know any other reasons that prevent silent refresh from kicking in? (v11.6.11)

soners avatar Feb 02 '22 17:02 soners

Any update to this issue?

greengumby avatar Oct 31 '22 09:10 greengumby

I can confirm this is still an issue. Is anyone looking into this?

JGrant-Mastrin avatar Feb 22 '23 06:02 JGrant-Mastrin

Does this happen in version 15?

Greetings Damien

damienbod avatar Feb 22 '23 06:02 damienbod

I just tested this after upgrading to version 15 and can confirm this still happens.

JGrant-Mastrin avatar Feb 22 '23 07:02 JGrant-Mastrin

For anyone looking for a workaround, this piece of code does seem to do the trick.

I got this from here https://stackoverflow.com/questions/56868153/session-storage-not-being-cleared-when-duplicating-tabs

<script>
	// Clear session storage in case user duplicated tab on chrome
	(function () {
		try {
			window.addEventListener('beforeunload', function (event) {
				window.sessionStorage.removeItem('__lock');
			});

			if (window.sessionStorage.getItem('__lock')) {
				window.sessionStorage.clear();
				console.warn('Found a lock in session storage. The storage was cleared.');
			}

			window.sessionStorage.setItem('__lock', '1');
		} catch {
			// Bad data, only care about good data
		}
	})();
</script>

JGrant-Mastrin avatar Feb 22 '23 07:02 JGrant-Mastrin
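
The failure described in the opening post and the effect of the `__lock` workaround can be reproduced in a small model. This is an added example, not code from the thread or from angular-auth-oidc-client: `RotatingTokenServer`, `Tab` and `simulate` are hypothetical names, and the server is assumed to rotate refresh tokens and revoke the whole token family when a rotated token is presented again.

```javascript
// Added model (constructed, not library code): rotation with reuse detection.
class RotatingTokenServer {
  constructor() {
    this.tokens = new Map();   // refresh token -> { family, used }
    this.revoked = new Set();  // revoked token families
    this.seq = 0;
  }
  issue(family = `family-${++this.seq}`) {
    const token = `rt-${++this.seq}`; // constructed, predictable on purpose
    this.tokens.set(token, { family, used: false });
    return token;
  }
  refresh(token) {
    const rec = this.tokens.get(token);
    if (!rec || this.revoked.has(rec.family)) return { ok: false, error: 'invalid_grant' };
    if (rec.used) { // an already-rotated token came back: revoke the family
      this.revoked.add(rec.family);
      return { ok: false, error: 'invalid_grant' };
    }
    rec.used = true;
    return { ok: true, refreshToken: this.issue(rec.family) };
  }
}
// A tab owns a sessionStorage stand-in (a Map); duplicating a tab copies it.
class Tab {
  constructor(storage, useLock) {
    this.storage = storage;
    if (useLock) { // same check as the __lock snippet in the thread
      if (this.storage.get('__lock')) this.storage.clear();
      this.storage.set('__lock', '1');
    }
  }
  duplicate(useLock) { return new Tab(new Map(this.storage), useLock); }
  silentRefresh(server) {
    const token = this.storage.get('refresh_token');
    if (!token) return { ok: false, error: 'login_required' };
    const res = server.refresh(token);
    if (res.ok) this.storage.set('refresh_token', res.refreshToken);
    return res;
  }
}
// Order of renewals: original tab, duplicated tab, original tab again.
function simulate(useLock) {
  const server = new RotatingTokenServer();
  const original = new Tab(new Map(), useLock);
  original.storage.set('refresh_token', server.issue());
  const copy = original.duplicate(useLock);
  const results = [original, copy, original].map(tab => tab.silentRefresh(server));
  return results.map(r => (r.ok ? 'ok' : r.error));
}
console.log(simulate(false), simulate(true));
```

Without the lock, the duplicate's stale copy trips reuse detection and the original tab's next renewal fails too. With the lock, the duplicate starts with empty storage and has to authenticate on its own, while the original session keeps renewing.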