
Frequent Logouts: Token Refresh Fails Due to Duplicate refresh Cookies

Open MuhammadBayiz opened this issue 6 months ago • 2 comments

I have been experiencing an issue for a while, including previous stable versions, where I am forced to log in again almost every time I refresh the jfa-go web interface.

Upon inspecting the network traffic in my browser's developer tools, I've identified that the request to the /token/refresh endpoint is failing with a 400 Bad Request status. The server responds with a JWT error.

The root cause appears to be that the browser is sending two refresh cookies in the request header, which likely confuses the server-side token validation logic.

Steps to Reproduce

  1. Log in to the jfa-go application.
  2. Navigate to any page within the admin interface (e.g., /admin/accounts).
  3. Refresh the browser page. (Sometimes it doesn't log out.)
  4. Observe that you are logged out and redirected to the login page.

Expected Behavior

The session should persist after a page refresh. The token refresh mechanism should work silently in the background, keeping the user logged in without any interruption.

Actual Behavior

The user is logged out on almost every page refresh, requiring a new login. The token refresh call fails with a "JWT was invalidated" error.

Technical Details

Here is a sanitized curl command of the failing request captured from the browser's network inspector. Note the presence of two refresh cookies in the -b (cookie) header.

```bash
# Note: Sensitive information such as domain, cookies, and tokens have been redacted.
# The -b option below sends two 'refresh' cookies, which is likely the cause of the issue.
curl 'https://[your-jfa-go-domain]/token/refresh' \
  -H 'accept: */*' \
  -H 'accept-language: en-US,en;q=0.9,ar;q=0.8,ku;q=0.7' \
  -b 'refresh=[REDACTED_JWT_TOKEN_1]; refresh=[REDACTED_JWT_TOKEN_2]' \
  -H 'dnt: 1' \
  -H 'priority: u=1, i' \
  -H 'referer: https://[your-jfa-go-domain]/admin/accounts' \
  -H 'sec-ch-ua: "Google Chrome";v="137", "Chromium";v="137", "Not/A)Brand";v="24"' \
  -H 'sec-ch-ua-mobile: ?0' \
  -H 'sec-ch-ua-platform: "Windows"' \
  -H 'sec-fetch-dest: empty' \
  -H 'sec-fetch-mode: cors' \
  -H 'sec-fetch-site: same-origin' \
  -H 'sec-gpc: 1' \
  -H 'user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36'
```

Server Response:

The server responds with the following error message and a 400 Bad Request status code:

```json
{"response":"","error":"JWT was invalidated, of incorrect type or has expired"}
```

MuhammadBayiz avatar Jun 07 '25 20:06 MuhammadBayiz

Happens on every page refresh.

gitcook avatar Jun 24 '25 15:06 gitcook

The two refresh cookies, what hosts/domains and path do they have? In Firefox you can check in DevTools > Storage > Cookies.

hrfee avatar Jul 18 '25 11:07 hrfee
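The following Go example is added here to illustrate the failure mode described in the issue and the duplicate-cookie question raised above; it is not jfa-go's own code. It assumes a constructed Cookie header with two `refresh` cookies (placeholders instead of the redacted JWTs) and a stand-in `validToken` check in place of real JWT verification. It shows that `net/http`'s `Request.Cookie` returns only the first cookie of a given name, how to count the duplicates for diagnostics, and a lookup that validates every same-name candidate so a stale duplicate cannot mask a valid token.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Constructed Cookie header shaped like the issue's: two cookies named "refresh",
// with the redacted JWTs replaced by obvious placeholders.
const sampleCookieHeader = "refresh=STALE_TOKEN_PLACEHOLDER; refresh=FRESH_TOKEN_PLACEHOLDER"
// validToken stands in for a real JWT check (assumption); only the fresh one passes.
func validToken(tok string) bool { return tok == "FRESH_TOKEN_PLACEHOLDER" }
// newRefreshRequest builds a GET /token/refresh carrying the given Cookie header.
func newRefreshRequest(cookieHeader string) *http.Request {
	r := httptest.NewRequest(http.MethodGet, "/token/refresh", nil)
	r.Header.Set("Cookie", cookieHeader)
	return r
}

// cookieValues returns every value sent under name. Request.Cookie returns only
// the first match, so a count above one is the duplicate condition worth logging.
func cookieValues(r *http.Request, name string) (vals []string) {
	for _, c := range r.Cookies() {
		if c.Name == name {
			vals = append(vals, c.Value)
		}
	}
	return vals
}

// refreshTolerant checks every same-name candidate instead of only the first,
// so a stale duplicate no longer masks a valid token; it fails only when none validate.
func refreshTolerant(r *http.Request) (string, error) {
	for _, v := range cookieValues(r, "refresh") {
		if validToken(v) {
			return v, nil
		}
	}
	return "", errors.New("JWT was invalidated, of incorrect type or has expired")
}

func main() {
	r := newRefreshRequest(sampleCookieHeader)
	first, _ := r.Cookie("refresh") // the naive lookup: picks the stale first cookie
	tok, err := refreshTolerant(r)
	fmt.Println(len(cookieValues(r, "refresh")), first.Value, validToken(first.Value), tok, err)
}
```

Because each candidate is still fully validated, accepting whichever duplicate passes does not weaken the check; the remaining fix is to clear the stale cookie (matching Path and Domain) so the browser stops sending it.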