julianlam / nodebb-plugin-session-sharing

Allows login sessions from your app to persist in NodeBB
MIT License

Session Mismatch when forum open in 2 tabs #95

Closed skeddles closed 3 years ago

skeddles commented 3 years ago

So far this plugin seems to be working fine. And this issue wasn't happening at the start, but just started happening consistently.

I am able to browse the forum fine from a single tab. When I open the forum in a second tab and go back to the first one, it says

Session Mismatch
It looks like your login session is no longer active, or no longer matches with the server.
Please refresh this page.

The only change I can remember making was changing the url in NodeBB's config.json, setting it to my forum's proper url (it was unconfigured before), in order to fix an issue with the emoji plugin. Before that, it was whatever the default setting for NodeBB is, and I didn't have any other issues.

My cookie changes setting is set to re-validate, but it seems like every new page is regenerating the session and not seeing the old one. The express.sid cookie gets deleted and recreated whenever you open a new tab. It's like it can never find the old cookie on page load.

Any ideas?

julianlam commented 3 years ago

@skeddles Are you using latest master? If so, can you switch back to v1.16.x just to see if that fixes it?

It may be related to some new session re-roll logic we added for security...

skeddles commented 3 years ago

Do you mean for nodebb or the plugin? I don't believe I've updated either since installing the plugin a week or two ago.

I've got this:

image

(perhaps I just need to update the plugin, didn't notice there was a new one)

skeddles commented 3 years ago

> @skeddles Are you using latest master? If so, can you switch back to v1.16.x just to see if that fixes it?
>
> It may be related to some new session re-roll logic we added for security...

After downgrading the forum to 1.16 the bug has disappeared, so it sounds like you were right that something is broken in the latest one.

julianlam commented 3 years ago

@skeddles thanks for confirming! I'm not entirely sure how we can resolve this since the session rolling logic was implemented for security purposes... I will think on this and come up with a solution 👍

julianlam commented 3 years ago

I talked with @barisusakli about this and it is indeed related to the session reroll logic I added. You're seeing the session mismatch error, but this is actually intentional, since a new login causes the cookie to be replaced. This is done properly on the new tab, but the old tab still has the old cookie loaded, hence the mismatch. It throws the modal so it can cause a page refresh and you will apply the new cookie.

For session sharing, of course, if you have re-validate set on, then it means you just get a new cookie again, and the other tab gets the mismatch :facepalm:

So I'll see about excluding session-sharing from the reroll logic.
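
The two-tab behaviour described in the comment above, as an added example that is not part of the thread and is not NodeBB or plugin code. It is a simplified JavaScript model: every name in it (`Server`, `loadPage`, `check`, `twoTabs`, the `rerollOnSharedLogin` switch) is hypothetical, and it assumes an open tab keeps the session id it was rendered under.

```javascript
// Simplified model of session re-roll plus "re-validate" (hypothetical names throughout).
class Server {
  constructor({ rerollOnSharedLogin }) {
    this.sessions = new Map();            // session id -> uid
    this.rerollOnSharedLogin = rerollOnSharedLogin;
    this.counter = 0;                     // constructed ids; a real server issues random ones
  }

  // With "re-validate", the shared token is checked on every page load and
  // treated as a login for the uid it names.
  loadPage(browser, sharedTokenUid) {
    const current = browser.cookie;
    const sameUser = current !== null && this.sessions.get(current) === sharedTokenUid;
    if (!sameUser || this.rerollOnSharedLogin) {
      // Session re-roll: the old id is destroyed and a new one is issued on
      // login, so an id known before login is useless afterwards.
      if (current !== null) this.sessions.delete(current);
      browser.cookie = `sid-${++this.counter}`;
      this.sessions.set(browser.cookie, sharedTokenUid);
    }
    // Assumption: the rendered page remembers the session it was rendered under.
    return { renderedSid: browser.cookie };
  }

  // Later request from an already open tab.
  check(tab) {
    return this.sessions.has(tab.renderedSid) ? 'ok' : 'session-mismatch';
  }
}

// Open the forum in two tabs of one browser (one shared cookie jar), then
// return to the first tab.
function twoTabs(rerollOnSharedLogin, uid1 = 42, uid2 = 42) {
  const server = new Server({ rerollOnSharedLogin });
  const browser = { cookie: null };
  const tab1 = server.loadPage(browser, uid1);
  const tab2 = server.loadPage(browser, uid2);
  return { tab1: server.check(tab1), tab2: server.check(tab2) };
}

console.log('re-roll on every shared login:', twoTabs(true));
console.log('shared logins excluded       :', twoTabs(false));
console.log('different user in second tab :', twoTabs(false, 42, 7));
```

In the last call the second tab presents a token for a different user, so the session is still re-rolled and the first tab still gets the mismatch; only repeat logins of the same user skip the re-roll.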

julianlam commented 3 years ago

v4.7.1, latest NodeBB required (or v1.17.2, when released)