signalpoint / DrupalGap

An application development kit for Drupal websites.
https://www.drupalgap.org
GNU General Public License v2.0

Session/token issue after logging out and logging back in. #1026

Closed tomflanagan closed 5 years ago

tomflanagan commented 5 years ago

I posted this on the Drupal page as well so I am sorry for the repeat.

I am running into an issue where if I log in, log out and then log back in, I run into "CSRF validation failed" errors. My suspicion is there is a problem with logout functionality deleting the session in the mobile app but not properly making a logout call to the Drupal CMS. I see an issue where the token that is being passed does not match what Drupal expects it to be for the current logged in user. I put some log statements in _services_sessions_authenticate_call. The token from the mobile application is consistently not matching what Drupal thinks the logged in token should be after the first login.

I am logging watchdog('My Token', $csrf_token); watchdog('expected token', drupal_get_token('services'));

Initially these match up but then they stop after I logout and log back in.

Also I am noticing that in jdrupal-7.0.5 that when a user logs in, in the success function another call is made to get a token which appears to be different for some reason than the token that is provided from the login. Shouldn't we be using the token we are getting from the login?

I am using services 7.x-3.20

signalpoint commented 5 years ago

I posted this on the Drupal page as well so I am sorry for the repeat.

No problem, I just closed the other one and marked as a duplicate.

I am noticing that in jdrupal-7.0.5 that when a user logs in, in the success function another call is made to get a token which appears to be different for some reason than the token that is provided from the login. Shouldn't we be using the token we are getting from the login?

A long time ago, the login call did not return the new token, so I set up jDrupal to automatically retrieve the new token after logging in. Since the login call now returns the new token (it's been a couple of years now since it does this), I never got around to updating jDrupal to just use the new token returned from the login result. However, I am fairly certain that the token that is returned after logging in is the same token that you would get if you manually asked for the token after logging in.

If the tokens are mismatching, I'd suspect you either have a CORS issue, or perhaps your application is running in a different domain (e.g. a subdomain) than your Drupal site. Both of these will cause weird session/token problems.

@tomflanagan Your thoughts?

tomflanagan commented 5 years ago

@signalpoint Currently, I am running locally and the mobile application is on the same domain. So the Drupal site is mysite.com and the application is mysite.com/mobile-application so I don't think it's a CORS issue. What's also weird is sometimes everything matches and we are good. Always on the initial login. I have also dropped my mobile-application into Cordova and run it from an iOS simulator with the same result. The other notable thing that makes me think logging out is the kickoff is that after logging out from the /mobile-application, I am still logged in at mobile-site.com root. I am going to keep digging...

signalpoint commented 5 years ago

@tomflanagan

The other notable thing that makes me think logging out is the kickoff

I'd check for any contrib/custom modules on your site that are hooking into (or customizing) the logout process.

Also, I'm sure you've checked, but perhaps watchdog is catching some type of PHP error with more clues.

tomflanagan commented 5 years ago

@signalpoint Authcache was the culprit! Thanks for the help!

tomflanagan commented 5 years ago

I should have caught that much sooner!