Closed anku255 closed 4 months ago
In Server Side Rendering (SSR), we use the `TryRefreshComponent` to refresh sessions. If `olderCookieDomain` is set when changing the `cookieDomain`, clients with session cookies under the old domain will require multiple refresh cycles to update their expired session cookies. The `useEffect` in `TryRefreshComponent` doesn't run after the first cycle, causing the UI to stall at "Loading...". To resolve this, add a `key` prop to `TryRefreshComponent` to force re-rendering, ensuring `useEffect` runs again.
Issue
There is an edge case where changing the `cookieDomain` config on the server can lead to session integrity issues. For instance, if the API server URL is 'api.example.com' with a cookie domain of '.example.com', and the server updates the cookie domain to 'api.example.com', the client may retain cookies with both '.example.com' and 'api.example.com' domains. Consequently, if the server chooses the older cookie, session invalidation occurs, potentially resulting in an infinite refresh loop.
Solution
To fix this, users are asked to specify `olderCookieDomain` in the config. After this, the flow would look like this:
- `apiDomain`: 'api.example.com'
- `cookieDomain`: 'api.example.com'

Flow:

1. The client has a session cookie with `domain=api.example.com`, but the access token has expired.
2. The server changes `cookieDomain` to `.example.com`.
3. The request (sent with the cookie for `domain=api.example.com`) results in a 401 response.
4. The client calls the refresh endpoint, which issues cookies with `domain=.example.com`.
5. If `olderCookieDomain` is not set, the refresh fails with a 500 error.
6. `olderCookieDomain` is then set in the config.
7. With `olderCookieDomain` set, the refresh clears the older cookie, returning a 200 response.
8. The next request uses the new cookie (`domain=.example.com`), resulting in a successful request.
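Added example (plain Node.js, not SuperTokens' own code) modelling the flow above: a refresh endpoint that receives the Cookie header a browser sends when it holds `sRefreshToken` under both `api.example.com` and `.example.com`, and a client loop that keeps refreshing until a new session is issued. The cookie name, token values, rotation and validity check are all constructed for the model. What it shows is that the Cookie header carries no Domain attribute, so the server cannot tell the old token from the new one; it must either refuse (500, no `olderCookieDomain`) or explicitly clear the cookie at the older domain, which costs the client one extra refresh cycle, which is the multi-cycle behaviour that makes the `key` prop on `TryRefreshComponent` necessary.

```javascript
// Constructed model of a session-refresh endpoint plus a browser cookie jar.
// Not SuperTokens code; cookie name, tokens and checks are assumptions.
const REFRESH_COOKIE = "sRefreshToken"; // assumed cookie name
const EXPIRED = "Thu, 01 Jan 1970 00:00:00 GMT";

// Cookie request header -> Map(name -> [values]). The browser sends every
// cookie whose Domain matches the host, so one name may appear twice, and
// nothing in the header says which domain each value came from.
function parseCookieHeader(header) {
  const out = new Map();
  for (const part of (header || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq === -1) continue;
    const name = part.slice(0, eq).trim();
    if (!name) continue;
    if (!out.has(name)) out.set(name, []);
    out.get(name).push(part.slice(eq + 1).trim());
  }
  return out;
}

// Parse one Set-Cookie header emitted by handleRefresh below.
function parseSetCookie(line) {
  const [pair, ...attrs] = line.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const c = { name: pair.slice(0, eq), value: pair.slice(eq + 1), domain: "", expires: "" };
  for (const a of attrs) {
    const i = a.indexOf("=");
    const k = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    const v = i === -1 ? "" : a.slice(i + 1);
    if (k === "domain") c.domain = v;
    if (k === "expires") c.expires = v;
  }
  return c;
}

// Server side. config = { cookieDomain, olderCookieDomain? }; validTokens is a
// Set standing in for real token verification.
function handleRefresh(cookieHeader, config, validTokens) {
  const tokens = parseCookieHeader(cookieHeader).get(REFRESH_COOKIE) || [];
  if (tokens.length === 0) return { status: 401, setCookie: [], newSession: false };
  if (tokens.length > 1) {
    // Ambiguous: a token from the old domain and one from the new domain.
    if (!config.olderCookieDomain) {
      return { status: 500, setCookie: [], newSession: false,
               error: "multiple refresh tokens; configure olderCookieDomain" };
    }
    // Clear the cookie at the older domain; the client has to refresh again.
    const clear = `${REFRESH_COOKIE}=; Domain=${config.olderCookieDomain}; Path=/; ` +
                  `Expires=${EXPIRED}; HttpOnly; Secure`;
    return { status: 200, setCookie: [clear], newSession: false };
  }
  if (!validTokens.has(tokens[0])) return { status: 401, setCookie: [], newSession: false };
  // Rotate the token and issue it under the current cookieDomain.
  const rotated = tokens[0] + ".r";
  validTokens.delete(tokens[0]);
  validTokens.add(rotated);
  const set = `${REFRESH_COOKIE}=${rotated}; Domain=${config.cookieDomain}; Path=/; HttpOnly; Secure`;
  return { status: 200, setCookie: [set], newSession: true };
}

// Client side. jar = [{ name, value, domain }]; every entry matches the API host.
function cookieHeaderFor(jar) {
  return jar.map((c) => `${c.name}=${c.value}`).join("; ");
}

function applySetCookies(jar, lines) {
  for (const line of lines) {
    const c = parseSetCookie(line);
    const i = jar.findIndex((j) => j.name === c.name && j.domain === c.domain);
    if (c.expires === EXPIRED) { if (i !== -1) jar.splice(i, 1); continue; }
    if (i === -1) jar.push({ name: c.name, value: c.value, domain: c.domain });
    else jar[i].value = c.value;
  }
}

// Refresh the way a TryRefresh-style component does, until a new session
// arrives, an error comes back, or we give up.
function refreshUntilSettled(jar, config, validTokens, maxCycles = 5) {
  for (let cycle = 1; cycle <= maxCycles; cycle++) {
    const res = handleRefresh(cookieHeaderFor(jar), config, validTokens);
    applySetCookies(jar, res.setCookie);
    if (res.status !== 200 || res.newSession) return { cycles: cycle, status: res.status };
  }
  return { cycles: maxCycles, status: "stalled" };
}

// Constructed scenario: cookieDomain moved from api.example.com to .example.com
// and the client still holds a refresh cookie under each domain.
function scenario(olderCookieDomain) {
  const jar = [
    { name: REFRESH_COOKIE, value: "old-token", domain: "api.example.com" },
    { name: REFRESH_COOKIE, value: "new-token", domain: ".example.com" },
  ];
  const validTokens = new Set(["old-token", "new-token"]);
  const config = { cookieDomain: ".example.com", olderCookieDomain };
  return { ...refreshUntilSettled(jar, config, validTokens), domains: jar.map((c) => c.domain) };
}

console.log(scenario(undefined));         // status 500 after 1 cycle, both cookies kept
console.log(scenario("api.example.com")); // status 200 after 2 cycles, only .example.com left
```

The two-cycle result is the case the `key` prop addresses: the first refresh only clears the older cookie, so the component must mount its effect again to issue the second refresh that actually produces a session.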