Fix for page overlay sidebar authentication failure #18569
Closed
Description:

Fixes #18538

When using the page overlay feature, the `notifyParentIframe` call intermittently gets sent without a session cookie. This is quite random and only occurs approximately once in every 20-30 calls. It appears to be a race condition related to iframe access to cookies. Because there is no session cookie, a new session is started and the response to the `notifyParentIframe` sets a new session cookie which invalidates the session. This is apparent when the `loadSidebar` call is made shortly after and the `token_auth` is rejected and the user is forcibly logged out.

Without a solution to the race condition issue this PR is a workaround to prevent the session breaking. It's not possible to check the session cookie via javascript so a server side check is implemented which will remove the `set-cookie` header when responding to a `notifyParentIframe` without any cookies.

To recreate:
- `notifyParentIframe`
- `notifyParentIframe` call in the console, it will be missing a request session cookie and will receive a set cookie for a new session

With this fix the `notifyParentIframe` call will still be made without a session cookie, but no set cookie will be returned in the response and the session will not break.

See also L3-197
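To make the failure mode and the workaround concrete, here is a small simulation added to this page (it is not Matomo's code). It assumes a hypothetical session cookie name, that the browser adopts any `Set-Cookie` it receives, and that `token_auth` is only valid for the session that issued it.

```python
"""Constructed simulation of the session-breaking race and the PR's
server-side workaround. Cookie name is a hypothetical placeholder."""
import secrets

SESSION_COOKIE = "SESSID"  # hypothetical cookie name, not Matomo's

class Server:
    def __init__(self):
        self.sessions = {}  # session id -> token_auth bound to it

    def start_session(self):
        sid = secrets.token_hex(8)
        self.sessions[sid] = secrets.token_hex(16)
        return sid

    def handle(self, action, cookies, token_auth=None, workaround=False):
        """Return (status, response_headers) for one request."""
        headers = {}
        sid = cookies.get(SESSION_COOKIE)
        if sid not in self.sessions:
            # no (or unknown) session cookie: a fresh session is started
            sid = self.start_session()
            headers["Set-Cookie"] = f"{SESSION_COOKIE}={sid}"
        if action == "loadSidebar":
            if self.sessions[sid] != token_auth:
                return 401, headers  # token_auth rejected -> forced logout
            return 200, headers
        if action == "notifyParentIframe" and workaround and not cookies:
            # PR workaround: do not issue a new session cookie for a
            # notifyParentIframe request that arrived with no cookies
            headers.pop("Set-Cookie", None)
        return 200, headers

def browser_flow(workaround):
    """Log in, then race: notifyParentIframe is sent without cookies and
    loadSidebar follows. Returns loadSidebar's HTTP status code."""
    server = Server()
    sid = server.start_session()               # logged-in session
    token = server.sessions[sid]
    jar = {SESSION_COOKIE: sid}
    _, hdrs = server.handle("notifyParentIframe", {}, workaround=workaround)
    if "Set-Cookie" in hdrs:                   # browser adopts the new cookie
        name, value = hdrs["Set-Cookie"].split("=", 1)
        jar[name] = value
    status, _ = server.handle("loadSidebar", jar, token_auth=token)
    return status
```

Without the workaround the new cookie replaces the logged-in session and `loadSidebar` is rejected; with it the original session survives.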
Review