Login Session Issue

Hi Radzen Team,

I am experiencing a login issue with a Blazor Server Project created by Radzen Blazor Studio. Please follow these steps:

  • Create a Blazor Server Application using Radzen Blazor Studio.
  • Connect to the MySQL database.
  • Add security based on ASP.NET Core Identity with default settings.
  • Run the project, log in with admin/admin, and create a new user (a@gmail.com).
  • Log in as user 'a@gmail.com' in the Chrome browser.
  • Open the Microsoft Edge browser at https://localhost:5001 -> redirect to the login page -> OK.
  • Take a coffee break and do nothing for a 30-minute period (sometimes 20 minutes or 60 minutes) (important).
  • Open the Microsoft Edge browser at https://localhost:5001 -> redirect to the login page -> still OK.
  • Refresh the Chrome browser (important).
  • Open the Microsoft Edge browser at https://localhost:5001 -> already logged in as user 'a@gmail.com' -> Issue.
  • Continuously refresh the Microsoft Edge browser for a 2-minute period.
  • The Microsoft Edge browser redirects to the login page after a 2-minute period.

I have recorded a video of the process:
https://www.youtube.com/watch?v=mNt99mcxKxE

What is this error, and how can it be addressed?

Hi @vthanhweb,

This is indeed strange. However, I couldn't reproduce it locally. Refreshing the second browser never caused automatic login to happen. By the way, I added this code to reduce the session timeout.

builder.Services.ConfigureApplicationCookie(options =>
{
    options.ExpireTimeSpan = TimeSpan.FromSeconds(30);
    options.SlidingExpiration = false;
});

I inserted it just before var app = builder.Build(); in Program.cs.

The login relies entirely on the built-in ASP.NET Core Identity. You can try debugging the application to see when the CurrentUser method of the AccountController class is called.

Hi korchev

I have debugged this many times in another new project. It is the same.

Refreshing the web browser for a logged-in user who has been inactive for a long time (approximately 20 to 60 minutes, without closing the browser) will make all sessions be logged in as this user for a duration of 2 minutes.

The CurrentUser method always returns user 'a@gmail.com' for a duration of 2 minutes after refreshing the browser.

I can't reproduce this behavior in local tests. Maybe I am missing something. Please try with the suggested code to reduce the session expiration and see if you can reproduce this in a more predictable manner.

Can you try something?

Replace this code in Program.cs:

builder.Services.AddHttpClient("AppName").AddHeaderPropagation(o => o.Headers.Add("Cookie"));

with this

builder.Services.AddHttpClient("AppName")
                .ConfigurePrimaryHttpMessageHandler(() => new HttpClientHandler
                {
                    UseCookies = false
                }).AddHeaderPropagation(o => o.Headers.Add("Cookie"));

It seems that cookies can be cached.

I conducted further research and managed to reproduce the problem. It seems to be related to session sliding expiration and the default cookie caching done by HttpClient.

When the user logs in in one browser and then opens http://localhost:5001 in another browser, everything is fine. If, however, browser 1 is refreshed some time before the session expires, something happens in ASP.NET internally and the cached cookie from browser 1 is reused in browser 2. I tested with a 30-second session with sliding expiration enabled:

builder.Services.ConfigureApplicationCookie(options =>
{
    options.ExpireTimeSpan = TimeSpan.FromSeconds(30);
});

and reloaded the home page after 20 seconds via this code in Index.razor.cs.

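        private int timer;                          // seconds elapsed since the page was initialized
        private System.Threading.Timer reloadTimer; // field reference keeps the timer from being garbage collected

        protected override void OnInitialized()
        {
            // The callback is an async lambda passed as a TimerCallback, i.e. async void.
            reloadTimer = new System.Threading.Timer(async _ =>
            {
                timer++;

                if (timer == 20)
                {
                    try
                    {
                        // Force a full reload of the home page after 20 seconds.
                        NavigationManager.NavigateTo("/", true);
                    }
                    catch (Exception)
                    {
                        // Ignored: this is test-only code.
                    }
                }

                await InvokeAsync(StateHasChanged);
            }, null, 0, 1000);
        }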

Setting UseCookies to false seems to solve the problem. At least I wasn't able to reproduce it for more than 2 hours of testing.

The solution is this:

builder.Services.AddHttpClient("AppName") // "AppName" is your application name and will be different
                .ConfigurePrimaryHttpMessageHandler(() => new HttpClientHandler
                {
                    UseCookies = false // <-- disable cookie caching
                }).AddHeaderPropagation(o => o.Headers.Add("Cookie"));

Let me know if this fixes the issue for you. To avoid waiting for the entire session interval reduce it to a shorter interval.
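The mechanism described in this thread, shown in isolation as an added example that is not part of the original posts or of the Radzen-generated project: a shared HttpClientHandler with UseCookies enabled stores the Set-Cookie from one user's response and replays it on a later request that carries no cookie. The local HttpListener endpoint, port 5055, the X-Renew trigger header and the cookie values are constructed for the demonstration.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Text;
using System.Threading.Tasks;

// Constructed values for this demo: local port, trigger header and cookie contents.
const string Url = "http://localhost:5055/";
const string AuthCookie = ".AspNetCore.Identity.Application";

// Stand-in for the app's own endpoint: replies with the Cookie header it received.
// A request carrying X-Renew gets a Set-Cookie back, like a sliding-expiration renewal.
using var listener = new HttpListener();
listener.Prefixes.Add(Url);
listener.Start();
_ = Task.Run(async () =>
{
    while (true)
    {
        HttpListenerContext ctx;
        try { ctx = await listener.GetContextAsync(); }
        catch (Exception) { return; } // listener was stopped
        if (ctx.Request.Headers["X-Renew"] != null)
            ctx.Response.AppendHeader("Set-Cookie", $"{AuthCookie}=renewed-user-a; path=/");
        var seen = ctx.Request.Headers["Cookie"] ?? "(no cookie)";
        ctx.Response.Close(Encoding.UTF8.GetBytes(seen), true);
    }
});

async Task<string> CookieSentForSecondUser(bool useCookies)
{
    // One handler serves every caller, as a pooled IHttpClientFactory handler does.
    using var client = new HttpClient(new HttpClientHandler { UseCookies = useCookies });

    // User 1 is logged in: the cookie is propagated and the response renews it.
    using var first = new HttpRequestMessage(HttpMethod.Get, Url);
    first.Headers.Add("Cookie", $"{AuthCookie}=user-a");
    first.Headers.Add("X-Renew", "1");
    (await client.SendAsync(first)).Dispose();

    // User 2 is anonymous: the application propagates no Cookie header at all.
    return await client.GetStringAsync(Url);
}

Console.WriteLine($"UseCookies=true  -> second user's request carried: {await CookieSentForSecondUser(true)}");
Console.WriteLine($"UseCookies=false -> second user's request carried: {await CookieSentForSecondUser(false)}");
listener.Stop();
```

IHttpClientFactory pools and reuses the primary handler across requests, with a default handler lifetime of two minutes, which is consistent with the two-minute window reported in this thread.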

Hi korchev

I have tried multiple times; disabling cookie caching has resolved my issue.

Thank you so much.

BTW: Can you add a "disable cookie cache" option in Radzen Blazor Studio?

Yes, it will be on by default with the next release.