We're troubleshooting an issue at an onsite customer where a user is kicked out of the 9.1 web client several times each day.
One of the leads I'm following is the fact that the log file complains that "X-XSRF-TOKEN HTTP header not valid", so I'm trying to dig into how XSRF tokens are handled in the GUI, and whether this could cause the user to be logged out, or whether the error message is a consequence of another issue.
My understanding of XSRF in SuperOffice thus far is this:
- The XSRF token is generated server-side, and remains the same during the entire session. Logging out and back in, or logging in from another browser, will assign a new token.
- The token is delivered in two ways from the server to the client: both in an HTML element called 'XSRF_TOKEN', and in a cookie called 'XSRF-TOKEN'.
- When navigating in the GUI many requests are made back to the server, and the token is sent to the server via the cookie for absolutely all requests (even for static images). I don't think sending the XSRF token in a cookie back to the server is used for anything. The token could probably have been stored in local storage instead.
- Requests to the new REST API at /SuperOffice/api/... (typically for getting data for archives) will include an HTTP header called X-XSRF-TOKEN. This is the scenario where the token is actually required, since the server will return a 400 error if the header does not contain the correct token.
- By intentionally breaking the XSRF token in the GUI (by editing the HTML code for XSRF_TOKEN in Chrome developer tools, and changing the value of the XSRF-TOKEN), and navigating in the client, I can observe HTTP Status Code 400 errors from some of the calls. However, I'm not logged out.
- Some of the requests from the GUI to the REST API will use the XSRF token retrieved from HTML element, while other requests will use the value from the XSRF-TOKEN cookie.
- I am not sure if WebTools uses X-XSRF-TOKEN, but from the stack trace in the NetServer log file it might seem so.
Hopefully someone can confirm, amend or refute some of my assumptions above, so that we can get a good understanding of how this works.
Can problems with XSRF token cause user session to be terminated?
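To make the behaviour described in the post concrete, here is an added model of the server-side check (example code written for this thread, not SuperOffice's own implementation). It assumes a per-session token stored in an in-memory dictionary, that only paths under /SuperOffice/api/ are checked, and that the check compares the X-XSRF-TOKEN header against the stored token; the endpoint path, session id and log line format are constructed for the example. The scenario replays the observations above: a static image without the header passes, an edited header gets 400, and the session itself survives the failed checks, so a 400 from this check is not by itself a logout.

```python
import hmac
import secrets

# Constructed in-memory session store: session id -> XSRF token issued at login.
# Stands in for whatever server-side store the real product uses (assumption).
SESSIONS: dict[str, str] = {}
LOG: list[str] = []

# Constructed endpoint under the API prefix mentioned in the post (not a real route).
API_PATH = "/SuperOffice/api/example-endpoint"


def login(session_id: str) -> str:
    """Start a session and mint its XSRF token; a new login mints a new token."""
    token = secrets.token_urlsafe(32)
    SESSIONS[session_id] = token
    return token


def logout(session_id: str) -> None:
    SESSIONS.pop(session_id, None)


def requires_xsrf_header(path: str) -> bool:
    """Only REST API calls are protected; static content is served without a check."""
    return path.startswith("/SuperOffice/api/")


def handle_request(session_id: str, path: str, headers: dict[str, str]) -> int:
    """Return the HTTP status the modelled server answers with.

    The browser sends the XSRF-TOKEN cookie on every request, but the check
    reads the X-XSRF-TOKEN header and compares it with the token stored for
    the session. A mismatch is answered with 400; the session is left intact.
    """
    expected = SESSIONS.get(session_id)
    if expected is None:
        return 401  # no live session: the only outcome that means "logged out"
    if not requires_xsrf_header(path):
        return 200
    supplied = headers.get("X-XSRF-TOKEN", "")
    # Constant-time comparison so the check does not leak the token byte by byte.
    if not hmac.compare_digest(supplied, expected):
        LOG.append(f"{path}: X-XSRF-TOKEN HTTP header not valid")
        return 400
    return 200


def run_scenario() -> dict[str, object]:
    """Replay the observations from the post against the model."""
    sid = "session-A"  # constructed session id
    token = login(sid)
    results: dict[str, object] = {
        "image_without_header": handle_request(sid, "/SuperOffice/img/logo.png", {}),
        "api_with_valid_header": handle_request(sid, API_PATH, {"X-XSRF-TOKEN": token}),
        # Header value edited in the browser, as in the dev-tools experiment.
        "api_with_edited_header": handle_request(sid, API_PATH, {"X-XSRF-TOKEN": token + "x"}),
        "api_without_header": handle_request(sid, API_PATH, {}),
    }
    # The failed checks did not remove the session: the correct token still works.
    results["session_still_alive"] = handle_request(sid, API_PATH, {"X-XSRF-TOKEN": token}) == 200
    # Logging in again rotates the token, so the old one is rejected from then on.
    new_token = login(sid)
    results["old_token_after_relogin"] = handle_request(sid, API_PATH, {"X-XSRF-TOKEN": token})
    results["new_token_after_relogin"] = handle_request(sid, API_PATH, {"X-XSRF-TOKEN": new_token})
    # Only an actual logout makes the server stop recognising the session.
    logout(sid)
    results["after_logout"] = handle_request(sid, API_PATH, {"X-XSRF-TOKEN": new_token})
    return results


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
    print("\n".join(LOG))
```

In this model the "not valid" log line and a 400 response are produced by the token check alone, while a 401 only appears once the session is gone; if the real logs show the session ending around the same time, the cause has to be something other than the header check itself, for example the token being rotated by a second login in another browser, which this model also reproduces.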