Stateless authentication cookie and JWT expiration is not refreshed at every request #18895

Closed
@mcollovati

Description

Description of the bug

When setting stateless authentication for a Hilla application, the signed JWT token is stored in a browser cookie. The expiration time of both token and cookie is configurable.

In the JWT Expiration paragraph of the documentation, it is mentioned that the JWT and cookie expiration time should be based on the last server request.

However, currently the expiration time is set after login and never updated.
After the expiration time is passed, the cookie is removed, even if the user is actively interacting with the application.

The issue may be caused by this change in Spring Security 6:
https://docs.spring.io/spring-security/reference/servlet/authentication/session-management.html#requireexplicitsave

VaadinWebSecurity should probably make sure that JwtSecurityContextRepository.saveContext() is explicitly invoked for every request.

Additional note: setting requireExplicitSave(false) as mentioned in the Spring Security documentation seems to cause other issues, such as login failing if it happens concurrently with other requests (e.g. a UIDL request or a resource to be loaded).

Expected behavior

The JWT and cookie expiration time are updated at every server request, as mentioned in the docs.

Minimal reproducible example

  • Create a Hilla application configured to use stateless authentication: npx @vaadin/cli init hilla-auth --hilla --auth
  • Open the application at http://localhost:8080 and login
  • Inspect one of the requests (e.g. in the Chrome dev tools network panel) and verify the JWT cookie is present. Take note of both the cookie Expires/Max-Age time and the JWT token "exp" claim value (e.g. use https://jwt.io/ to decode it); they should be the same.
  • After a while, interact with the application to trigger a request to the server (e.g. press the "Say hello" button in the "Hello World" view) and verify that the expiration time on both the cookie and the JWT token is not changed.

Versions

  • Vaadin / Flow version: 24.3 (but probably all versions based on Spring Security 6)
  • Java version: 17
  • OS version:
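The behaviour reported above, modelled as an added example (this is not Vaadin, Hilla or Spring Security code). It re-implements the policy the documentation promises: a signed JWT whose "exp" claim matches the cookie Max-Age, and which a server must re-issue on every authenticated request (sliding window) instead of leaving the expiry fixed at login time. The `Server` class has a `refresh_on_request` switch so the reproduction steps can be run both ways: with it off, the "exp" claim stays at the login-time value and the session dies while the user is active; with it on, every request pushes the expiry forward. The HMAC-SHA256 signing, the `SECRET` value, the 30-minute `TTL_SECONDS` and the `simulate` driver are all assumptions made for the example, and the hand-rolled token helpers stand in for a real JWT library.

```python
"""Sliding-expiration model for a signed JWT stored in a browser cookie (added example)."""
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import List, Optional, Tuple

SECRET = b"constructed-demo-secret"  # constructed for the example; load from config in real code
TTL_SECONDS = 1800                   # assumed cookie/JWT lifetime: 30 minutes


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict, secret: bytes = SECRET) -> str:
    """Produce a compact HS256 JWT (header.payload.signature) for the given claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, now: int, secret: bytes = SECRET) -> Optional[dict]:
    """Return the claims if the signature is valid and "exp" is still in the future, else None."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        return None
    claims = json.loads(_b64url_decode(payload))
    if claims.get("exp", 0) <= now:  # expired: a token is invalid from "exp" onwards
        return None
    return claims


def exp_claim(token: str) -> int:
    """Read the unverified "exp" claim, as one would with a decoder such as jwt.io."""
    return json.loads(_b64url_decode(token.split(".")[1]))["exp"]


@dataclass
class Cookie:
    value: str
    max_age: int  # must always equal the token's remaining lifetime


@dataclass
class Server:
    refresh_on_request: bool  # False reproduces the reported bug, True is the documented behaviour

    def login(self, user: str, now: int) -> Cookie:
        return Cookie(sign_jwt({"sub": user, "exp": now + TTL_SECONDS}), TTL_SECONDS)

    def handle_request(self, cookie: Optional[Cookie], now: int) -> Tuple[int, Optional[Cookie]]:
        """Return (HTTP status, Set-Cookie to send or None). Max-Age 0 means 'clear the cookie'."""
        if cookie is None:
            return 401, None
        claims = verify_jwt(cookie.value, now)
        if claims is None:
            return 401, Cookie("", 0)  # expired or tampered: remove the cookie
        if not self.refresh_on_request:
            return 200, None  # bug: expiry stays where login put it
        # Sliding window: re-sign with a fresh "exp" and matching Max-Age on every request.
        return 200, Cookie(sign_jwt({"sub": claims["sub"], "exp": now + TTL_SECONDS}), TTL_SECONDS)


def simulate(refresh_on_request: bool, request_times: List[int], login_time: int = 0) -> List[Tuple[int, Optional[int]]]:
    """Log in at login_time, then issue requests at the given times; return (status, exp) per request."""
    server = Server(refresh_on_request)
    cookie: Optional[Cookie] = server.login("alice", login_time)
    results = []
    for t in request_times:
        status, new_cookie = server.handle_request(cookie, t)
        if new_cookie is not None:
            cookie = new_cookie if new_cookie.max_age > 0 else None
        results.append((status, exp_claim(cookie.value) if cookie else None))
    return results


if __name__ == "__main__":
    # Same user activity, with and without the per-request refresh.
    print("fixed expiry  :", simulate(False, [600, 1200, 1900]))
    print("sliding expiry:", simulate(True, [600, 1200, 1900]))
```

With the refresh disabled, the third request (at 1900 s, past the 1800 s login-time expiry) is rejected and the cookie is cleared even though the user made requests at 600 s and 1200 s; with it enabled, each request extends "exp" by a further 30 minutes and the session survives. Whichever side re-issues the token, the cookie Max-Age and the "exp" claim must be set from the same timestamp, which is exactly the check the reproduction steps ask for.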
