Handling errors with “Session token is expired.” for automatic (anonymous) users #4799
Comments
|
Hi @AlexGingell this is a known issue for the anonymous sessions. They will effectively expire after their expiration time. That would be interesting to either:
Given the current state of the SDK's, the latter solution would be probably the one that is more suited. What do you think? |
|
Hi @flovilmart Thank you for the incredibly fast response. I'm glad it's not because I'm doing something silly. The two solutions you propose seem equivalent in terms of user experience. I assume by "regenerate a session" you mean you would create a new session token / session for the user. In this case, it would be preferable to me to simply extend the validity of the current token, because it would produce less clutter in the database, avoiding a proliferation of invalid tokens/sessions. The "Expire inactive session" server setting - does this not do anything then? What constitutes inactivity? At face value this makes it seem like the session would expire if the user didn't perform any operation for a set time period, but there is nowhere to set that time period and it may be vestigial. Extending the sessions when they are in use would be fine, but if the user puts down the app for 2 years and then picks it up again, we would want their automatic user session token to extend even if it had become invalid in the interim. What do you think should be done? This seems like a high priority given that the default session length is 1 year and Parse Server has been around for longer than this now. |
Yes this is something that need to be addressed, but, if you do not plan to have expiring sessions, you can very well for now set all your sessions expiration dates in a distant future right from mongodb. |
|
@flovilmart I would certainly appreciate any help you could give me. I have around 3.18 million sessions in our database and, frankly, I'm not used to editing them directly and I'm afraid to break anything! I am heartened by your responses though, and looking forward to solving this issue for our users. Is the session length used dynamically in the sense that a users session expiry date is updated each time they log in, or is the expiry date set on creation of the anonymous PFUser? I'm just wondering if I update the session length to 3 years (for example) if that will only apply to new PFUsers, or would extend the expiry date for existing users. |
|
The session expiration is a date set on the expiresAt field. So you’re right, setting to 3 years affects all users. I’ll try to work on a workaround that makes the anonymous users sessions with expanding expiration date |
|
@flovilmart but is the expiresAt field set only on creation (using the session length at time of creation) or is it something that is updated dynamically every time the PFUser is saved (for example)? I have migrated to Parse Server v2.6.2 and extended session length to three years, but I still see these invalid session token logs. This suggests that new users are going to be just fine for 3 years, but all previous users are still marching towards (or beyond) their 1 year expiresAt limit. In fact, since moving to v2.6.2 I notice additional new "bad request" errors that were not present in 2.3.2: I can try moving to v2.7.2 - just wondering which version of node you recommend for it? |
|
First you should probably move to 2.8.1, as 2.6.2 is quite old. Also, as I mentioned; this is expected, the expiresAt is set only once, on creation and never updated. |
|
@flovilmart Understood - I was confused when you said "So you’re right, setting to 3 years affects all users." Nodechef (who we're hosted with) only support up to v2.7.2 at this time. We're now on Node.js v6.11.1 and Parse v2.6.2. I see that Parse Server 2.7 requires at least Node 6.11.4. We only have the option of 6.11.1 or moving up to between 7.0 and 8.9.0. Do you recommend a particular version of node for Parse 2.7.2 and above? Thank you for your excellent support! |
|
I would recommend to stick to the latest version as we provide bug fixes only for the latest versions. Also, it is known that nodechef runs a fork of parse-server so I can’t speak to the compatibility with the open source project. Node 6 is retired and not supported anymore, the LTS version is 8.10. You should update it as well (or let nodechef know that it’s oudated) |
|
@flovilmart Thank you for the advice. I've managed to get us to Node.js v7.10.1 and Parse v2.7.2. I know these are both outdated, but it's a start. I will contact Nodechef, and in the meantime, explore the possibility of resetting all expiresAt fields manually to mitigate token problems until your solution is applicable. I'll monitor this and be on hand to help if I can. I appreciate your time and effort - thank you! :) |
|
Yep, you should ask NodeChef for that or directly from mongodb. |
|
@flovilmart I just updated all our sessions giving them an expiresAt date in 2021, and I can confirm that this appears to fix the error code 209 issue (or at least works around it until a solution is implemented in Parse Server). I was working with users with this issue, and the second I did that, all the problems righted themselves and they were able to synchronise with our database. I haven't seen a "Session token is expired" error since doing that. We still seem to get some "invalid session token" and errors in the logs. We also still see: and This last error only started appearing today after I migrated from Parse Server v2.3.2 / Node.js v6.11.1. I'm tempted to downgrade and see if this goes away. We have about 45k DAU today, and I'm seeing these bad requests or 'cannot modify user' errors every 5-10 minutes or so in the logs. EDIT: I downgraded to Parse v2.3.2 and Node.js v6.11.1. I no longer see BadRequestError request aborts, though 101, 206 errors still persist. I realise we're now off-topic, but it's not clear why users can't be modified or sessions are invalid. |
|
This was a very useful thread, thanks! Alex, you wrote that you updated all your sessions. Did you update the mongodb directly or how? |
|
Hi Claes,
Glad you found it helpful!
I updated the mongodb directly using Studio 3T to update all Session
objects expiresAt dates and set them to a date 3 years in the future.
I never need tokens to expire as we only use anonymous users, so I just
bought myself time to either see a fix for anonymous users, implement user
profiles and proper session management or simply edit the database once
again nearer that date.
Best,
Alex
…On Thu, 4 Oct 2018 at 10:56, Claes Jacobsson ***@***.***> wrote:
This was a very useful thread, thanks!
Alex, you wrote that you updated all your sessions. Did you update the
mongodb directly or how?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#4799 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/Ac41TkOCQmFeo40o9CB9L8BVDA_F_bhkks5uhdtQgaJpZM4UVI4k>
.
|
|
Thanks for your quick response! I have the same situation. I have no real experience with manipulating the prod db directly, but it was pretty straightforward? |
|
Me neither! This is literally the only thing I ever did in Studio 3T.
There's a trial version you can use for non-commercial purposes if you want
to check it out.
I don't remember the specifics, but if you google you should be able to
figure out how to update a single field in all database Session objects
fairly easily. Iirc it was using a simple query to determine which objects
to edit, and defining the updated field - very straightforward and took a
couple of minutes to update a few million session objects.
…On Thu, 4 Oct 2018 at 11:06, Claes Jacobsson ***@***.***> wrote:
Thanks for your quick response!
I have the same situation. I have no real experience with manipulating the
prod db directly, but it was pretty straightforward?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#4799 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/Ac41Tl9kEho6wuUa9qFIFzWrO7cc2hp-ks5uhd2cgaJpZM4UVI4k>
.
|
|
Sound great! Thanks a lot, I really appreciate it :-) |
|
Great conversation. Helped me a lot today! |
|
@AlexGingell Thank you for the incredibly detailed description of your problem! Reading through it helped me realize a bit more about what is going on in my own app, as I'm seeing pretty much the exact same issue. To me, it seems like the appropriate thing for a client to do when its authentication token has expired is to request a new one. You pointed out that anonymous users are a somewhat different case, and that prompting a user to "log in again" when they never logged in in the first place does not seem like appropriate behavior, and I agree. So, it seems like what should happen is the same thing that happened when they first launched your app: a session token was requested and granted freely by the server without the requirement of login credentials. But I suppose there's a bit of a security concern in that behavior though. Consider this scenario:
Does anyone know what the interaction of requesting a session token for an anonymous user looks like? Is there any way that refreshing a token for an anonymous user could work so that only the user that requested the first token receives the new one? |
|
Just as a note: You can also add |
Issue Description
My iOS app uses Parse Server's automatic user feature, namely users do not have to provide login credentials, but instead are logged in automatically and anonymously. These are not users that have been migrated from Parse.com, but automatic users with revocable sessions generated by hosted Parse Server.
Our client-side Parse initialisation looks like this:
On the server, "Expire inactive session" is YES, and "Revoke session on password reset" is YES. Session length is 1 year in seconds. I do not fully understand what constitutes an "inactive" session as far as "Expire inactive session" goes, and exactly what "Expire" constitutes - deletion from the database, or just making the token invalid. It seems to me that the session remains valid simply for "session length" after its inception, regardless of other factors.
Based on that understanding, everything works as expected - the user can communicate with the database - and at the 1 year mark, the session token appears to expire naturally.
With a standard login flow, one would clearly then display a screen allowing the user to login and refresh their token. However, in the case of automatic or anonymous users, that makes no sense - they never entered any login credentials, and so they have no means of refreshing their credentials manually.
Given that automatic user is enabled, I would have expected that Parse Server would automatically generate a new session token for a user with anonymous credentials. Instead, any interaction with the server or database fails with:
Error Domain=Parse Code=209 "Session token is expired." UserInfo={code=209, temporary=0, error=Session token is expired., NSLocalizedDescription=Session token is expired.}I note that in Parse Server's authentication tab "App authentication settings", that "Enable Anonymous Authentication" is actually set to NO. My understanding here is that this would simply let users communicate with Parse server without a valid session token or valid PFUser object. This is not really what we want - we want a valid anonymous PFUser to communicate, as we may later want to transition then to a regular PFUser. I've tried switching it to YES, but we still see the same errors.
I am using Parse Server v2.3.2 with MongoDB v3.0.12, and iOS Parse SDK v1.17.1. I am looking to upgrade to the latest versions, but I want to take the time to understand what the problem is first, and if/how this may solve the problem.
Is this a known bug, solved by a later version or not? Is this a problem with my implementation or understanding? Can anyone help me with a solution?
Deleting the app and reinstalling it fixes the problem, because a new automatic user is generated and a fresh session token is provided. In the database this appears as a completely new user and the old one sits unused forevermore.
I would like to implement a solution that simply grants a new session token for anonymous users with an expired token. It seems as though I must set a finite session length, and I would rather not just set it to 100 years - it does not solve the problem for existing users and feels like a hack.
Thank you for your help.
Kind regards,
Alex
Steps to reproduce
On the client, initialise Parse with:
On the server use:
Anonymous automatic users are created for new users. They work as expected during their valid lifetime. After an automatic PFUser has existed for "Session Length" the session token expires.
Expected Results
Given that the user did not enter any credentials and that automatic user is enabled, I would have expected Parse Server to grant a new valid (revocable) session token automatically.
Actual Outcome
Client-server interactions fail with error code 209: "Session token is expired.", 101, or 206. 101 is clearly related to the invalid Session Token. 206 may or may not be a related issue.
The client is effectively cut adrift from our back-end and cannot synchronise with our database or interact with our server.
They cannot be asked to log in, as they have no credentials with which to log in. Currently it seems they are forced to reinstall the app and become a new anonymous user.
Environment Setup
Server
Database
Logs/Trace
Initialisation
--- Configure Facebook Authentication --
--- Enable Anonymous Authentication --
--- Allow Client Class Creation Disabled ---
--- Expire Inactive Sessions Enabled ---
--- Revoke Session On Password Reset Enabled ---
--- Session length in seconds: 31536000 ---
Example 209
Session token is expired.
Example 206
Error generating response. ParseError
{
"code": 206,
"message": "Cannot modify user k6uCHupaxA."
}
Cannot modify user k6uCHupaxA.
Example 101
Error handling request: ParseError
{
"code": 101,
"message": "invalid session"
}
invalid session
The text was updated successfully, but these errors were encountered: