Some users are seeing a large number of REST sessions being created and unnecessary prompts for local login, such as the browser's Basic authentication challenge. This issue is related to Chat, VTB, Presence, and other message-based features. If SSO is in use, this issue can cause unwanted behavior:
- Local login from browser requesting user to re-login
- Excessive volume of "Basic authentication failed for user:" log messages (specifically after upgrade to Helsinki)
- Locking out users due to invalidated credentials sent repeatedly to instance
- Log messages similar to "User <user_name> locked out due to too many invalid login attempts"
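As an added example (not part of the article), the following Python script scans system-log lines for the two messages listed above and separates a burst of repeated failures, which is what a browser resending stale credentials every few seconds looks like, from an occasional mistyped password. The log lines are constructed; the timestamp and thread prefix are an assumed layout, and the threshold and window are tunable guesses rather than values from the article.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not captured from a real instance). The
# "Basic authentication failed for user:" and "locked out due to too many
# invalid login attempts" texts are the messages quoted in the article;
# the timestamp and "(123) worker.0" prefix are an assumed layout.
SAMPLE_LOG = """\
2016-09-01 10:00:01 (123) worker.0 Basic authentication failed for user: alice
2016-09-01 10:00:03 (123) worker.0 Basic authentication failed for user: alice
2016-09-01 10:00:05 (123) worker.1 Basic authentication failed for user: alice
2016-09-01 10:00:07 (123) worker.0 Basic authentication failed for user: alice
2016-09-01 10:00:09 (123) worker.1 Basic authentication failed for user: alice
2016-09-01 10:00:11 (123) worker.0 Basic authentication failed for user: alice
2016-09-01 10:00:11 (123) worker.0 User alice locked out due to too many invalid login attempts
2016-09-01 10:02:30 (124) worker.2 Basic authentication failed for user: bob
2016-09-01 10:08:45 (124) worker.2 Basic authentication failed for user: bob
"""

TS_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)")
FAILED_RE = re.compile(r"Basic authentication failed for user: (\S+)")
LOCKED_RE = re.compile(r"User (\S+) locked out due to too many invalid login attempts")


def parse_auth_events(log_text):
    """Return (failures, lockouts): failures maps user -> list of datetimes
    of failed Basic logins; lockouts is the set of users reported locked out."""
    failures = defaultdict(list)
    lockouts = set()
    for line in log_text.splitlines():
        ts_match = TS_RE.match(line)
        if not ts_match:
            continue  # skip lines that do not carry the assumed timestamp
        ts = datetime.strptime(ts_match.group(1), "%Y-%m-%d %H:%M:%S")
        m = FAILED_RE.search(line)
        if m:
            failures[m.group(1)].append(ts)
            continue
        m = LOCKED_RE.search(line)
        if m:
            lockouts.add(m.group(1))
    return dict(failures), lockouts


def burst_users(failures, threshold=5, window=timedelta(seconds=60)):
    """Users with at least `threshold` failures inside any `window`: the
    signature of a client replaying stale credentials, not a person mistyping."""
    flagged = set()
    for user, times in failures.items():
        times = sorted(times)
        start = 0
        for end in range(len(times)):
            # slide the window start forward until it fits within `window`
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(user)
                break
    return sorted(flagged)


def triage(log_text, threshold=5, window=timedelta(seconds=60)):
    """Summarize per-user failure counts, burst users, and lockouts."""
    failures, lockouts = parse_auth_events(log_text)
    return {
        "failure_counts": {u: len(t) for u, t in failures.items()},
        "burst_users": burst_users(failures, threshold, window),
        "locked_out": sorted(lockouts),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

In the constructed sample, alice's six failures arrive two seconds apart and end in a lockout, which is the pattern this article describes; bob's two failures six minutes apart are left alone. Run the same function over a real syslog export and compare the burst users against the lockout list to see whether the lockouts are caused by the replayed-credential loop rather than by users.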
Steps to Reproduce
- Open a non-production instance.
- In the Application Navigator, type sys_properties.list in the Filter navigator field and press enter or return on your keyboard.
- Search for the property named glide.ui.session_timeout.
- Set the property to 1 so that sessions time out after 1 minute of inactivity.
- Set the glide.security.use_csrf_token property to false.
- Using Firefox, log in to the instance again in a new browser session.
The issue can occur in any browser, but is more reliably reproduced in Firefox.
- Open the Firefox developer console.
- Display the Network log.
- Wait for the session to time out.
- Change networks by, for example, connecting to or disconnecting from a VPN, or switching Wi-Fi networks.
After a few seconds (up to a few minutes), the browser's generic basic authentication login window is displayed.
In the Firefox dev console, note that the last presence request (with 401 response code) did not include the X-UserToken header and that the response header WWW-Authenticate is set to Basic instead of None.
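The check in the last step can be automated over a HAR export of the Network panel. The following Python script is an added example, not part of the article: it reads the HAR entries, and for each one records whether the request carried an X-UserToken header, the response status, and the WWW-Authenticate value, then lists the entries that would trigger the browser's Basic login window (a 401 whose WWW-Authenticate starts with "Basic"). The HAR fragment is constructed, and the request paths in it are placeholders rather than the instance's real presence endpoint.

```python
import json

# Constructed HAR fragment shaped like a Firefox "Save All As HAR" export.
# URLs and header values are assumptions, not captured from a real instance.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"url": "https://instance.example/xmlhttp.do",
                 "headers": [{"name": "X-UserToken", "value": "TOKEN_PLACEHOLDER"},
                             {"name": "Cookie", "value": "JSESSIONID=PLACEHOLDER"}]},
     "response": {"status": 200, "headers": []}},
    # the problematic request: no X-UserToken, 401 with WWW-Authenticate: Basic
    {"request": {"url": "https://instance.example/presence_placeholder",
                 "headers": [{"name": "Cookie", "value": "JSESSIONID=PLACEHOLDER"}]},
     "response": {"status": 401,
                  "headers": [{"name": "www-authenticate", "value": "Basic realm=\"placeholder\""}]}},
    # a 401 whose challenge is "None": the browser shows no login window
    {"request": {"url": "https://instance.example/presence_placeholder",
                 "headers": [{"name": "Cookie", "value": "JSESSIONID=PLACEHOLDER"}]},
     "response": {"status": 401,
                  "headers": [{"name": "WWW-Authenticate", "value": "None"}]}},
]}})


def header(headers, name):
    """Look up a HAR header list case-insensitively; None if absent."""
    for h in headers:
        if h.get("name", "").lower() == name.lower():
            return h.get("value")
    return None


def classify_entry(entry):
    """Extract the three facts the article tells you to check for one request."""
    req, resp = entry["request"], entry["response"]
    www_auth = header(resp.get("headers", []), "WWW-Authenticate") or ""
    status = resp.get("status")
    return {
        "url": req.get("url"),
        "status": status,
        "has_user_token": header(req.get("headers", []), "X-UserToken") is not None,
        "www_authenticate": www_auth,
        # A 401 carrying a Basic challenge is what makes the browser pop its
        # generic login window; "None" (or no challenge) does not.
        "prompts_basic_login": status == 401 and www_auth.lower().startswith("basic"),
    }


def find_prompting_requests(har_text):
    """Return the classified entries that would trigger the Basic login popup."""
    har = json.loads(har_text)
    return [c for c in (classify_entry(e) for e in har["log"]["entries"])
            if c["prompts_basic_login"]]


if __name__ == "__main__":
    for hit in find_prompting_requests(SAMPLE_HAR):
        print(hit)
```

On a real export, every hit should be a request that lacks X-UserToken; if hits appear with the token present, the cause is something other than the issue described here.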
To provide relief, re-enable the CSRF property:
- Navigate to /sys_properties_list.do > Set glide.security.use_csrf_token = 'true'
Note: If this property does not exist, consider activating the High Security Plugin, which creates and enables the CSRF property. Alternatively, the property can be set to true directly without enabling the High Security Plugin.
Upgrade to Helsinki Patch 8 for the fix, which allows the glide.security.use_csrf_token property to remain disabled while preventing the popup window that asks the user to log in.
Related Problem: PRB689641