Doubling of login records
-
@mark-robustelli
Sometimes user sees this:
-
@sergey_smirnov OK, I did some investigating and here is what I have found.
- SSO, I saw a reference to a post that mentions using SSO will create multiple session records (but shouldn't necessarily cause multiple login events). Are you using SSO?
-
Are you using any Lambda's? In some versions (notably 1.31.0), a bug caused the OIDC reconcile lambda to be called twice during certain identity provider logins, which could result in duplicate processing and potentially duplicate events. This was patched in version 1.32.1.
-
Are you using any Webhooks?
-
Are you using an external IdP?
These are just a couple of things to consider.
-
- No
- No, the FA version is 1.55.1
- Yes, we use webhooks to sync user info (like email change) between FA and our application
- No, for our application FA is the only IdP, however we use migration mechanism to add new users to the FA DB from application
-
@sergey_smirnov OK. It doesn't seem like the webhook you are using would cause the duplicate logins. I came across this post stating that exchanging a refresh token counts as a login event. I'm wondering if something like the user logins in using a new tab, then goes back to the old tab that triggers a refresh. If that is the case, that could account for the delay between logins and the "Something doesn't seem right" message as that session is no longer valid because of the new login. You might be able to verify this by using a webhook. There is a JWT.Refresh event that you might be able to log somewhere to see if it fires around the time of the duplicate log ins.
-
@mark-robustelli
No events. Also JWT duration is set to default 3600 (1 hour) for our application/tenant and as I see the option affects the timeout inside the corresponding claim only. As we don't use JWT we ignore it. Additional info; JWT Refresh Duration = 43200, OAuth session timeout = 3600.We see a lot of fusionauth cookies and hidden form fields which are updated during authentication process. How can we reset the login page (smth similar to incognito mode)? Maybe some parameters on logout?
-
@sergey_smirnov If you are not using the JWT, can you disable it in the AdminUI?
-
@mark-robustelli
It is disabled on application level but I don't see any such option for tenant.
How to disable it for tenant ? -
@sergey_smirnov I was referring to the application level. Try to disable it there and see if you are still getting the double login.
-
@mark-robustelli
It was already disabled on application level. -
@sergey_smirnov hmmm..Ok can we verify this is 100% not user action? Can you add some logging to your application so we can see what a user is clicking or starting a new session? Then we can compare with the logs in FusionAuth.
