User switching randomly to different user in Inertia


dense vine
#

Hi, I have a very strange bug where I log in with one user, click around, log out of that user, log in with another user, click around, and on the settings page I'm literally another user. I can press the back and forward buttons in Chrome and see the two users' email addresses in settings.

I did some testing in Tinker and when the bug happens, it seems like I'm getting logged out and logged in with another user.

Have you ever encountered this?

React, Inertia, Hope you can help, thanks

raven lion
#

Are you actually logged in, or moving through history? Because history state, by default, is as history was at that point in time.
If it's auth, you might be doing something incorrectly, like not rotating the session

dense vine
#

I'm actually logged in, I'm just using the default auth starter kit, that's why it's so strange.

raven lion
#

Like a hard refresh would show you logged in as another user?

dense vine
#

Nope, not a hard refresh. I log on with one user, click around, it's all good, log out, log in with another user, click around, and it literally shows me logged in as the other user.

raven lion
#

So you're not signed in as someone else, but it looks like you're signed in as the previous user?

muted veldt
#

Got any custom auth logic in your app?

muted veldt
#

I assume you've verified that you're actually logged out before logging in with a different user?

Also check the network tab to see if the browser uses a cached response after logging in with a different user.
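One way to rule out the "cached response" possibility raised above is to make every response that depends on the logged-in user explicitly non-cacheable. The middleware below is an added example, not code from this thread or from the Laravel starter kit; it assumes the standard Laravel middleware contract (`handle(Request, Closure)` returning a Symfony `Response`) and a class name of my own choosing. It does not touch Inertia's in-memory prefetch or history state, which the thread discusses separately; it only stops the browser's HTTP cache from replaying a previous user's page after logout.

```php
<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

// Added example (not from the thread or the starter kit). Marks responses
// generated for an authenticated user as non-cacheable so that, on a shared
// browser, a later user cannot be served the previous user's page from the
// HTTP cache. Class name is an assumption; the middleware contract is Laravel's.
class NoStoreForAuthenticatedResponses
{
    public function handle(Request $request, Closure $next): Response
    {
        $response = $next($request);

        // Only user-specific responses need this; public pages stay cacheable.
        if ($request->user() !== null) {
            // no-store: the body must never be written to any cache.
            // private: shared caches (proxies, CDNs) must not keep it either.
            $response->headers->set('Cache-Control', 'no-store, private, max-age=0');
            // Legacy header for HTTP/1.0 intermediaries.
            $response->headers->set('Pragma', 'no-cache');
            // The page content depends on the session cookie.
            $response->headers->set('Vary', 'Cookie');
        }

        return $response;
    }
}
```

Register it in the `web` middleware group (for example with `->appendToGroup('web', NoStoreForAuthenticatedResponses::class)` in `bootstrap/app.php` on Laravel 11 or later), then confirm in the network tab that settings responses carry `Cache-Control: no-store` and are fetched fresh after switching users. If the stale email still appears with a `200` coming from the server rather than from cache, the HTTP cache is not the cause and the Inertia prefetch/history state is the remaining suspect.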

raven lion
#

Yeah, that was what I was aiming at, as Inertia's history is purely history, as it shows how it was at that point in time. There is history encryption; https://inertiajs.com/history-encryption, which you'd reset once the user logs out.
Then there's also prefetching (which is quite broken right now imho). If a page is prefetched, then it would show that content. So if a page was prefetched, then quickly log out and log back in, there's a high chance it would show the "old" state

#

And tbh, using a starter kit doesn't mean it would account for those issues. I've seen quite a lot that was wrong with the starter kits 😅

dense vine
#
Replying to raven lion: "Yeah, that was what I was aiming at, as Inertia's history is purely history, as ..."

I just did some more tests. I logged in with user A and hovered over settings, it prefetches; I logged out and logged in with user B, and if I hover over settings it does not do a new prefetch. Thanks for pointing me in the right direction, it seems the prefetch is the culprit, as if I click around but hold shift when I click the bug is gone. Going to remove prefetch to make sure... maybe the Laravel team needs to be informed about this?

raven lion
#

Since they have issues disabled on those repos, you could make a PR that fixes the issue. But I'd assume history encryption might also fix the issue

dense vine
#
<Link className="block w-full" href={route('profile.edit')} as="button" onClick={cleanup}>
    <Settings className="mr-2" />
    Settings222
</Link>

I removed the prefetch, same issue fml!

It seems it happens for a little while and then acts normally. This is so weird.

raven lion
#

Did you try enabling history encryption and then clearing it when a user logs out?

dense vine
#
<?php

return [

    /*
    |--------------------------------------------------------------------------
    | Server Side Rendering
    |--------------------------------------------------------------------------
    |
    | These options configures if and how Inertia uses Server Side Rendering
    | to pre-render each initial request made to your application's pages
    | so that server rendered HTML is delivered for the user's browser.
    |
    | See: https://inertiajs.com/server-side-rendering
    |
    */

    'ssr' => [
        'enabled' => true,
        'url' => 'http://127.0.0.1:13714',
        // 'bundle' => base_path('bootstrap/ssr/ssr.mjs'),

    ],

    'history' => [
        'encrypt' => true,
    ],

    /*
    |--------------------------------------------------------------------------
    | Testing
    |--------------------------------------------------------------------------
    |
    | The values described here are used to locate Inertia components on the
    | filesystem. For instance, when using `assertInertia`, the assertion
    | attempts to locate the component as a file relative to the paths.
    |
    */

    'testing' => [

        'ensure_pages_exist' => true,

        'page_paths' => [
            resource_path('js/pages'),
        ],

        'page_extensions' => [
            'js',
            'jsx',
            'svelte',
            'ts',
            'tsx',
            'vue',
        ],

    ],

];

<?php

namespace App\Http\Controllers\Auth;

use App\Http\Controllers\Controller;
use Illuminate\Http\RedirectResponse;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;

// Namespace, imports and class wrapper added so the snippet is complete;
// the logout method body is as posted.
class AuthenticatedSessionController extends Controller
{
    /**
     * Destroy an authenticated session.
     */
    public function destroy(Request $request): RedirectResponse
    {
        // Log the user out of the web guard
        Auth::guard('web')->logout();

        // Drop the old session data and rotate the CSRF token
        $request->session()->invalidate();
        $request->session()->regenerateToken();

        // Clear encrypted history before redirecting
        inertia()->clearHistory();

        return redirect('/');
    }
}

Hi, is this the right way of adding the history? It's still got the bug.

raven lion
#

Yeah, that should be alright

dense vine
#

Yeah, same issue. Makes no sense.

#

Literally press settings and I can see the old user's email and info.

raven lion
#

What you could try is updating the npm dependencies. Don't know what version is installed, but I know there have been a few fixes

dense vine
#

Updated packages, same issue... I really don't get it at all. Even opened in Safari, same issue: clicking settings, then I clicked password, and it switches so I can see info on the previously logged-in user.