Heartbeat should respond 404, not 410, when session expired #4417
Comments
Originally by @Artur-: Or maybe 403 (forbidden) instead. 404 is easily confused with a server configuration problem.
Originally by sre: I would also recommend changing 410 to 403. We have a lot of problems with the PublishedFileHandler, because the browser (at least Chrome) caches 410 responses. Now, if some parts of your widgetset rely on jQuery or other JavaScript libraries, sometimes the cached 410 is returned even after a new session has been created, which makes some of your widgets just disappear. The same sometimes happens for a login iframe connector resource. Another problem (which I suppose cannot be solved with websockets): There are also cases where HTTP 404 is returned for the /PUBLISHED files:
Hello there! It looks like this issue hasn't progressed lately. There are so many issues that we just can't deal with them all within a reasonable timeframe. There are a couple of things you could do to help get things rolling on this issue (this is an automated message, so expect that some of these are already in use):
Thanks again for your contributions! Even though we haven't been able to get this issue fixed, we hope you will report your findings and enhancement ideas in the future too!
These cached headers following a 410 on /APP/PUBLISHED/* are a real problem for loading JS: there's no error (session exists) but scripts are not loaded because of the 410 being cached. This still exists in 8.5.2.
I agree with changing that to 403, maybe with an error message of "no session" or such. Anything other than 410 GONE PERMANENTLY (since that's clearly not the case). The workaround is to move
403 would be semantically wrong as well since no authorisation takes place. 404 is the right code. As per RFC: I think more relevant would be to add
This actually caused random session expired messages in our Vaadin 7 apps with Safari (macOS). One way to reproduce: start a Vaadin 7 app, wait until the session expires, then reload the page, log in, and wait for the next heartbeat. It will be the cached 410, resulting in a session expiry shown in the client, while the backend still has the session. (Also, as commented in #11556, I think the current fix for this isn't perfect since it removes the session expiry message when it would correctly appear as well.)
Originally by @jdahlstrom
HeartbeatHandler currently sends 410 Gone if the session is expired. This is arguably semantically wrong, as a user agent is within its rights to assume that the resource uniquely identified by the URI (and only the URI - cookies don't matter) will never be available again and any future requests to the same URI should not be made. A 404 Not Found should be returned instead.
Imported from https://dev.vaadin.com/ issue #12526
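The caching behaviour discussed in this thread, as an added example that is not part of the original issue or of Vaadin's code: a simplified model of the RFC 7231 section 6.1 and RFC 7234 rules a private cache applies to a GET response, showing which status codes may be reused when the server sends no cache headers. The function names, verdict labels and sample responses are assumptions made for illustration.

```python
import time
from email.utils import parsedate_to_datetime

# Status codes RFC 7231 section 6.1 lists as cacheable by default.
CACHEABLE_BY_DEFAULT = {200, 203, 204, 206, 300, 301, 404, 405, 410, 414, 501}


def parse_cache_control(value):
    """Split a Cache-Control value into {directive: argument or None}."""
    directives = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def expires_in_future(value, now):
    """True if the Expires date is valid and later than `now` (epoch seconds)."""
    try:
        return parsedate_to_datetime(value).timestamp() > now
    except (TypeError, ValueError):
        return False  # RFC 7234: an invalid date such as "0" means already expired


def cache_verdict(status, headers, now=None):
    """Classify a GET response: not-stored, revalidate, explicit or heuristic."""
    now = time.time() if now is None else now
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    if "no-store" in cc:
        return "not-stored"
    if "no-cache" in cc:
        return "revalidate"  # stored, but the server is asked before every reuse
    if "max-age" in cc:  # max-age takes precedence over Expires
        age = cc["max-age"] or ""
        return "explicit" if age.isdigit() and int(age) > 0 else "revalidate"
    if "expires" in h:
        return "explicit" if expires_in_future(h["expires"], now) else "revalidate"
    if status in CACHEABLE_BY_DEFAULT or "public" in cc:
        return "heuristic"  # no freshness given: the cache may pick its own lifetime
    return "not-stored"


# Constructed responses, not captured from a Vaadin server.
SAMPLES = [(410, {}), (404, {}), (403, {}), (410, {"Cache-Control": "no-store"})]

if __name__ == "__main__":
    for status, headers in SAMPLES:
        print(status, headers, "->", cache_verdict(status, headers))
```

A "heuristic" verdict means the cache is permitted to reuse the response for a lifetime of its own choosing; how long a given browser actually keeps it is implementation-specific and not modelled here.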