In my prod environment I see, a few times a day, the warning "Invalid security key received from xxx.someIp.xxx:62267".
I can't figure out how to reproduce it. I guess it has something to do with the session timeout, but I can't imagine what the reason could be.
I have a session timeout of 12 minutes; the default heartbeat is 5 min, which should extend the lifetime of the session. So an expired session should not be the problem. The only thing I could imagine is that someone has a tab of my app open and the browser puts it to sleep, so it can't send the heartbeat, which ends up in a removed session because no heartbeat has been received.
If the user then opens the tab: tadaa, the session has been removed and the tab reloads, but sends a wrong key?
Does anyone have an idea where I could start searching for a reason, or should I just ignore this warning?
If the server-side session has expired and a new one started due to activity in one tab, then the other tab will still remember the security key (i.e. the CSRF token) related to the old session. If the UI id used by that tab also exists in the new session, then there will be a mismatch leading to exactly the error message that you describe.
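To make the mechanism in this answer concrete, here is an added, hypothetical model (not Vaadin's own code) of session-scoped security keys and per-session UI ids, using the 12-minute timeout and 5-minute heartbeat from the question; it shows the one ordering of events that produces the warning next to the ordering that only produces a silent reload:

```python
import secrets
from collections import namedtuple
from dataclasses import dataclass, field

HEARTBEAT_S = 300        # default heartbeat interval quoted in the thread (5 min)
SESSION_TIMEOUT_S = 720  # session timeout quoted in the thread (12 min)

@dataclass
class Session:
    last_seen: float
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))
    ui_ids: set = field(default_factory=set)

Tab = namedtuple("Tab", "ui_id csrf_token")  # what a browser tab remembers between requests

class Server:
    """Hypothetical model of the server side: one session per browser cookie."""
    def __init__(self):
        self.sessions = {}

    def session_for(self, cookie, now):
        s = self.sessions.get(cookie)
        if s is None or now - s.last_seen > SESSION_TIMEOUT_S:
            s = self.sessions[cookie] = Session(last_seen=now)  # expired: new session, new key
        s.last_seen = now  # every request, heartbeats included, extends the session
        return s

    def open_ui(self, cookie, now):
        s = self.session_for(cookie, now)
        ui_id = len(s.ui_ids)  # UI ids are a per-session counter, so they repeat across sessions
        s.ui_ids.add(ui_id)
        return Tab(ui_id, s.csrf_token)

    def handle(self, cookie, tab, now):
        s = self.session_for(cookie, now)
        if tab.ui_id not in s.ui_ids:
            return "ui-not-found"          # client resynchronises; nothing logged
        if tab.csrf_token != s.csrf_token:
            return "invalid-security-key"  # the logged warning; the request is dropped
        return "ok"

def scenario():
    srv, cookie = Server(), "browser-cookie"
    tab1 = srv.open_ui(cookie, now=0)           # UI 0, key K1
    tab2 = srv.open_ui(cookie, now=0)           # UI 1, key K1
    srv.handle(cookie, tab1, now=HEARTBEAT_S)   # a heartbeat in time keeps the session alive
    wake = HEARTBEAT_S + SESSION_TIMEOUT_S + 1  # then both tabs sleep past the timeout
    tab2_new = srv.open_ui(cookie, now=wake)    # user acts in tab2: new session, UI 0, key K2
    return {"stale_ui_collides": srv.handle(cookie, tab1, now=wake + 1),  # UI 0 exists -> warning
            "stale_ui_missing": srv.handle(cookie, tab2, now=wake + 1),   # UI 1 gone -> reload
            "reloaded_tab": srv.handle(cookie, tab2_new, now=wake + 1)}
```

The stale tab whose UI id happens to be reused in the new session is the one that triggers the warning; a stale tab whose UI id is not reused just gets the normal "UI not found" resynchronisation.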
Uff, okay, so the only thing I can do is ignore it, I think? What happens on the user side? I think it will refresh the UI and create a new session / bind it to the correct one of this browser?
I've seen this normally when the application gets rebooted and a user still has the application open inside their browser. Nothing to worry about (in general).