Invalid Security Key?

Hi all,

in my webapp I use the refresher addon to periodicaly update a site. This works like a charme, but after a while (2 hours) I get “Invalid Security Key” error.
The webapps session timeout is set to 4 hours, so this should not be the problem.

I wonder why this error just occurs after a while??
Does anybody has an idea what could be the problem? Or what I could do to find out what the problem ist?

The widgetset is compiled to the the vaadin version I’m using (6.6.6).

Thanks for any help!

The security key is used for CSRF protection. Session timeout should cause a session timeout notification box, but I guess it could also result in a security key notification if the server-side application is reinitialized. (Server log should get a “Invalid security key received” message.) Please also check that there isn’t any application error, because an application crash would cause the application to reinitialize. For example, there could be a database timeout or something.

Check that the session timeout is set correctly. You should be able to check the timeout with:

System.out.println("Session timeout: " +
        ((WebApplicationContext)getContext()).getHttpSession().getMaxInactiveInterval() +
        " seconds");

Are you running the application as a portlet by any chance?

Which reminds me, the 6.6.6 version you mentioned has a CSRF vulnerability. Please upgrade.

Thanks for your answer.
I upgraded to 6.7.0, but the behavor is still the same. :frowning:
The session timout is as I defined in web.xml.

any other suggestions?

Some new information:
I enabled the spring security log (set to DEBUG) and found that after 2 hours the following is in the log file:

| DEBUG | HttpSessionSecurityContextRepository | | No HttpSession currently exists

So it seems like the session is lost for some reason.
Does anybody know why the session could be lost? Maybe a kind of “clear session cachee” in the servlet container (jetty)? Or something in the apache?
For now I think the vaadin application works correctly, so the error reson must be in one of the other systems.

Thanks for any help!

It would be good if you could test it with a minimal Hello World app + Refresher. If the problem occurs there, then it could be some Vaadin session handling issue. If not, it would in any case be good to know what causes such issue.

I hope Spring Security or some other thing that you use doesn’t cause timeouts.

Figuered out the problem:
Our nevis proxy is killing the ssl connection after a certain time. For that reason the session is considered as invalid / invalidated, so a new session has to be created, which causes the error messages.

Thanks for help, can be closed now.

This really a strange issue, we are getting Communication Error error ramdomly, sometimes it happens because of inactivity for few minutes and sometimes it just happens on clicking a Save button.

When we get the Communication Error, in the logs it gives the below warning:

There is nothing more then this warning which can explain what is causing the error, doe any one know how to reproduce this issue, and what can be done to fix it.

This is a critical issue, pls respond quickly.


I also encountered the same issue when I use

I saw similar issue with https enabled in peculiar networking topologies (like rinetd between virtual machines through firewalls, reverse proxies, and smoke signals).

If you are using SSL/TLS (i.e. https) get something like httpwatch that can deal with SSL and show you exactly what is going on.

In my case, it clearly showed that using a ProgressIndicator with a very agressive setting of 500ms was stressing out what was a very bad network setup (httpwatch reported broken SSL frames occurring randomly during progress indicator episodes).