We currently have an issue with the Vaadin heartbeat function: it seems that it does not work properly.
As far as we know, the Vaadin heartbeat function works like this:
- Vaadin sends a ping to the backend every 5 minutes when the app is idle (not being worked on, and no mouse movement or keyboard action)
- this ping carries the session cookies
- when this hits the backend service, it validates the authentication token
- if it's not expired yet, no issues, it goes through
- if the token is expired (validity is 1h in our setup), it tries to redirect to OIDC (Connection Lost is triggered here)
- → this gets blocked in the Vaadin frontend app due to the security default configs
- → adds a temporary cookie
- → retries the operation
- as it retries, more cookies get added until the size limit is reached, triggering a 431 HTTP response.
Issue description:
It looks like an issue with the JavaScript-initiated heartbeat that occurs every 5 min; it seems that it doesn't have the CORS headers set up properly. If it were from any other Quarkus app, we would expect it to work fine (for example, the redirect during login).
At the moment, we have only increased the token session to 8 hours in order to avoid this issue.
It would be great if there is any solution to this issue, which is a blocking point for us at the moment.
Our setup:
Java JDK 21
Quarkus 3.11.1
Vaadin 24.3.10
Some screenshots regarding the Vaadin heartbeat issue: