Hey all,
I’m developing a Vaadin 14 application with push enabled that is secured with spring security. My application setup is based on the [vaadin with spring tutorial]
(https://vaadin.com/learn/tutorials/securing-your-app-with-spring-security). But the login page is a thymeleaf template served by spring and has a remember me option.
Both the login and logout routine are the standard spring routines.
This setup works as expected for most part. The required pages are secured and login in gives the necessary access. The problem lies when logging out when the remember-me option is used and multiple tabs of the application are open.
When the user logs out from one of the tabs, the application will call UI.getCurrent().getPage().setLocation(SecurityConfiguration.LOGOUT_URL);. This will redirect to the logout url as defined is spring security.
With only one tab open. This works as expected. With multiple tabs open it starts going wrong.
I can see from logging that spring starts invalidating the session by removing the remember me cookie, followed by cleaning up the security context and invalidating the session.
However, also from logging I can see that during this process, requests from vaadin start logging in again through the cookie before the logout process is finished and thus the cookie is cleaned through the http response.
Does any of you have encountered this same situation? Or got this setup working nicely? Or just has some pointers to put me on my way?
Kind regards
Thomas