Problem/Motivation

I'm using the TFA module on a D10 site hosted on Pantheon. Some users intermittently get a 403 "Invalid session" error after entering their credentials and being redirected to the TFA verification page.

The issue seems related to the private tempstore’s ownership key (core.tempstore.private.owner) being lost or not matching, likely due to Pantheon’s multi-container infrastructure and session handling. Even after enabling Redis-backed session storage and overriding tempStoreUid() to force session start and write-close, the problem persists.

Has anyone had the same issue?

Comments

g_miric created an issue.

cmlara:

It has been over 6 years since I have had a production site in Pantheon so I can't say that I remember their architecture layout.

Quick glancing:
This error should only be present if:

  • For some reason the UID is not an integer-like string (should never happen).
  • If the session is missing data (such as attempting to visit the entry form again after success; without auditing every line of code, maybe a login plugin granting access and another module redirecting back to the entry form).
  • PrivateTempStore not returning data (if the session somehow became authenticated mid-request, or if the session was not synced between backends, this could occur). I would expect Redis to solve the not-syncing issue.
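To narrow down the third case above on a multi-container host, a request-level log of which container served the TFA entry page and whether the session carried the private tempstore owner key is the most useful evidence. The following is an added example of such a diagnostic event subscriber; it is not code from the TFA module or from this thread, and it assumes a hypothetical module named `my_tfa_debug` and that the TFA verification form is served by a route named `tfa.entry`.

```php
<?php

namespace Drupal\my_tfa_debug\EventSubscriber;

use Drupal\Core\Routing\RouteMatchInterface;
use Psr\Log\LoggerInterface;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpKernel\Event\RequestEvent;
use Symfony\Component\HttpKernel\KernelEvents;

/**
 * Logs serving host, session state and presence of the private tempstore
 * owner key on the TFA entry route, so intermittent "Invalid session" 403s
 * can be correlated with a container hop or a missing session key.
 * Hypothetical debug module; not part of TFA.
 */
class TfaSessionDebugSubscriber implements EventSubscriberInterface {

  public function __construct(
    private readonly RouteMatchInterface $routeMatch,
    private readonly LoggerInterface $logger,
  ) {}

  public static function getSubscribedEvents(): array {
    // Priority 0 runs after routing (priority 32), so the route is known.
    return [KernelEvents::REQUEST => ['onRequest', 0]];
  }

  public function onRequest(RequestEvent $event): void {
    // Assumption: the TFA verification form route is named 'tfa.entry'.
    if (!$event->isMainRequest() || $this->routeMatch->getRouteName() !== 'tfa.entry') {
      return;
    }
    $request = $event->getRequest();
    $session = $request->hasSession() ? $request->getSession() : NULL;
    // PrivateTempStore stores its per-session owner under this key.
    $owner = $session?->get('core.tempstore.private.owner');
    $this->logger->info('TFA entry: host=@host session_started=@started owner_key=@owner', [
      '@host' => gethostname(),
      '@started' => ($session && $session->isStarted()) ? 'yes' : 'no',
      // Log only a short hash of the owner value, never the raw key.
      '@owner' => $owner ? substr(hash('sha256', $owner), 0, 8) : 'none',
    ]);
  }

}
```

Register it in the module's `services.yml` with the `event_subscriber` tag and the `@current_route_match` and `@logger.channel.default` arguments; a 403 whose log line shows `owner_key=none` or a different host than the preceding login request points at session data not reaching the serving container.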
g_miric:

I know that the issue is related to PrivateTempStore, but Redis didn't fix it. It is possible that it is related to race conditions, but I still need to check that.