Doubling of login records
-
@sergey_smirnov can you tell us a little about how you have FusionAuth set up? Can you look at your server logs and make sure the page is not being called multiple times? Also, can you share the details of the log entries (be sure to redact private information)?
-
@sergey_smirnov, I see you submitted the FusionAuth log. I didn't approve the post because I thought there might be some info in there you don't want public. I cut some out and will paste it here:
That is interesting. Would it be possible to get the web server logs and see if there were actual multiple requests.
-
We're trying to get those logs from our admins.
-
Where can we find such logs on FA server ?
-
@sergey_smirnov You won't find the web requests in the FA dashboard, but you can enable debugging for Oauth in the application and see if that gives you more details in the System -> Even Log.
-
We have the following records in event log for doubled logins at the same minute:
OAuth2 exchange authorization code debug log for [******] with clientId [XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXX055].
6/25/2025 07:17:54 PM Z Validate the provided authorization code [VqER3sOWcAn2RuONY0BPHK-_TAt3hb1y92fwwj8mDNY].
6/25/2025 07:17:54 PM Z Validate PKCE code_challenge [crUqHYRAXwg-yyUFsei4-I9rmZ1SQiz0sC76ARgPtYA] provided during the authorization request with the provided code_verifier [pDyk_bw-BKUPyCfpTcVn694YoutV9_2gH0yIP09710g]. Calculated code_challenge [crUqHYRAXwg-yyUFsei4-I9rmZ1SQiz0sC76ARgPtYA].
6/25/2025 07:17:54 PM Z Scopes requested [openid profile email]
6/25/2025 07:17:54 PM Z Ensure the provided request parameters match those provided the authorization request.
6/25/2025 07:17:54 PM Z User is registered for application with Id [XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXX055] the [roles] and [applicationId] claims will be added.
6/25/2025 07:17:54 PM Z The authorization code has been successfully exchanged for an access token.OAuth2 exchange authorization code debug log for [******] with clientId [XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXX055].
6/25/2025 07:17:44 PM Z Validate the provided authorization code [BjWl6NxsoTZG_wqCOaBegQzWbDI8WBnid4sPQDk9eCM].
6/25/2025 07:17:44 PM Z Validate PKCE code_challenge [h-n3xKiN9XmcWtJOBbALv6S4Rf9w-LSeuFgoxJIT8bU] provided during the authorization request with the provided code_verifier [ptFznenHB4Mq4fhsRi-h77GPA1XCkWgl2XpPAPYJaK0]. Calculated code_challenge [h-n3xKiN9XmcWtJOBbALv6S4Rf9w-LSeuFgoxJIT8bU].
6/25/2025 07:17:44 PM Z Scopes requested [openid profile email]
6/25/2025 07:17:44 PM Z Ensure the provided request parameters match those provided the authorization request.
6/25/2025 07:17:44 PM Z User is registered for application with Id [XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXX055] the [roles] and [applicationId] claims will be added.
6/25/2025 07:17:44 PM Z The authorization code has been successfully exchanged for an access token. -
Also we have 3 login records and only 2 corresponding entries (for the same minute) in event logs:
-
The interval between authorization attempts in event logs (at least 10 sec between them) points to the human attempts and we see the login doubling often happens on the next day so we suspect the following scenario: user leaves the application page not closing it and is logged out due to inactivity, which means he is redirected to FA login page and uses it next day. We think the FA login page after some period of time "expires" (some login id in cookies or something like that) and further OAuth negotiation on application side fails, user is redirected back to the fresh FA login page, enters credential again and login succeeds.
How can we increase or disable that FA login page expiration?
-
@sergey_smirnov Hmm, the 10 sec between the logs does lead me to similar speculation that it is being caused by the user. I would think they would be closer together if it was something the application was doing on its own (although I am not entirely ready to rule that out either).
That being said, it seems like just guessing unless you can get the application logs and trace the users page views for sure. Is that possible?
There is a setting in the Tenants for the Session timeout.
Tenants -> Edit -> OAuth tab -> Session timeout
Let me know if you are able to log the users page views.
-
@mark-robustelli
Yes, we have access to HTTP requests to our application but not to FA server.
We already tried to adjust all timeouts options in admin panel (for OAuth and JWT) and it doesn't affect the "expiration" of FA Login form. I mean the login form we see after logout with message "You have been logged out of ..." on top of it. If you enter credentials there on the next day (the same day works fine) it may fail to login from the first attempt. -
@mark-robustelli
Sometimes user sees this:
