
Conversation

@tjementum (Member)

Summary & Motivation

Previously, users were silently redirected to the login page whenever their session ended, with no explanation of what happened. Now users see a dedicated error page with a clear message explaining why they were logged out:

  • Security alert: When a replay attack is detected (someone attempted to reuse an old token)
  • Session ended: When a user's session was revoked from another device
  • Session expired: When the session could not be found or has expired

This improves user experience by providing context and reassurance, especially in security-sensitive situations like replay attack detection.

Supporting changes:

  • Add x-unauthorized-reason header to 401 responses so the frontend can determine the logout reason
  • Add user.session_id to Application Insights and OpenTelemetry for session-based troubleshooting
  • Fix replay attack detection race condition where concurrent refresh requests could fail due to EF Core change tracking conflicts - now uses atomic ExecuteUpdateAsync that succeeds for one request and is a no-op for others
  • Disable the Revoke button while a session is being revoked to prevent double-click issues
  • Honor skipQueryInvalidation flag in TanStack Query's MutationCache to prevent sessions modal from refetching when closed

Checklist

  • I have added tests, or done manual regression tests
  • I have updated the documentation, if necessary
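The frontend half of the x-unauthorized-reason contract above, as an added example that is not code from this PR or from the project. The header name and the three reason categories come from the PR text; the concrete header values (`replay-attack`, `session-revoked`, `session-expired`), the error-page routes and the API origin are assumptions made for the example. Two points a practitioner would want handled: the header value is treated as an allow-listed enum with a safe fallback, so a missing, unknown or non-first-party value can never select arbitrary UI, and 401s from several in-flight requests are collapsed into a single navigation that prefers the most security-relevant reason, so a replay alert is not hidden behind a plain "session expired" that happened to arrive first.

```typescript
// Added example, not code from the PR or from PlatformPlatform. Models the
// frontend handling of a 401 carrying x-unauthorized-reason.
// Assumed (not in the PR): the header's values, the routes, the API origin.

export type UnauthorizedReason = "replay-attack" | "session-revoked" | "session-expired";

// Allow-list of header values the frontend acts on. Anything else falls back
// to the generic "session expired" page: the header is a hint, never rendered.
const REASONS: Record<string, UnauthorizedReason> = {
  "replay-attack": "replay-attack",
  "session-revoked": "session-revoked",
  "session-expired": "session-expired",
};

// Higher number wins when several concurrent requests fail at the same time.
const PRIORITY: Record<UnauthorizedReason, number> = {
  "replay-attack": 3,
  "session-revoked": 2,
  "session-expired": 1,
};

// Assumed error-page routes; the PR only says "a dedicated error page".
export const ERROR_ROUTE: Record<UnauthorizedReason, string> = {
  "replay-attack": "/logout/security-alert",
  "session-revoked": "/logout/session-ended",
  "session-expired": "/logout/session-expired",
};

// Minimal structural view of a fetch Response so this runs without a DOM.
export interface ResponseLike {
  status: number;
  url: string;
  headers: { get(name: string): string | null };
}

// Returns the logout reason for a 401, or null when the response is not one.
export function classifyUnauthorized(res: ResponseLike, apiOrigin: string): UnauthorizedReason | null {
  if (res.status !== 401) return null;
  // Only trust the header on responses from our own API. A 401 from another
  // origin (a proxy, a CDN, a third party) must not drive the security-alert page.
  if (!res.url.startsWith(apiOrigin)) return "session-expired";
  const raw = res.headers.get("x-unauthorized-reason");
  if (raw === null) return "session-expired";
  return REASONS[raw.trim().toLowerCase()] ?? "session-expired";
}

// Collapses the 401s of a burst of concurrent requests into one navigation,
// and never navigates twice.
export class LogoutCoordinator {
  private pending: UnauthorizedReason | null = null;
  private navigated = false;
  private readonly navigate: (path: string) => void;

  constructor(navigate: (path: string) => void) {
    this.navigate = navigate;
  }

  report(reason: UnauthorizedReason): void {
    if (this.navigated) return;
    if (this.pending === null || PRIORITY[reason] > PRIORITY[this.pending]) this.pending = reason;
  }

  // Call once the batch of responses has settled (e.g. on the next tick).
  flush(): UnauthorizedReason | null {
    if (this.navigated || this.pending === null) return null;
    this.navigated = true;
    this.navigate(ERROR_ROUTE[this.pending]);
    return this.pending;
  }
}

// Constructed sample responses for the demo; not captured traffic.
export function fakeResponse(status: number, url: string, reason?: string): ResponseLike {
  const h = new Map<string, string>();
  if (reason !== undefined) h.set("x-unauthorized-reason", reason);
  return { status, url, headers: { get: (n) => h.get(n.toLowerCase()) ?? null } };
}

export function demo(): { reasons: (UnauthorizedReason | null)[]; navigatedTo: string | null } {
  const api = "https://app.example.com/api";
  const responses = [
    fakeResponse(401, `${api}/account/me`, "session-expired"),
    fakeResponse(401, `${api}/sessions`, "replay-attack"),
    fakeResponse(401, "https://cdn.example.com/asset", "replay-attack"), // foreign origin
    fakeResponse(401, `${api}/tenants`, "not-a-real-reason"),            // unknown value
    fakeResponse(403, `${api}/admin`, "replay-attack"),                   // not a 401
  ];
  let navigatedTo: string | null = null;
  const coordinator = new LogoutCoordinator((p) => { navigatedTo = p; });
  const reasons = responses.map((r) => classifyUnauthorized(r, api));
  for (const reason of reasons) if (reason !== null) coordinator.report(reason);
  coordinator.flush();
  return { reasons, navigatedTo };
}
```

In the demo the five responses yield one navigation to the security-alert page: the foreign-origin and unknown-value 401s degrade to the generic reason, the 403 is ignored, and the replay reason outranks the expired one.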

@tjementum tjementum self-assigned this Jan 13, 2026
@tjementum tjementum added the Enhancement New feature or request label Jan 13, 2026
linear bot commented Jan 13, 2026

@tjementum tjementum moved this to 🏗 In Progress in Kanban board Jan 13, 2026
@tjementum tjementum force-pushed the pp-355-show-context-specific-error-pages-when-session-is-revoked branch from 3473d41 to bfb77c5 on January 13, 2026 16:26

@tjementum tjementum merged commit b4eb972 into main Jan 13, 2026
26 checks passed
@tjementum tjementum deleted the pp-355-show-context-specific-error-pages-when-session-is-revoked branch January 13, 2026 16:32
@github-project-automation github-project-automation bot moved this from 🏗 In Progress to ✅ Done in Kanban board Jan 13, 2026