To make the login experience friendlier, we added an automatic login optimization.
When a user logs in successfully, the token is stored in a cookie. The next time the user visits the site, the token is read from the cookie and the user is logged in automatically. When the user logs out, the token is cleared.
It looks simple and user-friendly.
However, a vulnerability was found today. My local cookie is valid for 30 days. What happens if the validity period of the backend token differs from the validity period I saved? When a user logs in automatically, the response interceptor finds that the token has expired and kicks the user to the login page. The login page then finds a token in the cookie and automatically logs in again. Once inside the system, the response interceptor again finds the token expired and kicks the user back to the login page…
An infinite loop occurs.
The solution is simply to clear the token in the response interceptor's 401 handler, so an expired token never lingers locally.
This pitfall is simple to fix; the real key is spotting the problem in the first place. You still have to be careful.
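The cycle described above, modelled as an added example that is not code from the original post: an in-memory stand-in for the cookie and backend lets you watch the buggy interceptor (redirect only) loop forever while the fixed one (clear the cookie on 401) settles on the login page. All names (`TOKEN_COOKIE`, `loginAs`, `fakeApi`, `handleResponse`, `simulateVisits`) are assumptions for this illustration.

```javascript
// Added example, not code from the original post. Assumed names: TOKEN_COOKIE,
// cookieStore, loginAs, fakeApi, handleResponse, simulateVisits.
const TOKEN_COOKIE = 'token';

// Constructed in-memory stand-ins for document.cookie and the backend's
// token table, so the flow can run outside a browser.
const cookieStore = new Map();
const serverTokenExpiry = new Map(); // token -> expiry timestamp (ms)

function getToken() { return cookieStore.get(TOKEN_COOKIE); }
function clearToken() { cookieStore.delete(TOKEN_COOKIE); }

// A successful login: the backend issues a token with its own lifetime and
// the client stores it in the (30-day) cookie regardless of that lifetime.
function loginAs(token, expiresAt) {
  serverTokenExpiry.set(token, expiresAt);
  cookieStore.set(TOKEN_COOKIE, token);
}

// Any authenticated request: 401 once the backend considers the token expired.
function fakeApi(token, now) {
  const exp = serverTokenExpiry.get(token);
  return exp !== undefined && now < exp ? { status: 200 } : { status: 401 };
}

// Response interceptor. With clearOnUnauthorized=false it only redirects,
// leaving the rejected token in the cookie (the buggy version); with
// clearOnUnauthorized=true it also clears the cookie (the fix).
function handleResponse(res, clearOnUnauthorized) {
  if (res.status === 401) {
    if (clearOnUnauthorized) clearToken();
    return 'login';
  }
  return 'app';
}

// Drive the page-load cycle: login page -> cookie present -> auto-login ->
// request -> interceptor. Stops when the user lands in the app or on a login
// page with no cookie; reports a loop if maxRounds is exhausted.
function simulateVisits(now, clearOnUnauthorized, maxRounds = 10) {
  for (let rounds = 1; rounds <= maxRounds; rounds++) {
    const token = getToken();
    if (!token) return { page: 'login', rounds, looped: false };
    const page = handleResponse(fakeApi(token, now), clearOnUnauthorized);
    if (page === 'app') return { page, rounds, looped: false };
  }
  return { page: 'login', rounds: maxRounds, looped: true };
}
```

The same model also shows the underlying mismatch: the loop only exists because the cookie outlives the backend token, so keeping the cookie's max-age at or below the token's lifetime removes the window in which a stale token can be replayed.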