How to combine a persistent login cookie with parallel AJAX requests?

Tags:

ajax

security

I've implemented the Improved Persistent Login Cookie Best Practice for a "remember me" option.

This works fine when requests are in sequence (traditional page loading). In this case you are sure that the next request will have the same series identifier and the token that was last sent by the server.

But in the case of AJAX requests, where multiple requests are coming in parallel from the same browser, the first request will result in the generation of a new token number. But the other requests will not have this newly generated token number and they'll be denied access, considering it as a theft.

How do we get around this problem?

Dhiraj asked Nov 12 '22 16:11



1 Answer

Based on the proposed solution on the aforementioned Drupal thread (https://www.drupal.org/node/327263#comment-3428038), I'm wondering if we cannot have a simpler algorithm.

Instead of storing "old" replaced tokens in a short lived caching table, why not use the current users session?

1. User logs in with PL cookie
If series & token are in PL table:
  2. User session is populated with the last valid token
  3. new token is given to client
  4. user is logged in
If series key is in PL table, but token is not:
  2. check if current user session still holds the latest replaced token
  If found:
    3. user is logged in.  No new token is provided since one was generated in the first request.
  If not found:
    3. Assume keys are stolen - series is destroyed

This algorithm won't work in load balanced scenarios, though, when the session state is not properly replicated to all nodes!

bluegaspode answered Nov 15 '22 09:11

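The series/token scheme from the question and the session-based tolerance for a just-replaced token from the answer above, as an added worked example (this is not code from the question's author, the answerer, or the Drupal thread). It assumes in-memory dicts standing in for the persistent-login (PL) table and the server-side session store, stores only a hash of each token, and simulates two parallel requests that carry the same cookie followed by a request with a token that matches neither the current nor the just-replaced one.

```python
import hashlib
import secrets

# Constructed in-memory stores standing in for the persistent-login (PL) table
# and the shared session store. A real deployment uses a database and a session
# backend that every node behind the load balancer can read (see the answer's caveat).
PL_TABLE = {}   # series -> {"user": str, "token_hash": str}
SESSIONS = {}   # session_id -> dict


def _hash(token):
    """Store token hashes only, so a leaked PL table does not yield usable cookies."""
    return hashlib.sha256(token.encode()).hexdigest()


def issue_series(user):
    """Password login: create a fresh series/token pair and record the hashed token."""
    series = secrets.token_urlsafe(16)
    token = secrets.token_urlsafe(32)
    PL_TABLE[series] = {"user": user, "token_hash": _hash(token)}
    return series, token


def login_with_cookie(series, token, session):
    """Handle one request carrying a PL cookie, following the answer's algorithm.

    Returns (status, new_token) where status is one of:
      "logged_in_new_token"  series and token matched; token rotated
      "logged_in_replayed"   token is the one this session replaced a moment ago
      "theft"                series known, token neither current nor just-replaced
      "unknown"              series not in the PL table
    """
    entry = PL_TABLE.get(series)
    if entry is None:
        return "unknown", None

    if secrets.compare_digest(entry["token_hash"], _hash(token)):
        # Steps 2-4: remember the token being replaced in the user's session,
        # hand a new token to the client, and log the user in.
        new_token = secrets.token_urlsafe(32)
        session["pl_last_replaced"] = {"series": series, "token_hash": entry["token_hash"]}
        entry["token_hash"] = _hash(new_token)
        session["user"] = entry["user"]
        return "logged_in_new_token", new_token

    replaced = session.get("pl_last_replaced")
    if (replaced and replaced["series"] == series
            and secrets.compare_digest(replaced["token_hash"], _hash(token))):
        # A parallel request that still carries the token rotated by the first
        # request: accept it, but do not issue yet another token.
        session["user"] = entry["user"]
        return "logged_in_replayed", None

    # Series exists but the token matches nothing we expect: assume the cookie
    # was stolen and destroy the whole series so neither party can use it.
    del PL_TABLE[series]
    session.pop("pl_last_replaced", None)
    return "theft", None


def simulate_parallel_requests():
    """Constructed scenario: two parallel requests with one cookie, then a forged token."""
    PL_TABLE.clear()
    SESSIONS.clear()
    series, token = issue_series("alice")
    session = SESSIONS.setdefault("sess-1", {})   # both requests share the browser session
    first = login_with_cookie(series, token, session)
    second = login_with_cookie(series, token, session)   # still carries the old token
    forged = login_with_cookie(series, "not-the-real-token", session)
    return first[0], second[0], forged[0], series in PL_TABLE


if __name__ == "__main__":
    print(simulate_parallel_requests())
```

Two points matter in a real deployment beyond what the dict simulation shows: the read-compare-rotate step in `login_with_cookie` must be atomic (a row lock or transaction on the PL table), or two truly simultaneous requests can both see the old token and both rotate it; and the session entry `pl_last_replaced` must live in a store shared by every node, which is exactly the load-balancing limitation the answer notes.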