nic-6443 commented on issue #9306: URL: https://github.com/apache/apisix/issues/9306#issuecomment-4676898528
Went through this against current master and I believe every mechanism that could have produced these random re-auth redirects is gone in recent releases, so this can probably be closed. The report is based on the lua-resty-session 3.x stack configured through `set $session_*` nginx variables; since 3.15.0 APISIX uses lua-resty-session 4.1.5 (#12862) and all session settings, including redis storage (#12986), are passed via the plugin's `session` config instead — the nginx variables aren't read anymore. Both plausible root causes are addressed now: workers not sharing one session secret (what james-mchugh hit; `session.secret` is mandatory since 3.14.0 when `bearer_only` is false, #12609), and the 3.x `regenerate` strategy destroying the old session on renewal so concurrent in-flight requests got bounced to the IdP — session 4.x keeps the old record usable for `stale_ttl` (10s by default) exactly to avoid that race. The patch from #10737 (passing the whole conf as the 4th argument) was never merged, and master now passes a guaranteed non-nil session opts table built from `conf.session`, so the nil-session path it worked around no longer exists. If anyone still sees random redirects on >= 3.15.0 with an explicit `session.secret`, please open a fresh issue with that environment.
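The renewal race described in the comment above, as an added example that is not part of the original comment and not APISIX or lua-resty-session code: a simplified Python model of a server-side session store in which renewal either deletes the old record at once or keeps it readable for `stale_ttl`. `SessionStore`, `handle`, `simulate` and the sample session are hypothetical names and constructed data.

```python
# Simplified model of the renewal race; not lua-resty-session code.
import secrets

STALE_TTL = 10  # seconds; the 4.x default named in the comment above


class SessionStore:
    """Server-side store (for example redis) keyed by session id."""

    def __init__(self, keep_stale):
        # False: renewal destroys the old record (the 3.x behaviour described above).
        # True: the old record stays readable for STALE_TTL (the 4.x behaviour).
        self.keep_stale = keep_stale
        self.records = {}  # sid -> (data, expires_at or None)

    def create(self, data):
        sid = secrets.token_hex(8)
        self.records[sid] = (data, None)
        return sid

    def renew(self, old_sid, now):
        data, _ = self.records[old_sid]
        if self.keep_stale:
            self.records[old_sid] = (data, now + STALE_TTL)
        else:
            del self.records[old_sid]
        return self.create(data)

    def open(self, sid, now):
        data, expires_at = self.records.get(sid, (None, None))
        if data is None or (expires_at is not None and now > expires_at):
            self.records.pop(sid, None)  # unknown or past the stale window
            return None
        return data


def handle(store, cookie_sid, now):
    """Gateway decision for a request carrying cookie_sid."""
    return "200 upstream" if store.open(cookie_sid, now) else "302 redirect to IdP"


def simulate(keep_stale):
    store = SessionStore(keep_stale)
    old = store.create({"user": "alice"})  # constructed sample session
    new = store.renew(old, now=100.0)      # request A triggers renewal at t=100
    return {
        # Request B left the browser before A's Set-Cookie arrived.
        "in_flight_old_cookie": handle(store, old, now=100.2),
        "new_cookie": handle(store, new, now=100.2),
        "old_cookie_after_window": handle(store, old, now=100.0 + STALE_TTL + 1),
    }
```
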
