Session vs JWT expiry discrepancy

[pboling]

For rodauth.logged_in? I get true, but for rodauth.valid_jwt? I get false.

I'm not sure exactly how I got into this situation, but since I have it I am trying to understand it.

If anyone has any thoughts, I'd appreciate them!

[janko]

Could you post more details on what have you found out so far? This situation seems possible to me; a JSON request comes in, but the JWT token is missing, and an account somehow gets logged in during the request (before the new JWT token is returned in the response). The rodauth.session method initializes an empty hash when the JWT token is missing (though it returns an error if the token is present but invalid), so it's still possible to log the account in though methods like rodauth.login_session.

[pboling]

I wrote a bunch of stuff here, but on further consideration it made no sense.

Bottom line, I hadn't considered the differences in expiry timeouts, and after a day I was "still logged in", via web-session, which had expired, and was feiling to be renewed. The issue had nothing to do with JWT.

[pboling]

I was never logged in with a JWT, and my web session was just failing to renew due to the before_filter problem (attempting to use the session before it had been renewed).