Unable to save in-progress changes after session expires, despite logging in again in separate tab
Summary
A user has one or more tabs open with unsaved work in them (e.g. part way through issue or merge request creation). Due to inactivity the user's session expires, and they log back into GitLab using a new tab.
When they go back to their in-progress tabs and click Save they are presented with a 422 error and the backend logs the following:
{
"method": "POST",
"path": "/group/project/-/issues",
"format": "html",
"controller": "Projects::IssuesController",
"action": "create",
"status": 422,
"exception.class": "ActionController::InvalidAuthenticityToken",
"exception.message": "Can't verify CSRF token authenticity.",
"exception.backtrace": [
"lib/gitlab/metrics/elasticsearch_rack_middleware.rb:16:in `call'",
"lib/gitlab/middleware/memory_report.rb:13:in `call'",
The changes are unable to be saved and the user must re-enter them.
Steps to reproduce
- Configure GitLab with a session expiry of 15 minutes.
- Log in to GitLab.
- Open a new issue form and fill it with information.
- Open in a new tab a merge request and fill a thread with information.
- Open in a new tab a repository in web IDE and change code in some files.
- Wait for session to time out (15 min as configured) by not interacting with tabs.
- Open a new page in GitLab.
- When prompted, log in to GitLab.
- Return to new issue tab and try to create it.
- Return to merge request tab and try to save thread.
- Return to web IDE tab and try to commit changes.
What is the current bug behavior?
In-progress changes in other browser tabs cannot be saved after session expires and user re-authenticates.
What is the expected correct behavior?
In-progress changes in other browser tabs should be able to save their changes by using the newly logged-in session.
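Why the stale tabs get the 422, as an added example that is not part of the original issue and is not GitLab or Rails code: a simplified Ruby model of a session-bound CSRF token in the masked form Rails uses for form tokens. `Session`, `masked_token`, `valid_token?` and `scenario` are hypothetical names, and the model assumes that logging in again creates a new session with a new token.

```ruby
require "securerandom"
require "base64"

# Simplified model of a session-bound CSRF token (hypothetical names throughout).
class Session
  attr_reader :csrf_token
  def initialize
    @csrf_token = SecureRandom.random_bytes(32) # per-session secret
  end
end

def xor_bytes(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack("C*")
end

def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Token embedded in a rendered form: one-time pad followed by (pad XOR session token).
def masked_token(session)
  pad = SecureRandom.random_bytes(32)
  Base64.strict_encode64(pad + xor_bytes(pad, session.csrf_token))
end

# Server-side check against whichever session the browser cookie now points to.
def valid_token?(session, submitted)
  raw = Base64.strict_decode64(submitted)
  return false unless raw.bytesize == 64
  pad, masked = raw[0, 32], raw[32, 32]
  secure_compare(xor_bytes(pad, masked), session.csrf_token)
rescue ArgumentError # malformed Base64 is rejected like any other bad token
  false
end

# The sequence from the steps to reproduce, reduced to the token check.
def scenario
  old_session = Session.new
  stale_form_token = masked_token(old_session) # form rendered before expiry
  before_expiry = valid_token?(old_session, stale_form_token)
  new_session = Session.new                    # expiry, then login in another tab
  stale_submit = valid_token?(new_session, stale_form_token)
  refreshed_submit = valid_token?(new_session, masked_token(new_session))
  { before_expiry: before_expiry, stale_submit: stale_submit,
    refreshed_submit: refreshed_submit }
end
```

The `stale_submit` case corresponds to the `ActionController::InvalidAuthenticityToken` entry in the log above: the browser sends the new session cookie, but the form still carries a token derived from the expired session.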