Premature session expiry issues #378

Open
mjmasn opened this issue Aug 6, 2024 · 3 comments

@mjmasn
Contributor

mjmasn commented Aug 6, 2024

Just posting this in case anyone else has had similar issues / there is a known cause. Not convinced it's anything to do with the mobile SDK but was asked by Salesforce Support to ask here. We have also escalated with support separately.

Since the end of May, we have been experiencing increasing issues with the authentication/session token management in our application. Our customers are frequently being logged out and prompted to re-authenticate with Salesforce.

  • At the time, we hadn't released any product changes since February 2024
  • We checked for any implementation changes with our customers (obviously some changes have occurred but affected customers are unrelated and exhibit similar authentication issues)
  • We have attempted to adjust authentication settings in the Salesforce configuration for various customers. While some measures temporarily alleviate the issue, they do not fully resolve or provide a long-term solution.

These issues are occurring even in customers that have set 24 hr session expiry, before 24 hours are up.

Given the sudden onset and nature of the issues, it feels like a server side change made as part of the Summer 24 release is the likely cause.

@mjmasn
Contributor Author

mjmasn commented Aug 6, 2024

Wonder if this change (https://help.salesforce.com/s/articleView?id=release-notes.rn_security_refresh_token_requests.htm&release=250&type=5) could be impacting the SDK, we're using v10.2.0 (we have already upgraded to v12 for our next release later in the year)

Will do some digging of my own but I'm interested if it's possible for the SDK to request multiple token refreshes simultaneously

@brandonpage
Contributor

Hi @mjmasn, I appreciate the post here to draw attention to this and hopefully prevent duplicate issues from being filed.

I don't think the Mobile SDK alone could be making multiple refresh token calls simultaneously because we use a lock to prevent this. If you can find a scenario that disproves this we would be happy to fix it.

I am sure we will be involved to assist with the server side investigation so I will update this thread here with the resolution.

@mjmasn
Contributor Author

mjmasn commented Aug 7, 2024

Thanks @brandonpage

I did some testing yesterday on Android and the lock was working as expected for me, so I think we can rule that possibility out. Even with 4 simultaneous 401s, only one token refresh request occurred and the app then continued as normal.

The only other piece of information I have is that some users appear to have 4 or more tokens for the app in SFDC admin after experiencing this issue (even after recently revoking all tokens). So I'm wondering is there some kind of issue causing them to hit the 5 logins per user per connected app limit and therefore older (but maybe still in use) tokens are being expired. As far as I know they are only using 1 device each though so we'll need to work out how they're triggering this.

Will update if/when I have more details.
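
The single-refresh behaviour discussed in this thread (a lock so that several simultaneous 401s lead to only one token refresh request), as an added example that is not part of the thread and not the Mobile SDK's code. `FakeTokenEndpoint`, `Session` and `simulate` are hypothetical names, and the token endpoint is a constructed in-memory stand-in.

```python
import threading


class FakeTokenEndpoint:
    """Constructed stand-in for an OAuth token endpoint; counts refresh requests."""

    def __init__(self):
        self._count_lock = threading.Lock()
        self.refresh_requests = 0

    def refresh(self, refresh_token):
        with self._count_lock:
            self.refresh_requests += 1
            return f"access-{self.refresh_requests}"


class Session:
    def __init__(self, endpoint, guarded):
        self.endpoint = endpoint
        self.guarded = guarded
        self.access_token = "access-0"               # constructed, treated as expired
        self.refresh_token = "refresh-placeholder"   # constructed value
        self._refresh_lock = threading.Lock()

    def handle_401(self, rejected_token):
        """Called by a request that received a 401 while using rejected_token."""
        if not self.guarded:
            # No coordination: every 401 produces its own refresh request.
            self.access_token = self.endpoint.refresh(self.refresh_token)
            return self.access_token
        with self._refresh_lock:
            # Another caller may have refreshed while this one waited for the lock;
            # refresh only if the rejected token is still the current one.
            if self.access_token == rejected_token:
                self.access_token = self.endpoint.refresh(self.refresh_token)
            return self.access_token


def simulate(guarded, callers=4):
    """Run `callers` requests that all get a 401 for the same expired token."""
    endpoint = FakeTokenEndpoint()
    session = Session(endpoint, guarded)
    barrier = threading.Barrier(callers)
    results = []

    def request():
        rejected = session.access_token   # token this request was sent with
        barrier.wait()                    # every caller now holds the same 401
        results.append(session.handle_401(rejected))

    threads = [threading.Thread(target=request) for _ in range(callers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return endpoint.refresh_requests, sorted(set(results))
```

`simulate(True)` reports one refresh request shared by all four callers, while `simulate(False)` reports four, one per 401.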
