dselgo_eidex
Partner - Creator III

Session denied because of JTI Replay Attack Error

Hello,

My app connects to Qlik Sense via a virtual proxy that uses JWT to handle user authentication. Normally, I hit the virtual proxy with my JWT containing the user's information and then it returns a session cookie that gets stored with my browser and is used to authenticate all future requests. This works fine usually, but if a user closes out of the browser, the session cookie is deleted and the user has to reconnect via JWT authentication. The issue I have been running into quite often lately is where my requests for authentication are getting denied by the virtual proxy with the following message being logged:

"Jwt authentication attempt treated as a replay as a non unique jti was presented. Request will not be authenticated."

A quick Google search turns up this support article: https://support.qlik.com/articles/000092118. It says that the request is denied when a non-unique JTI is presented within a 5-minute time frame. That is completely understandable, but it also doesn't seem to be the case. I tried connecting with a JWT and was denied a session because of a JTI replay attack error. I then waited 25 minutes and tried again, but I was STILL denied a session because of a JTI replay attack error.

Is there something that I am missing? There doesn't seem to be a way to keep this error from occurring, or to change the time window. Is there a config file I can go to to disable it?

What is weird is that I have gotten this to work before by waiting 5 minutes, but it doesn't work anymore. Does the JWT get put on a permanent blacklist after a certain number of attempts?

0 Replies
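
A simplified model of the jti replay check as the post summarizes it from the support article, next to a client that mints a new token with a fresh `jti` for every authentication attempt. This is an added example, not part of the original post and not Qlik's implementation; the HMAC secret, the claim set, `mintToken` and `ReplayGuard` are assumptions made for illustration.

```javascript
// Added example: simplified model, not Qlik's code. All names are hypothetical.
const crypto = require('node:crypto');

const WINDOW_MS = 5 * 60 * 1000;          // 5-minute window quoted in the post
const SECRET = 'constructed-demo-secret'; // constructed value for the demo only

const b64 = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const sign = (data) =>
  crypto.createHmac('sha256', SECRET).update(data).digest('base64url');

// Client side: build a new token for each authentication attempt.
function mintToken(userId, now = Date.now()) {
  const iat = Math.floor(now / 1000);
  const body = b64({ alg: 'HS256', typ: 'JWT' }) + '.' + b64({
    sub: userId,
    jti: crypto.randomUUID(), // fresh per token, never reused
    iat,
    exp: iat + 60,            // short-lived: only needed to obtain the session
  });
  return body + '.' + sign(body);
}

// Verifier side: refuse a jti that was already presented inside the window.
class ReplayGuard {
  constructor() { this.seen = new Map(); } // jti -> time first presented

  check(token, now = Date.now()) {
    const [h, p, sig] = token.split('.');
    const got = Buffer.from(sig || '');
    const want = Buffer.from(sign(h + '.' + p));
    if (got.length !== want.length || !crypto.timingSafeEqual(got, want)) {
      return 'bad-signature';
    }
    const claims = JSON.parse(Buffer.from(p, 'base64url').toString());
    if (claims.exp * 1000 <= now) return 'expired';
    // Forget entries older than the window, then test for a repeat.
    for (const [jti, t] of this.seen) {
      if (now - t > WINDOW_MS) this.seen.delete(jti);
    }
    if (!claims.jti || this.seen.has(claims.jti)) return 'replay';
    this.seen.set(claims.jti, now);
    return 'ok';
  }
}
```

In this model a stored or cached token is rejected on its second presentation, while a token minted at reconnect time with a new `jti` is accepted.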