old cookie generates a flood of exceptions

It's not project-specific, as far as I can tell, so you should be able to reproduce it with any demo project, on the server side.

The thing is that Sphinx sets a cookie and it's mighty persistent, must be using browser storage, because it survives machine reboots. This cookie is in HS256 JWT format. And if you start a new session and Sphinx can see that old cookie, it raises an exception; since there are dozens of round trips back and forth until it gets anywhere, that keeps happening for a while:

First chance exception at $00007FFB57E12E0C. Exception class EJOSEException with message 'JWS signature is invalid: 0zSUj5pL_PYj4uWNMWfzp9SlzlKQkvVvms3fgMU1oPY'. Process XXXXX_Interactive.exe (7792)

Which is rather annoying when you are trying to debug something else.

This is where it does the check that fails:
[screenshot of the failing signature check]

And yes, it would be invalid. So it should probably clear that cookie as soon as it can spot it. Or never save it, because as far as I can tell, Sphinx does not offer lax auto-signon on an old cookie anyway and prompts the user every time, so why is it setting it? And why does it make it so persistent?

Because this will be supported soon, so users won't have to be prompted to login again.

How to reproduce it with current demo?
Problem is I haven't seen it happening yet, so while it might be simple to reproduce it, I don't know how. Do you?

Strange, for me, it happens practically on every run. Try this: in the demo server, enable a user for 2FA and set the key (may not be needed, but that's what I have), run it, start the client, login, close the browser. Open the client again, login - it does not go to the server, somehow it's using cookies, which I still need to figure out. Logout, login again - you should see exceptions. It does it like 15 times per run.

I see it here when I close the server and reopen it. The reason is Sphinx saves cookies using a JWT signed with an internal secret which is reset every time the server launches. That's why it says the JWT signature (of the cookie) is invalid.

But:

  1. This only happens if you restart the server. Thus, it's even "more harmless" (sorry about the lack of better English wording) because in a production environment it's rare to restart the server.
  2. Nevertheless, the "error" is harmless, it's ignored by Sphinx and won't be raised by the application. You only see it when debugging the app.

But in any case, if you still want to avoid the error and keep the cookies valid between server restarts, you can force Sphinx to use a fixed JWT secret for the cookies:

uses {...}, Sphinx.LoginManager.Impl;

...
  // Fixed secret shared by every launch of the server, so cookies issued
  // before a restart still verify afterwards
  TAuthCookieManager.CookieJwtSecret :=
    TEncoding.UTF8.GetBytes(
      'Put here a secret for your authentication cookies in login app');
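To make the mechanism behind the exception concrete, here is an added example (not Sphinx code, and not from anyone in this thread) that models the two behaviours described above with plain HS256 JWTs: a server that draws a fresh random secret on every launch versus one configured with a fixed secret. The `ServerProcess` class and its method names are assumptions for the model, not Sphinx API.

```python
import base64, hashlib, hmac, json, os
from typing import Optional

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_hs256(claims: dict, secret: bytes) -> str:
    """Build a compact JWS (header.payload.signature) signed with HMAC-SHA256."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_hs256(token: str, secret: bytes) -> bool:
    """True only if the token is well formed, declares HS256 and its MAC matches `secret`.
    The expected algorithm is pinned by the verifier, never taken on trust from the token."""
    try:
        header, payload, sig = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return False
        expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, _b64url_decode(sig))
    except (ValueError, json.JSONDecodeError):
        return False

class ServerProcess:
    """Hypothetical model of one launch of the login server.
    fixed_secret=None mirrors the default described in the thread:
    a new random internal secret every time the process starts."""
    def __init__(self, fixed_secret: Optional[bytes] = None):
        self.secret = fixed_secret if fixed_secret is not None else os.urandom(32)

    def issue_cookie(self, user: str) -> str:
        return sign_hs256({"sub": user}, self.secret)

    def accept_cookie(self, cookie: str) -> bool:
        # A False here is the "JWS signature is invalid" condition from the report
        return verify_hs256(cookie, self.secret)

def cookie_survives_restart(fixed_secret: Optional[bytes]) -> bool:
    """Issue a cookie, 'restart' the server, and check whether the old cookie still verifies."""
    cookie = ServerProcess(fixed_secret).issue_cookie("alice")   # constructed sample user
    return ServerProcess(fixed_secret).accept_cookie(cookie)
```

With the default (random per launch) the old cookie fails verification after a restart, which is exactly the situation that floods the debugger; with a fixed secret it verifies again.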