parse-server: invalid session token code=209, message=invalid session token on v2.3.7

Issue Description

I have started getting the error invalid session token code=209, message=invalid session token after upgrading to 2.3.7 earlier today. Looking at the now-closed bug #2255 and at the source code, the root cause seems to be that there are two session ids present for the same user and same installation id, created and updated around the same time.

Not all API calls generate this error and not all users are affected.

Steps to reproduce

Not sure; I’m continuously updating parse-server every few weeks to keep up with the latest releases, and the message started popping up after upgrading to 2.3.7.

Logs/Trace

This is one of the requests that generates the error message:

d61952fe52b4[1182]: verbose: REQUEST for [PUT] /xxx/classes/_User/HngzyE3Clx: {
d61952fe52b4[1182]:   "runCount": {
d61952fe52b4[1182]:     "__op": "Increment",
d61952fe52b4[1182]:     "amount": 1
d61952fe52b4[1182]:   },
d61952fe52b4[1182]:   "lastContact": {
d61952fe52b4[1182]:     "iso": "2017-03-21T12:01:55.180Z",
d61952fe52b4[1182]:     "__type": "Date"
d61952fe52b4[1182]:   }
d61952fe52b4[1182]: } method=PUT, url=/xxx/classes/_User/HngzyE3Clx, host=xxx, connection=close, content-length=109, x-parse-app-display-version=4.0.2, x-parse-application-id=unused, accept=*/*, x-parse-os-version=9.3.5 (13G36), accept-language=en-us, x-parse-client-key=unused, user-agent=XXX/348 CFNetwork/758.5.3 Darwin/15.6.0, x-parse-app-build-version=348, content-type=application/json; charset=utf-8, x-parse-session-token=r:97ee17db8bc95ad6b657abb84aec39cb, x-parse-client-version=i1.14.2, x-parse-installation-id=bcf5b055-3b1c-4dc2-a405-5e04a5a1c3ad, accept-encoding=gzip, deflate, __op=Increment, amount=1, iso=2017-03-21T12:01:55.180Z, __type=Date
d61952fe52b4[1182]: verbose: RESPONSE from [PUT] /xxx/classes/_User/HngzyE3Clx: {
d61952fe52b4[1182]:   "response": {
d61952fe52b4[1182]:     "runCount": 76,
d61952fe52b4[1182]:     "updatedAt": "2017-03-21T12:01:55.668Z"
d61952fe52b4[1182]:   }
d61952fe52b4[1182]: } runCount=76, updatedAt=2017-03-21T12:01:55.668Z
d61952fe52b4[1182]: error: invalid session token code=209, message=invalid session token

This is the query for all sessions for that user:

rs0:PRIMARY> db.getCollection('_Session').find({"_p_user":"_User$HngzyE3Clx"})
{ "_id" : "4sQEyDhudw", "_session_token" : "r:e7500d9da1f7ea868e0e21c14b9cd83e", "_p_user" : "_User$HngzyE3Clx", "createdWith" : { "action" : "login", "authProvider" : "password" }, "restricted" : false, "expiresAt" : ISODate("2018-01-03T09:29:19.181Z"), "installationId" : "2b907a0c-26eb-4f19-bd6b-8dd7a734ec0c", "_created_at" : ISODate("2017-01-03T09:29:19.182Z"), "_updated_at" : ISODate("2017-01-03T09:29:19.182Z") }
{ "_id" : "Hn4AKvsUHi", "_session_token" : "r:e5e605f07e51c57de3e4601d3245aa34", "_p_user" : "_User$HngzyE3Clx", "createdWith" : { "action" : "login", "authProvider" : "password" }, "restricted" : false, "expiresAt" : ISODate("2018-01-03T09:29:19.201Z"), "installationId" : "2b907a0c-26eb-4f19-bd6b-8dd7a734ec0c", "_created_at" : ISODate("2017-01-03T09:29:19.202Z"), "_updated_at" : ISODate("2017-01-03T09:29:19.202Z") }
{ "_id" : "NwZxUuYmZt", "_session_token" : "r:3f9876c47dd44257afafed29c9203fd9", "_p_user" : "_User$HngzyE3Clx", "createdWith" : { "action" : "login", "authProvider" : "password" }, "restricted" : false, "expiresAt" : ISODate("2018-01-04T10:35:34.458Z"), "installationId" : "710680df-6519-42be-a675-d0dab62cdee5", "_created_at" : ISODate("2017-01-04T10:35:34.458Z"), "_updated_at" : ISODate("2017-01-04T10:35:34.458Z") }
{ "_id" : "SbwP8G7jDQ", "_session_token" : "r:f8b307985b8c4ebed1330202aa30594a", "_p_user" : "_User$HngzyE3Clx", "createdWith" : { "action" : "login", "authProvider" : "password" }, "restricted" : false, "expiresAt" : ISODate("2018-01-04T10:35:34.453Z"), "installationId" : "710680df-6519-42be-a675-d0dab62cdee5", "_created_at" : ISODate("2017-01-04T10:35:34.453Z"), "_updated_at" : ISODate("2017-01-04T10:35:34.453Z") }
{ "_id" : "BVMouretHK", "_session_token" : "r:25d3e52c371386b56e96d0f9b839c287", "_p_user" : "_User$HngzyE3Clx", "createdWith" : { "action" : "login", "authProvider" : "password" }, "restricted" : false, "expiresAt" : ISODate("2018-01-05T01:30:30.838Z"), "installationId" : "bcf5b055-3b1c-4dc2-a405-5e04a5a1c3ad", "_created_at" : ISODate("2017-01-05T01:30:30.838Z"), "_updated_at" : ISODate("2017-01-05T01:30:30.838Z") }
{ "_id" : "iHVJWkOFsV", "_session_token" : "r:97ee17db8bc95ad6b657abb84aec39cb", "_p_user" : "_User$HngzyE3Clx", "createdWith" : { "action" : "login", "authProvider" : "password" }, "restricted" : false, "expiresAt" : ISODate("2018-01-05T01:30:30.864Z"), "installationId" : "bcf5b055-3b1c-4dc2-a405-5e04a5a1c3ad", "_created_at" : ISODate("2017-01-05T01:30:30.864Z"), "_updated_at" : ISODate("2017-01-05T01:30:30.864Z") }
{ "_id" : "SxZux6gBcs", "_session_token" : "r:748b0629fad3537c64bdff4f16eb66b6", "_p_user" : "_User$HngzyE3Clx", "createdWith" : { "action" : "signup", "authProvider" : "password" }, "restricted" : false, "installationId" : "c48adf7f-7b67-4a68-a7b0-91422c3141d2", "expiresAt" : ISODate("2018-01-03T09:25:13.906Z"), "_created_at" : ISODate("2017-01-03T09:25:13.906Z"), "_updated_at" : ISODate("2017-01-03T09:25:13.906Z") }
{ "_id" : "wVY87z45Rd", "_session_token" : "r:1aaa34b479dbc40a98b92895fde3c210", "_p_user" : "_User$HngzyE3Clx", "createdWith" : { "action" : "login", "authProvider" : "password" }, "restricted" : false, "expiresAt" : ISODate("2018-02-23T13:12:54.912Z"), "installationId" : "ee8b543c-3108-43ef-85e8-383614581082", "_created_at" : ISODate("2017-02-23T13:12:54.912Z"), "_updated_at" : ISODate("2017-02-23T13:12:54.912Z") }
{ "_id" : "YQ8jGPOkdy", "_session_token" : "r:501c602c40834ef82637300847ce0d3d", "_p_user" : "_User$HngzyE3Clx", "createdWith" : { "action" : "login", "authProvider" : "password" }, "restricted" : false, "expiresAt" : ISODate("2018-02-23T13:12:55.494Z"), "installationId" : "ee8b543c-3108-43ef-85e8-383614581082", "_created_at" : ISODate("2017-02-23T13:12:55.494Z"), "_updated_at" : ISODate("2017-02-23T13:12:55.494Z") }

If you look at the sessions for installation id bcf5b055-3b1c-4dc2-a405-5e04a5a1c3ad, they are actually just a few milliseconds apart, which looks weird…

{ "_id" : "BVMouretHK", "_session_token" : "r:25d3e52c371386b56e96d0f9b839c287", "_p_user" : "_User$HngzyE3Clx", "createdWith" : { "action" : "login", "authProvider" : "password" }, "restricted" : false, "expiresAt" : ISODate("2018-01-05T01:30:30.838Z"), "installationId" : "bcf5b055-3b1c-4dc2-a405-5e04a5a1c3ad", "_created_at" : ISODate("2017-01-05T01:30:30.838Z"), "_updated_at" : ISODate("2017-01-05T01:30:30.838Z") }
{ "_id" : "iHVJWkOFsV", "_session_token" : "r:97ee17db8bc95ad6b657abb84aec39cb", "_p_user" : "_User$HngzyE3Clx", "createdWith" : { "action" : "login", "authProvider" : "password" }, "restricted" : false, "expiresAt" : ISODate("2018-01-05T01:30:30.864Z"), "installationId" : "bcf5b055-3b1c-4dc2-a405-5e04a5a1c3ad", "_created_at" : ISODate("2017-01-05T01:30:30.864Z"), "_updated_at" : ISODate("2017-01-05T01:30:30.864Z") }

Please let me know if you need more details.

About this issue

  • State: closed
  • Created 7 years ago
  • Comments: 75 (58 by maintainers)

Most upvoted comments

We can definitely let it go through when multiple valid sessions are found. That would solve the issue.

Bug fixed and retested in the app beta, but it will take many months before it will spread to the users.

In the meantime, due to the nature of the bug (hitting the /login API endpoint twice from the same device in quick succession), many devices will be duplicating my session rows over time.

I see two ways forward:

1/ Investigate what exactly is happening on the Parse iOS SDK side when it receives error 209 as a result of any API call, to assess the potential damage to the client. If harmless, leave as is and ignore. If not harmless, go to 2/.

2/ Modify Auth.js line 59 to not throw on finding multiple sessions for the same installation id and same user and proceed with one session.

What do you think would be the best way forward?
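Two helpers written for this thread (an added example, not parse-server's own code): findDuplicateSessions groups _Session rows by user and installationId to flag the near-simultaneous double-login pairs visible in the dump above, and resolveSession is a hypothetical token check in the spirit of option 2/, accepting any unexpired row carrying the token instead of rejecting the user because the pair has several rows. The sample rows are a constructed subset of the dump quoted in the issue.

```javascript
// Constructed sample: a subset of the _Session rows quoted in this issue (same field names as the dump).
const SESSIONS = [
  { _id: "BVMouretHK", _session_token: "r:25d3e52c371386b56e96d0f9b839c287", _p_user: "_User$HngzyE3Clx",
    installationId: "bcf5b055-3b1c-4dc2-a405-5e04a5a1c3ad", expiresAt: new Date("2018-01-05T01:30:30.838Z"),
    _created_at: new Date("2017-01-05T01:30:30.838Z") },
  { _id: "iHVJWkOFsV", _session_token: "r:97ee17db8bc95ad6b657abb84aec39cb", _p_user: "_User$HngzyE3Clx",
    installationId: "bcf5b055-3b1c-4dc2-a405-5e04a5a1c3ad", expiresAt: new Date("2018-01-05T01:30:30.864Z"),
    _created_at: new Date("2017-01-05T01:30:30.864Z") },
  { _id: "NwZxUuYmZt", _session_token: "r:3f9876c47dd44257afafed29c9203fd9", _p_user: "_User$HngzyE3Clx",
    installationId: "710680df-6519-42be-a675-d0dab62cdee5", expiresAt: new Date("2018-01-04T10:35:34.458Z"),
    _created_at: new Date("2017-01-04T10:35:34.458Z") },
  { _id: "wVY87z45Rd", _session_token: "r:1aaa34b479dbc40a98b92895fde3c210", _p_user: "_User$HngzyE3Clx",
    installationId: "ee8b543c-3108-43ef-85e8-383614581082", expiresAt: new Date("2018-02-23T13:12:54.912Z"),
    _created_at: new Date("2017-02-23T13:12:54.912Z") },
  { _id: "YQ8jGPOkdy", _session_token: "r:501c602c40834ef82637300847ce0d3d", _p_user: "_User$HngzyE3Clx",
    installationId: "ee8b543c-3108-43ef-85e8-383614581082", expiresAt: new Date("2018-02-23T13:12:55.494Z"),
    _created_at: new Date("2017-02-23T13:12:55.494Z") },
];

// Detection: group rows by (user, installationId) and report groups of two or more rows whose
// creation times all fall within `windowMs` of each other, the signature of a doubled /login call.
function findDuplicateSessions(sessions, windowMs = 1000) {
  const groups = new Map();
  for (const s of sessions) {
    const key = `${s._p_user}|${s.installationId}`;
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push(s);
  }
  const dups = [];
  for (const [key, rows] of groups) {
    if (rows.length < 2) continue;
    const times = rows.map(r => r._created_at.getTime());
    const spread = Math.max(...times) - Math.min(...times);
    if (spread <= windowMs) dups.push({ key, ids: rows.map(r => r._id).sort(), spreadMs: spread });
  }
  return dups;
}

// Tolerant lookup (hypothetical helper, not parse-server's Auth.js): accept the presented token when
// any unexpired row carries it, regardless of how many rows the same user/installation pair has;
// return the 209 error only when no unexpired row matches.
function resolveSession(token, sessions, now = new Date()) {
  const matches = sessions.filter(s => s._session_token === token && s.expiresAt > now);
  if (matches.length === 0) return { ok: false, code: 209, message: "invalid session token" };
  matches.sort((a, b) => b._created_at - a._created_at); // prefer the newest row if several match
  return { ok: true, user: matches[0]._p_user, sessionId: matches[0]._id };
}
```

Running findDuplicateSessions over a full _Session export gives the list of affected installations, which is the population the app-side fix will eventually clean up.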

To confirm: I have now been able to reproduce the problem, and it is indeed a bug in my iOS app where certain conditions trigger a double login API call.