Mounting lv:phx-{id} failed while verifying session with: :invalid

Hello,

We get this message showing up in our logs with level error:

Mounting lv:phx-tKo+aTpm failed while verifying session with: :invalid

I’ve found that it’s probably caused by the fact that we previously deployed it with a liveview signing salt different than the one we use now. So some users had incorrectly signed sessions. At first I had many different lv:phx-ids strings but since I asked our users to clear their cookies (it’s a beta app with a few test users), I only see errors with a single lv:phx-id. For some reason logging out and in again wasn’t enough to get rid of those invalid session errors, despite the session cookie being apparently overwritten, which is a bit mysterious to me. The problem is I can’t figure out what user is triggering these errors. I tried digging into the code and ETS tables but couldn’t find where this id comes from and how to link it to a user of our app (we use Phauxth). So any info regarding this would be very much appreciated.

Also I’m wondering if error is the correct log level for something like this? Shouldn’t it be warning, as it’s not really an execution error, but rather a client error? I’m asking because I’ve set up logging so that it sends us alerts on our chat room for level error but in this case it’s not really an emergency, just noise in the logs.

> Shouldn’t it be warning, as it’s not really an execution error, but rather a client error?

Nginx also logs errors for invalid passwords, which tends to show this is standard practice.

The LiveView session signing mechanism uses both the secret_key_base and the LiveView signing_salt configuration parameters. Both strings must not change between deployments, otherwise existing sessions become :invalid.

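The effect described in the last reply can be reproduced with Phoenix.Token, the signed-token API that ships with Phoenix. This is an added example, not code from the thread or from LiveView itself; the module name, secrets, salts and session contents are constructed, and it assumes it is run inside a Phoenix project (for example with `mix run`). Only the verification with the unchanged configuration succeeds; changing either the salt or the secret returns `{:error, :invalid}`.

```elixir
defmodule SaltChangeDemo do
  # Constructed sample configurations, not taken from any real deployment.
  # Phoenix.Token accepts a raw secret_key_base string of at least 20 bytes.
  @previous %{secret_key_base: String.duplicate("a", 64), signing_salt: "old-lv-salt"}
  @new_salt %{secret_key_base: String.duplicate("a", 64), signing_salt: "new-lv-salt"}
  @new_secret %{secret_key_base: String.duplicate("b", 64), signing_salt: "old-lv-salt"}

  # Sign session data with the secret and salt of one deployment.
  def sign(config, session) do
    Phoenix.Token.sign(config.secret_key_base, config.signing_salt, session)
  end

  # Verify a token with the secret and salt of a (possibly different) deployment.
  def verify(config, token) do
    Phoenix.Token.verify(config.secret_key_base, config.signing_salt, token,
      max_age: 14 * 24 * 60 * 60
    )
  end

  def run do
    # Token issued by the earlier deployment and still held by a client.
    token = sign(@previous, %{"user_id" => 42})

    deployments = [
      {"unchanged config", @previous},
      {"signing_salt changed", @new_salt},
      {"secret_key_base changed", @new_secret}
    ]

    # Return and print the verification result for each deployment.
    for {label, config} <- deployments do
      result = verify(config, token)
      IO.inspect(result, label: label)
      {label, result}
    end
  end
end

SaltChangeDemo.run()
```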