But, starting a couple of weeks ago we started getting strange behaviour: some users reported getting logged out at various, seemingly random, times. We ruled out all the obvious causes, went through all the changes in our most recent release, but could not see what was going on. It wasn’t specific to any particular user, browser, request, network, operating system or time of day. Or anything else we could think of. We added diagnostic code and all that told us was that after a few hundred perfectly normal Ajax requests suddenly and without any apparent cause there was no cookie included with a request and our Desktop would respond by asking the user to login again. After a few logouts this rapidly becomes unfunny.
Eventually we discovered that we had literally dozens of cookies stored against our domain name in the affected browsers with names like scayt_1__options. A quick search through our source found that our new version of CKeditor had changed so that now the ‘SCAYT’ (Spell Check As You Type) plugin is enabled by default – and that integration creates literally dozens of cookies to hold your spelling preferences!
The browsers didn’t send all these cookies to us every time – they have different Paths to most of our app – but those browsers did discard the much more important Session cookie randomly – because browsers guarantee surprisingly little with regards to the retention of cookies.
Once we’d identified the problem the solution was easy: disable the plugin.