
[Dev mode] Vite page reload cancels redirection to the logout page when an authenticated session is invalidated #20819

Open
mcollovati opened this issue Jan 9, 2025 · 0 comments


Description of the bug

Given an application with views protected by authentication (HttpServletRequest.getUserPrincipal() != null) and logout functionality that redirects the browser to a public page, if frontend reload is enabled (Vite client), the redirection is cancelled on logout and the current page is reloaded instead.

This happens because the Vaadin Vite websocket proxy gets closed on session invalidation, and the Vite client performs a page reload concurrently with the redirection issued by the logout process via the HTTP Location header.

Expected behavior

The browser is redirected to the configured logout landing page.

Minimal reproducible example

  • Clone or download the Flow spring starter from https://github.com/vaadin/skeleton-starter-flow-spring

  • Add the Spring Security starter dependency to the POM file

    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-security</artifactId>
    </dependency>
  • Create the following views

    // Imports shared by the three views below (each view goes in its own file)
    import com.vaadin.flow.component.button.Button;
    import com.vaadin.flow.component.html.Anchor;
    import com.vaadin.flow.component.html.Div;
    import com.vaadin.flow.component.html.H1;
    import com.vaadin.flow.component.login.LoginForm;
    import com.vaadin.flow.component.orderedlayout.VerticalLayout;
    import com.vaadin.flow.router.Route;
    import com.vaadin.flow.router.RouteAlias;
    import com.vaadin.flow.server.auth.AnonymousAllowed;
    import com.vaadin.flow.spring.security.AuthenticationContext;
    import jakarta.annotation.security.PermitAll;

    // Public login page; the form posts to Spring Security's /login endpoint
    @Route("login")
    @AnonymousAllowed
    public class LoginView extends Div {
        public LoginView() {
            LoginForm form = new LoginForm();
            form.setAction("login");
            add(form);
        }
    }

    // Public landing page the browser should end up on after logout
    @Route("session-ended")
    @AnonymousAllowed
    public class LogoutView extends Div {
        public LogoutView() {
            add(new H1("Landing view"));
            Anchor homeLink = new Anchor("/home", "Home");
            homeLink.setRouterIgnore(true); // full page load instead of client-side routing
            add(homeLink);
        }
    }

    // Protected view; the button invalidates the session and triggers the logout redirect
    @Route("home")
    @RouteAlias("")
    @PermitAll
    public class MainView extends VerticalLayout {
        public MainView(AuthenticationContext authCtx) {
            add(new Button("Invalidate session and redirect", ev -> authCtx.logout()));
        }
    }
  • Configure Spring Security to redirect to LogoutView after logout

    import com.vaadin.flow.spring.security.VaadinWebSecurity;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.core.userdetails.User;
    import org.springframework.security.core.userdetails.UserDetails;
    import org.springframework.security.provisioning.InMemoryUserDetailsManager;
    import org.springframework.security.provisioning.UserDetailsManager;

    @Configuration
    public class SecurityConfig extends VaadinWebSecurity {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            super.configure(http);
            // Login page at /login; after logout the browser is sent to /session-ended
            setLoginView(http, "/login", "/session-ended");
        }

        @Bean
        public UserDetailsManager userDetailsService() {
            // {noop} stores the password unencoded; acceptable only for this reproduction
            UserDetails user =
                    User.withUsername("alice").password("{noop}alice").roles("USER").build();
            return new InMemoryUserDetailsManager(user);
        }
    }
  • Enable frontend hot deploy in both the vaadin-maven-plugin configuration and application.properties

    <!-- pom.xml -->
    <plugin>
        <groupId>com.vaadin</groupId>
        <artifactId>vaadin-maven-plugin</artifactId>
        <version>${vaadin.version}</version>
        <configuration>
            <frontendHotdeploy>true</frontendHotdeploy>
        </configuration>
        ...
    </plugin>

    # application.properties
    vaadin.frontend.hotdeploy=true
  • Start the application, enter the user credentials on the login page and submit the form. On the main view press the Invalidate session and redirect button.

  • Observe that the login page is shown instead of the logout view.

If you disable frontend hotdeploy and try again, after logout the browser is correctly redirected to the logout view.

Versions

  • Vaadin / Flow version: 24.6 (Most likely also all previous versions)
  • Java version: 21
  • OS version: Linux