Knack Application prompting "Validate your session": Our users can't log in

Our Knack application, which has been running without issue for a long time, started prompting our users today with a “Validate your session” message. Our application is embedded in an HTML wrapper and uses Google SSO to log on.

It happens in both Chrome and Edge.

It seems clearing all browser cache and cookies will allow it to work for a little while and then the error returns.

Clicking on “Validate your session” just causes an endless spinning wheel.

Chrome shows the following issues:

Invalid ‘X-Frame-Options’ header encountered when loading ‘https://us-east-1-renderer-write.knack.com/’: ‘‘allow-from’ https://us-east-1-renderer-write.knack.com’ is not a recognized directive. The header will be ignored.

The server address us-east-1-renderer-write.knack.com appears to be uncontactable.

Any ideas would be greatly appreciated.

Recommend reporting to support@knack.com :blush:

Hi @AdrianBell27622 - we’re sorry for the trouble you and your users are experiencing.

This is related to an update we deployed yesterday to embedded app settings that lets you select the way browsers will handle logins for your embedded app.

The new default option is cookies, which can be blocked by an individual’s browser settings. When using this option, we suggest informing your users to enable third-party cookies in their browser settings. This “Validate” button you’re seeing is related to cookies being enabled but blocked by the browser.

The alternative option is tokens, which is less secure but offers a more seamless login experience. You can update this from your builder under Settings > User Logins > Embedded Login Security.

Do keep in mind the usability and security trade-offs, which you can learn more about here: Embedded Login Security Settings.

Thank you for posting here, and let us know if you have any further questions.

Thanks Jessie. Switching to tokens has allowed our app to return to the previous (working) behaviour.

I note that it should work with third-party cookies. However, we have the default setting of only blocking third-party cookies in incognito.

Should I add our domain name to the sites that always use cookies? Or perhaps might there be a problem with our HTML wrapper code that is preventing the save of a cookie?