Some questions in addition to Ray's:

How are you authenticating (through Web Access login page or LFDS SSO)?

What's the exact Web Access version number?

Are the users using the 'Stay signed in' checkbox on the Web Access login page?

Is this on LF Cloud?

Sorry for the lack of details.

We are authenticating through LFDS SSO

Web Access version number is 10.2 (10.2.0.150)

This is a local installation, not LF Cloud.

This happens at least in Firefox and Chrome.

I do not have a "Stay Signed In" option on the LFDS login, although the option is checked in the web access config

As far as what it looks like, in the past, web access will pop up a dialog on the same page requesting authentication, now the web access tab does not change, but a new LFDS login page, i.e. https://lfds.fqdn.com/LFDSSTS/Login?origialPathAndQuery=etc." pops up in a new tab every 10 seconds or so

Hi Jesse, 

Sorry for the late response. I recommend opening a support case. Please link back to this answers thread in the case you open. 

Also, when opening the case, here are a few more follow up questions we have:

1. Does it happen with 1 user or all users?

2. What interface do users see when they get prompted with the new tab (Folder Browser, Doc Viewer, Management)?

3. Does it happen for all the time? Or only for full session timeouts?

It would also be useful if you could get the text event logs from C:\programData\Laserfiche\WebAccess\EventLogs (set log level to Debug) and a fiddler trace while reproducing the issue. 

Jesse, 

As an update, we are able to reproduce the issue internally.  Can you check the text event logs (c:\programData\Laserfiche\WebAccess\EventLogs) to see if calls to /laserfiche/RepositoryServiceW.ashx/SessionKeepalive fail with the message 'Invalid Connection'?

If so, we believe you're encountering a bug that occurs when LFDS SSO is enabled while the 'Idle Disconnect' feature (configuration page->settings tab) is enabled. The setting is causing keep alive requests to be sent from the browser to the Web Client server after the IIS app pool has been recycled. At this point, the Web Client session and LFDS global session have both expired, so each keep alive request causes the browser to redirect to the LFDS login page in a new tab. 

The workaround is to disable the Idle Disconnect feature for the time being. We filed a bug report for this issue (SCR154604 for your reference) and plan on fixing the issue in an upcoming release. 

Thanks for looking into this. I actually do not see this error show up anywhere in the logs in the c:\programData\Laserfiche\WebAccess\EventLogs folder. The only recurring error in the event log that seems to have anything to do with this is 'Laserfiche.LicenseManager.TokenNotRenewableException', however I can't say for sure that this was thrown at the same time that the additional tabs were being created. As it happens, when I got back from lunch today I came back to several dozen login tabs after having accidentally left Web Access logged in, but there is nothing in the WebAccess\EventLogs folder. There is, however, a Critical error in the Event Viewer for WebSTS from the time when this was happening, which says the following: 

ID4243: Could not create a SecurityToken. A token was not found in the token cache and no cookie was found in the context.

Hi Jesse,

We made a fix that we hope will resolve this issue in recently released Web Client 10.2.1. You can get the fix by simply installing the last Web Client version.

We're not 100% sure that the defect we fixed is the same one that you're seeing, so if the issue persists, please post the results here and open up a case with Laserfiche Support.

Thanks!