Evergreen 2.12+
Sometimes the browser client fails to automatically log out the authenticated staff member and redirect to the login page. I left 2 tabs open over night (running master) and they both failed to redirect. The JS console showed no errors, just the regular auth session polling.
My theory is its a result of how the browser client determines if a session is still valid. Unlike the XUL client, which simply fails in real-time if an action is attempted on a stale session, the browser client polls for session validity at regular intervals. (The goal here is to force the page to refresh, since it may contain sensitive data). This polling is likely resetting the session timeout, essentially forcing the session to be valid indefinitely.
One solution may be to add a "no-timeout-reset" parameter to open-ils.auth.session.retrieve (used by the poller) so that it can fetch the auth session without magically resetting the timeout.
--
Note there is an OUS "ui.general.idle_timeout" responsible for minimizing the XUL client after a period of inactivity. It or similar behavior should be ported to the browser client, but since we can't guarantee a value for this setting will be applied, we can't rely on it as a way to force the session to log out in the browser.
More info: the issue appears to require having multiple tabs open. A single tab polls at slightly longer than the auth timeout, so it normally attempts to retrieve sessions after they have expired, allowing the log out to proceed. With multiple tabs, though, action in either tab extends the auth session, causing the polling to get out of sync.
We could resolve this by moving the polling into a shared worker, but I prefer the API change because avoiding session-extension when polling seems like a good thing to do anyway. Plus, it could be useful in other contexts.