Comment 16 for bug 1036318

Jason Stephenson (jstephenson) wrote :

Jeff Godin's monologue from IRC today:

(10:02:44 AM) jeff: csharp: if you can, i'd start with finding the "successful login" log entry for the user + workstation in question for the day that they had the problem, then look at log entries having that auth token.
(10:03:14 AM) jeff: in your case, it sounds like it will be a little noisy due to their xul interfaces still working.
(10:04:09 AM) jeff: oh.
(10:04:20 AM) jeff: hey, this might be it.
(10:04:30 AM) jeff: how long is your staff login timeout?
(10:05:26 AM) jeff: can you trace apache access logs back to individual machines, or are they all behind NAT with a bunch of other machines?
(10:05:53 AM) RoganH left the room (quit: Ping timeout: 265 seconds).
(10:06:18 AM) jeff: say your staff login timeout is 3600 seconds. tpac pages will all get a meta refresh tag that redirects to the logout page after 3600 seconds.
(10:06:32 AM) jeff: if they have a tab open and idle for an hour, it'll log their tpac session out, killing the cookie.
(10:07:04 AM) jeff: even if they have been active in another tpac tab during the meantime.
(10:09:40 AM) jeff: so if you can go from individual machine to apache log entries, i'll bet you see a logout.
(10:09:53 AM) jeff: (a tpac logout url request from the client)
(10:10:29 AM) jeff: if your timeout is so long that they couldn't possibly have had a tpac tab open and idle for that long after logging in, then that's probably not it.
(10:11:11 AM) jeff: arguably, staff tpac pages shouldn't have that meta refresh, and also shouldn't have a logout link.

The above appears to be what is happening in the majority of our cases.

To put it succinctly, staff have a tpac search tab open and idle for more than the staff activity timeout. When that refresh kicks in, the cookie that holds their credentials for the TPAC session within the staff client gets killed. However, the actual authtoken used by the staff client still works because its expiration is reset as they continue to use the staff client. This would explain why the tpac sessions within the staff client ask for a login but the staff client doesn't.

One way of mitigating this would be to remove the refresh from tpac pages loaded in the staff client. I'll throw up a branch in a few that attempts to do this.

I don't want to steal Jeff's thunder or speak for him, but I believe he is also looking into a more comprehensive fix that involves adjusting or not using the cookie in the staff client.

Inevitably, though, I think losing the refresh on the tpac pages in the staff client is part of the solution, so doing so won't be wasted effort.
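As an added illustration, not Evergreen code and not part of this bug thread, here is a small Python model of the interaction described above: a server-side authtoken with a sliding expiry (reset on every use) sitting beside a per-page meta-refresh timer that is fixed at page load. The class and function names are made up for the illustration, and the staff login timeout is assumed to be the 3600 seconds Jeff used as an example.

```python
"""Constructed model of the timeout mismatch: the authtoken stays alive because
the staff client keeps using it, but an idle TPAC tab's meta refresh still fires
at a fixed time and hits the logout URL, which kills the TPAC session cookie."""

STAFF_LOGIN_TIMEOUT = 3600  # seconds; assumed, the example value from the IRC log


class AuthToken:
    """Sliding-expiry token: any use inside the window pushes expiry forward."""

    def __init__(self, now):
        self.expires_at = now + STAFF_LOGIN_TIMEOUT

    def use(self, now):
        if now >= self.expires_at:
            return False
        self.expires_at = now + STAFF_LOGIN_TIMEOUT
        return True


class TpacTab:
    """A TPAC page; its meta refresh (if present) redirects to logout at a fixed time."""

    def __init__(self, opened_at, meta_refresh):
        self.logout_at = opened_at + STAFF_LOGIN_TIMEOUT if meta_refresh else None


def simulate(meta_refresh_in_staff_client, token_uses, idle_tab_opened_at=0, end=7200):
    """Return (token_still_valid, tpac_cookie_alive, logout_request_times) at `end`.

    token_uses: times at which other staff-client activity uses the authtoken.
    The idle tab is opened once at idle_tab_opened_at and never touched again.
    """
    token = AuthToken(0)
    cookie_alive = True
    logout_requests = []
    idle_tab = TpacTab(idle_tab_opened_at, meta_refresh_in_staff_client)
    events = [(t, "use") for t in token_uses]
    if idle_tab.logout_at is not None:
        events.append((idle_tab.logout_at, "meta_refresh_logout"))
    for t, kind in sorted(events):
        if t > end:
            break
        if kind == "use":
            token.use(t)  # staff-client activity keeps the authtoken alive
        else:
            logout_requests.append(t)  # idle tab requests the TPAC logout URL
            cookie_alive = False       # that logout kills the TPAC session cookie
    return token.use(end), cookie_alive, logout_requests
```

With the meta refresh present the run ends with a valid authtoken but a dead TPAC cookie, which is exactly the "tpac asks for a login, the staff client doesn't" symptom; removing the refresh from staff-client pages leaves the cookie intact.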