Webstaff fails to auto-logout in some scenarios
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Evergreen | Fix Released | Medium | Unassigned |
2.12 | Won't Fix | Medium | Unassigned |
Bug Description
Evergreen 2.12+
Sometimes the browser client fails to automatically log out the authenticated staff member and redirect to the login page. I left 2 tabs open overnight (running master) and they both failed to redirect. The JS console showed no errors, just the regular auth session polling.
My theory is it's a result of how the browser client determines if a session is still valid. Unlike the XUL client, which simply fails in real-time if an action is attempted on a stale session, the browser client polls for session validity at regular intervals. (The goal here is to force the page to refresh, since it may contain sensitive data.) This polling is likely resetting the session timeout, essentially forcing the session to be valid indefinitely.
One solution may be to add a "no-timeout-reset" parameter to open-ils.
--
Note there is an OUS "ui.general.
Changed in evergreen:
milestone: 3.0.1 → 3.0.2
Changed in evergreen:
assignee: nobody → Galen Charlton (gmc)
importance: Undecided → Medium
status: New → Confirmed
Changed in evergreen:
status: Fix Committed → Fix Released
More info: the issue appears to require having multiple tabs open. A single tab polls at slightly longer than the auth timeout, so it normally attempts to retrieve sessions after they have expired, allowing the log out to proceed. With multiple tabs, though, action in either tab extends the auth session, causing the polling to get out of sync.
We could resolve this by moving the polling into a shared worker, but I prefer the API change because avoiding session-extension when polling seems like a good thing to do anyway. Plus, it could be useful in other contexts.
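The interaction described in this report can be reproduced with a small model. The following is an added example, not Evergreen code: `TIMEOUT`, `POLL_INTERVAL`, `simulate` and the `pollExtends` flag are assumed names, and `pollExtends = false` stands in for the proposed poll that does not reset the session timeout.

```javascript
// Constructed model, not Evergreen code: one server-side auth session with an
// idle timeout, and staff-client tabs that each poll it for validity.
const TIMEOUT = 100;       // seconds of inactivity before the session expires
const POLL_INTERVAL = 105; // each tab polls slightly later than the timeout

// tabOpenTimes: when each tab is opened (the first one is the login).
// Returns, per tab, the time it detected a stale session (null = never).
function simulate(tabOpenTimes, pollExtends, horizon) {
  let lastTouched = tabOpenTimes[0];
  const isValid = (now) => now - lastTouched < TIMEOUT;

  // One event queue: opening a tab is a real staff action; polls are timers.
  const events = tabOpenTimes.map((t, tab) => ({ t, tab, kind: 'open' }));
  const logoutAt = tabOpenTimes.map(() => null);

  while (events.length) {
    events.sort((a, b) => a.t - b.t);
    const ev = events.shift();
    if (ev.t > horizon) break;

    if (!isValid(ev.t)) {          // stale session: this tab redirects to login
      logoutAt[ev.tab] = ev.t;
      continue;
    }
    // Real actions always extend; polls extend only in the reported behaviour.
    if (ev.kind === 'open' || pollExtends) lastTouched = ev.t;
    events.push({ t: ev.t + POLL_INTERVAL, tab: ev.tab, kind: 'poll' });
  }
  return logoutAt;
}

// Single tab: the first poll lands after expiry, so logout proceeds.
console.log(simulate([0], true, 1000));      // [ 105 ]
// Two tabs, polls extend the session: each poll keeps the other tab alive.
console.log(simulate([0, 50], true, 1000));  // [ null, null ]
// Two tabs, polls do not extend: both tabs log out after the last real action.
console.log(simulate([0, 50], false, 1000)); // [ 210, 155 ]
```

With two tabs the polls interleave at gaps shorter than the timeout, so an extending poll never observes an expired session no matter how long the staff member is idle.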