staff interface should check authentication session more frequently

Bug #2034956 reported by Galen Charlton
Affects: Evergreen
Status: Confirmed
Importance: Medium
Assigned to: Galen Charlton

Bug Description

Currently, the staff interface (both Angular and AngularJS) will check to see if the user login session is still active.

That check occurs at an interval of the relevant inactivity timeout + 5 seconds (adjusted to be no more frequently than once a minute and no longer than a JavaScript integer size limitation).

The check invokes open-ils.auth.session.retrieve in such a way that the session's expiration time doesn't get advanced, but the mere action of retrieving the key does count as a use by memcached.

Consequently, if the session is checked by the staff interface very infrequently, the authtoken will get increasingly likely to get prematurely evicted from the memcached cache due to its LRU (least recently used) eviction algorithm.

As a consequence, it can be possible for somebody to log in to Evergreen in the morning, wait a couple hours, come back and see that the staff interface is still logged in, then try an action only to see the staff interface log itself out.

A better outcome would be for the session to still be active (up to the configured inactivity timeout) or for the staff interface to have at least logged itself out.

open-ils.auth.session.retrieve calls are cheap enough that checking every minute might well be reasonable, even in a consortium whose staff users all run with twenty open browser tabs apiece, but doing it only every 5 or 10 minutes would still be meaningful.

As a side note, there could be a distinction between how frequently the staff interface checks whether it's been used recently versus how frequently that check includes an attempt to retrieve the auth session. The former might support something like obscuring the UI until the user wakes it up.

Evergreen 3.8+

Galen Charlton (gmc)
Changed in evergreen:
importance: Undecided → Medium
tags: added: angular angularjs authentication
Galen Charlton (gmc) wrote :

See also bug 1753565; changing session storage to Redis or PostgreSQL unlogged tables or any that isn't competing with cover images and search results for cache storage may reduce or obviate the need for this.

Jason Boyer (jboyer) wrote :

Marking confirmed because I've seen memcached evictions around 10 minutes after login for some systems, which is not great if the client won't check the authtoken automatically for several hours.

Changed in evergreen:
status: New → Confirmed
Jason Boyer (jboyer) wrote :

Here's a branch that just hard-codes the session check at 3 minutes. That should be frequent enough to be useful for resetting the memcached LRU without making the calls too frequently and swamping services.

https://git.evergreen-ils.org/?p=working/Evergreen.git;a=shortlog;h=refs/heads/user/jboyer/lp2034956_this_old_authtoken / working/user/jboyer/lp2034956_this_old_authtoken
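An added illustration (not Evergreen's code, and not the branch linked above) of the two poll-interval policies discussed in this bug: the original "inactivity timeout + 5 s, clamped to one minute and the timer's maximum delay" computation from the description, and the fixed 3-minute check from the branch, plus a chained-setTimeout poll loop whose timer functions are injectable so it can be driven without waiting. Function names, the 10-minute eviction horizon, and the boolean `retrieveSession` shape are assumptions made for the example.

```javascript
// Illustrative example, not Evergreen's own code. Names are assumptions.

const ONE_MINUTE_MS = 60 * 1000;
// Largest delay setTimeout/setInterval accept (2^31 - 1 ms); anything larger
// overflows a signed 32-bit int and the timer fires almost immediately.
const MAX_TIMER_DELAY_MS = 2147483647;

// Original behaviour described in the bug: poll at inactivity timeout + 5 s,
// clamped to no more often than once a minute and no longer than the timer max.
function timeoutBasedCheckIntervalMs(inactivityTimeoutSec) {
  const raw = inactivityTimeoutSec * 1000 + 5000;
  return Math.min(Math.max(raw, ONE_MINUTE_MS), MAX_TIMER_DELAY_MS);
}

// Behaviour of the proposed fix: a fixed 3-minute poll, independent of the timeout.
const FIXED_CHECK_INTERVAL_MS = 3 * 60 * 1000;

// Does a poll interval touch the session key more often than an observed
// memcached eviction horizon? (The comment above reports ~10 minutes on some systems.)
function keepsTokenWarm(checkIntervalMs, evictionHorizonMs) {
  return checkIntervalMs < evictionHorizonMs;
}

// Session poll loop built on chained setTimeout rather than setInterval, so a
// slow retrieve never stacks overlapping checks. Timer functions are injectable.
function startSessionPoll({ intervalMs, retrieveSession, onExpired,
                            setTimer = setTimeout, clearTimer = clearTimeout }) {
  let handle = null;
  let stopped = false;
  const tick = () => {
    if (stopped) return;
    // Assumed: retrieveSession() returns true while the authtoken still exists
    // (a retrieve that does not advance the expiry, as the description notes).
    if (!retrieveSession()) {
      onExpired();          // log the staff interface out instead of lingering
      return;
    }
    handle = setTimer(tick, intervalMs);   // re-arm only after a successful check
  };
  handle = setTimer(tick, intervalMs);
  return { stop() { stopped = true; clearTimer(handle); } };
}
```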

Galen Charlton (gmc)
Changed in evergreen:
assignee: nobody → Galen Charlton (gmc)
Terran McCanna (tmccanna) wrote :

Adding pullrequest so it gets more attention

tags: added: pullrequest
Jason Boyer (jboyer) wrote :

setInterval() mistake removed and setTimeout branch restored. Guess I should have edited my previous rather than delete, but too late for that now.

Galen Charlton (gmc) wrote :

Signoff pushed to working/user/gmcharlt/lp2034956_signoff along with a lint fix. Equinox has had this in production for about four months.

tags: added: signedoff