staff interface should check authentication session more frequently
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Evergreen | Confirmed | Medium | Galen Charlton | |
Bug Description
Currently, the staff interface (both Angular and AngularJS) will check to see if the user login session is still active.
That check occurs at an interval of the relevant inactivity timeout + 5 seconds (adjusted to be no more frequently than once a minute and no longer than a JavaScript integer size limitation).
The check invokes open-ils.
Consequently, if the session is checked by the staff interface very infrequently, the authtoken will get increasingly likely to get prematurely evicted from the memcached cache due to its LRU (least recently used) eviction algorithm.
As a consequence, it can be possible for somebody to log in to Evergreen in the morning, wait a couple hours, come back and see that the staff interface is still logged in, then try an action only to see the staff interface log itself out.
A better outcome would be for the session to still be active (up to the configured inactivity timeout) or for the staff interface to have at least logged itself out.
open-ils.
As a side note, there could be a distinction between how frequently the staff interface checks whether it's been used recently versus how frequently that check includes an attempt to retrieve the auth session. The former might support something like obscuring the UI until the user wakes it up.
Evergreen 3.8+
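An added illustration of the failure mode described in this report (not Evergreen code): the poll interval as the report states it, plus a toy LRU cache standing in for memcached. The cache capacity, write rate, key names and the 7200-second timeout are constructed assumptions, and real memcached eviction is more involved than this model.

```javascript
// Added illustration, not Evergreen code. Capacity, rates and key names are assumptions.
const MAX_DELAY_MS = 2 ** 31 - 1; // largest delay a JavaScript timer accepts

// Poll interval as the report states it: inactivity timeout + 5 s,
// no more often than once a minute, capped at the timer limit.
function pollIntervalMs(timeoutSec) {
  const ms = (timeoutSec + 5) * 1000;
  return Math.min(Math.max(ms, 60000), MAX_DELAY_MS);
}

// Toy LRU cache: a Map keeps insertion order, so its first key is the oldest.
class LruCache {
  constructor(capacity) { this.capacity = capacity; this.map = new Map(); }
  get(key) {
    if (!this.map.has(key)) return undefined;
    const v = this.map.get(key);
    this.map.delete(key);
    this.map.set(key, v); // re-insert so the key becomes most recently used
    return v;
  }
  set(key, v) {
    this.map.delete(key);
    this.map.set(key, v);
    if (this.map.size > this.capacity) this.map.delete(this.map.keys().next().value);
  }
}

// One idle staff session sharing the cache with unrelated entries (cover
// images, search results). Each second `writesPerSec` other keys are stored;
// every `pollSec` seconds the client retrieves the session.
// evictedAt: second the token left the cache; noticedAt: first failed poll.
function simulateIdleSession({ capacity, writesPerSec, pollSec, runSec }) {
  const cache = new LruCache(capacity);
  cache.set("authtoken", "session");
  let n = 0, evictedAt = null;
  for (let t = 1; t <= runSec; t++) {
    for (let i = 0; i < writesPerSec; i++) cache.set(`other:${n++}`, 1);
    if (evictedAt === null && !cache.map.has("authtoken")) evictedAt = t;
    if (t % pollSec === 0 && cache.get("authtoken") === undefined) {
      return { evictedAt, noticedAt: t };
    }
  }
  return { evictedAt, noticedAt: null };
}
```

With the constructed numbers (capacity 10000, 2 writes per second), a 7205-second poll only notices at second 7205 an eviction that happened at second 5000, while a 60-second poll keeps the token in the cache for the whole run.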
Changed in evergreen:
importance: Undecided → Medium
tags: added: angular angularjs authentication
Changed in evergreen:
assignee: nobody → Galen Charlton (gmc)
See also bug 1753565; changing session storage to Redis or PostgreSQL unlogged tables or anything that isn't competing with cover images and search results for cache storage may reduce or obviate the need for this.