enonic / xp

Enonic XP
https://enonic.com
GNU General Public License v3.0

Redirect to login page after session timeout #7981

Closed sgauruseu closed 4 years ago

sgauruseu commented 4 years ago

Case 1: Set session.timeout = 2 in com.enonic.xp.web.jetty.cfg, then restart XP.

  1. Log in to XP and navigate to Settings, for example.
  2. Wait for the session to expire.

Expected: Redirect to login page after session timeout.
Actual: New button is enabled, click on the button - wizard loads.

Type a name - Save button is enabled. Refresh the wizard in browser - Login Page loads.

Case 2: The same issue after you stop the server then restart it again.

Actual: Browse panel (previous session) is available, click on New button - New Content dialog loads.

rymsha commented 4 years ago

Case 1. Theoretically you need to wait an infinite amount of time to get the session expired, due to the status ping. Need a better explanation.

Case 2. Is less valuable as servers don't get restarted often in production (currently).

Either way, fixing this bug would prevent us from correctly implementing #7924 and #7529.

sigdestad commented 4 years ago

Not entirely correct, the session would time out if you are disconnected for a while. However, the ideal behavior should be discussed.

rymsha commented 4 years ago

@sgauruseu and I discussed it internally. The correct behavior may depend on the application: in CS it would be best to show a toast saying that the game is over and that it is best to copy-paste big parts of text somewhere else and relogin. In the Users app, due to its security nature and not so much work to lose, redirect to login is probably a good idea. The Applications app also doesn't do much about connection loss/session expiration, but maybe it is the least important one.

Anyway, XP can do little to nothing about how the frontend should proceed on connection or permission loss.

So, we agreed that @sgauruseu will file issues for improvements for each application individually.
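
The per-application handling discussed in this thread, sketched as an added example; it is not part of the thread and not Enonic XP code. The app keys, policy names, the `/login` URL, the injected `ui` object and the convention that a 401 response means an expired session are all assumptions.

```javascript
// Added illustration, not Enonic XP code. App keys, policy names, the
// login URL and the "401 means expired session" convention are assumptions.
const POLICY = new Map([
  ['content-studio', 'notify'], // unsaved text at stake: keep the page, warn the user
  ['users', 'redirect'],        // security-sensitive, little work to lose
  ['applications', 'redirect'],
]);

// Map the outcome of any backend call (status ping included) to a state.
function classify(result) {
  if (result.networkError) return 'connection-lost';
  if (result.status === 401) return 'session-expired';
  return 'ok';
}

// ui is injected so the guard also runs outside a browser:
// { disableActions(), toast(message), redirect(url) }
function createSessionGuard(appKey, ui, loginUrl = '/login') {
  let expired = false;
  return function onResult(result) {
    const state = classify(result);
    if (state === 'ok') return 'none';
    if (state === 'connection-lost') {
      // Recoverable: keep the page, the session may still be valid.
      ui.toast('Connection lost, retrying');
      return 'toast';
    }
    if (expired) return 'none'; // pings repeat; act on expiry only once
    expired = true;
    // Stop offering actions (such as "New") that the server will reject.
    ui.disableActions();
    // Unknown apps fall back to the stricter behaviour.
    if ((POLICY.get(appKey) ?? 'redirect') === 'redirect') {
      ui.redirect(loginUrl);
      return 'redirect';
    }
    ui.toast('Session expired. Copy unsaved text, then log in again.');
    return 'notify';
  };
}
```

Feeding every response, including the status ping's, through the guard means the UI reacts at the first 401 instead of staying interactive until a manual refresh.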