mikebronner / laravel-caffeine

Keeping Your Laravel Forms Awake.
https://genealabs.com/docs/laravel-caffeine/
MIT License

Expire when directly submit form after coming back #104

Closed royduin closed 6 months ago

royduin commented 5 years ago

Laravel Caffeine refreshes the CSRF token every drip-interval and refreshes the whole page when the session almost expires; outdated-drip-check-interval before. But... when I open the Laravel application, close my Macbook and go to sleep, then the next morning open my laptop and try to submit the form, I get the expired page. Maybe we can check on window focus and refresh the token? See: https://stackoverflow.com/questions/3478654/is-there-a-browser-event-for-the-window-getting-focus

If this is a good idea I could create a PR for this, but first I'd like to discuss whether it's a good or bad idea.

mikebronner commented 5 years ago

I would love a PR for this, if there is a way to elegantly handle the timeouts. I could see redirecting to the login page if the drip encounters a timed-out session.

barryvdh commented 5 years ago

Perhaps you could use something like this: https://github.com/ai/visibilityjs Which will trigger events also when returning from a background tab etc. Not sure if that fits your case (or a global case), but might help.

royduin commented 5 years ago

But what are we going to do when we get the focus event? A reload isn't always wanted, but it is needed in my use case; when we just switch tabs, the page would reload in that case.

Maybe @barryvdh's other suggestion (suggested on Slack): https://blog.alexmaccaw.com/javascript-wake-event is a better idea, because we're already counting for the outdated-drip-check-interval.

barryvdh commented 5 years ago

If the drip is not run in that interval (because of inactivity), you will need to redirect to the login page always, because the session is already expired.

mikebronner commented 5 years ago

@barryvdh Thanks for the suggestion, I will take a look at that. :)

@royduin I think that kind of logic goes beyond what I envisioned for this package. I think we should take it step-by-step and first just handle timed-out sessions.

I guess an option would be to show the login page in a popup, and then close the popup once logged in? That could provide the ability to preserve form data as we don't refresh or reload the timed-out page.

What is the user-flow you are proposing, @royduin ?

royduin commented 5 years ago

The session timeout when logged in isn't my problem, the CSRF expiration is. When I set session.lifetime to 10080 a user has to login again after 1 week. But with that session lifetime the CSRF token expires when going to sleep and opening up next morning; do they have a different lifetime?

mikebronner commented 5 years ago

@royduin Unless something changed, the CSRF should expire with the session. It is also recommended to keep the session lifetime as short as reasonably possible, to prevent abuse. I'm not completely clear on your exact use-case, but it sounds like there may be other issues and functionality involved that go beyond what this package is intended to do?

The only purpose of this package is to extend the session for long forms, so that they don't time out. Additional functionality like page reloads, etc. is not what this was meant for. Since I'm still unclear as to exactly what it is you're trying to achieve, could you list out each step of the user flow for me?

Sorry for all the additional inquiry, but unless I understand the problem, I can't be very helpful in working toward a solution. My current understanding of the problem is this:

  1. User shops on your site, adds things to shopping-cart.
  2. The user doesn't follow through before the session times out.
  3. The shopping cart content is lost.

Does that sum it up correctly? Are you using an e-commerce package, or something you created yourself? Is the shopping cart in the same domain as your site (not in a sub-domain or other cookie domain)? There are so many factors that can contribute to sessions timing out, it's almost impossible to debug like this.

I think it would be helpful first to identify why your cart session is timing out (CSRF token is the same as the session, unless you are doing something differently), and fix that issue first. After that, it would be feasible that this package would work for you.

royduin commented 5 years ago

Thanks for helping out @mikebronner; it's just a Laravel web application where users can login. Having the login page open, closing your laptop and opening it the next morning and trying to login results in a CSRF token expiration / session timeout. To reproduce:

  1. laravel new caffeinetest
  2. Setup a database and change the credentials in the .env
  3. Change SESSION_LIFETIME to 1440 in the .env
  4. php artisan make:auth
  5. php artisan migrate
  6. composer require genealabs/laravel-caffeine
  7. Open /login in a browser and close your laptop
  8. Go to sleep
  9. Wake up, open your laptop and login directly

mikebronner commented 5 years ago

Thanks @royduin for clarifying. Yes, I believe we can implement that functionality. Let me take a stab at it this weekend. Here are my thoughts on the process:

  1. Perform the drip as per usual.
  2. Inspect the response for HTTP status code provided when session times out.
  3. If timeout found to have occurred, refresh current page. The auth middleware should catch this and redirect to login page, then redirect back after logging in.
  4. The drip will resume as per usual, since the session has been re-established.

If you would like to take a stab at this with a PR, that would be great. If not, I will probably start looking at this (and other issues opened on this project recently) this weekend. :)
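
An added example in JavaScript (not laravel-caffeine's own code, and not something anyone in this thread posted) that combines the two ideas discussed above: the wake detection from the timer-gap trick linked earlier in the thread (timers stop firing while a laptop sleeps, so a check that runs every few seconds can spot a far-too-large gap between ticks), and the drip, inspect the response, reload-on-timeout flow outlined in the four steps. The drip endpoint path, treating 401 and a redirect landing on /login as "expired", and the interval values are my assumptions; 419 is the status Laravel returns for an expired CSRF token.

```javascript
// Added example, not laravel-caffeine's own code. Combines:
//  (1) wake detection: timers do not fire while a laptop sleeps, so a
//      check that runs every few seconds can spot a far-too-large gap
//      between ticks and treat it as "we just woke up";
//  (2) the proposed drip flow: perform the drip, inspect the response for
//      a timed-out session, and reload the page so the auth middleware
//      redirects to login and back.

// Assumptions (not from the package): the drip endpoint path, the 419
// status Laravel returns for an expired CSRF token, 401 for an
// unauthenticated request, and a redirect landing on /login meaning the
// session is gone.
const DRIP_URL = '/genealabs/laravel-caffeine/drip'; // hypothetical path
const DRIP_INTERVAL_MS = 5 * 60 * 1000;  // normal keep-alive drip interval
const WAKE_CHECK_MS = 10 * 1000;         // how often the wake detector runs
const WAKE_TOLERANCE_MS = 20 * 1000;     // gap beyond the check period that counts as sleep

// Pure check used by the wake detector: did this tick arrive much later
// than scheduled? A normal busy tab drifts by milliseconds, not minutes.
function sleptSince(lastTickMs, nowMs, checkMs = WAKE_CHECK_MS, toleranceMs = WAKE_TOLERANCE_MS) {
  return nowMs - lastTickMs > checkMs + toleranceMs;
}

// Pure classification of a drip response: 'ok', 'expired' or 'error'.
// finalUrl is fetch's response.url after any redirects were followed.
function dripOutcome(status, finalUrl = '') {
  if (status === 419 || status === 401) return 'expired';   // CSRF mismatch / not logged in
  if (/\/login(\?|#|$)/.test(finalUrl)) return 'expired';   // bounced to the login page
  if (status >= 200 && status < 300) return 'ok';
  return 'error';                                           // server/network trouble, retry later
}

// One drip: POST with the current CSRF token and the session cookie.
// fetchImpl is injected so the function can be exercised without a browser.
async function drip(fetchImpl, csrfToken) {
  try {
    const res = await fetchImpl(DRIP_URL, {
      method: 'POST',
      credentials: 'same-origin',
      headers: { 'X-CSRF-TOKEN': csrfToken, 'X-Requested-With': 'XMLHttpRequest' },
    });
    return dripOutcome(res.status, res.url || '');
  } catch (_) {
    return 'error'; // being offline right after wake-up is common; never reload on that
  }
}

// Wire it up in a browser window: regular drips plus an immediate drip on
// wake. On 'expired' we reload, letting the auth middleware send the user
// to login and back; whatever is typed into a form on the page is lost at
// that point, which is the trade-off discussed in this thread.
function startCaffeine(win) {
  const csrfToken = () =>
    win.document.querySelector('meta[name="csrf-token"]')?.getAttribute('content') ?? '';
  const runDrip = async () => {
    const outcome = await drip(win.fetch.bind(win), csrfToken());
    if (outcome === 'expired') win.location.reload();
    return outcome;
  };

  let lastTick = Date.now();
  const wakeTimer = win.setInterval(() => {
    const now = Date.now();
    if (sleptSince(lastTick, now)) runDrip(); // woke up: verify the session right away
    lastTick = now;
  }, WAKE_CHECK_MS);
  const dripTimer = win.setInterval(runDrip, DRIP_INTERVAL_MS);

  // Returns a stop function so a single-page app can tear the timers down.
  return () => { win.clearInterval(wakeTimer); win.clearInterval(dripTimer); };
}

// Only start the timers when actually running in a browser.
if (typeof window !== 'undefined') startCaffeine(window);
```

The wake check only triggers an immediate drip; it never reloads by itself, so a brief tab switch or a short sleep with a still-valid session causes no visible change. A network error right after waking is classified as 'error' rather than 'expired', because reloading on a transient failure would throw away the user's form for nothing.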

mikebronner commented 6 months ago

This may be addressed in the latest version. Closing for now.