ministryofjustice / analytical-platform

Analytical Platform • This repository is defined and managed in Terraform
https://docs.analytical-platform.service.justice.gov.uk
MIT License

🐞 Control Panel "There is a problem with your session" page #4572

Closed michaeljcollinsuk closed 2 months ago

michaeljcollinsuk commented 3 months ago

Describe the bug.

When a user logs in to the Control Panel, their session length is 1 hour. When this expires, they are redirected to a page that states there is a problem with their session, with a link to "reset your session".

To Reproduce

  1. Log in to control panel
  2. Wait an hour....
  3. Refresh your page

Expected Behaviour

This information is not accurate - there is no "problem" with the session, it has simply expired. Therefore, as a minimum, the text on this page should be updated to more accurately reflect the issue, e.g. "Your session has expired, please click here to log back in".

However, now that the MFA requirement was disabled in https://github.com/ministryofjustice/analytical-platform/issues/4557 we may have the opportunity to now implement a session refresh mechanism, so that we log the user back in programmatically, removing the need for the redirect. We should be able to limit this "session refresh" to a set time period (e.g. 12 hours) before we then redirect the user, and prompt them to manually log back in.

Additional context

Some further reading: https://auth0.com/docs/secure/tokens/refresh-tokens https://auth0.com/blog/balance-user-experience-and-security-to-retain-customers/
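The refresh policy sketched in the issue (a 1 hour session that is renewed silently, capped by an absolute limit of 12 hours since the interactive login, after which the user is sent to a clear "session has expired" page) can be written down as a small decision function. The code below is an added illustration, not code from the Control Panel or from this repository; the `Session` shape, the `apply`/`simulate` helpers and the login time are constructed for the example, and the call to the identity provider that would exchange a refresh token for a new session is a placeholder.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum

# Values taken from the issue: current session length and the proposed cap on
# silent refreshes measured from the user's last interactive login.
SESSION_LENGTH = timedelta(hours=1)
ABSOLUTE_LIMIT = timedelta(hours=12)

# Wording proposed in the issue for the page users see once refresh is no longer allowed.
EXPIRED_MESSAGE = "Your session has expired, please click here to log back in."


class Action(Enum):
    CONTINUE = "continue"              # session still valid, nothing to do
    REFRESH = "refresh"                # expired, but within the absolute limit: renew silently
    REAUTHENTICATE = "reauthenticate"  # absolute limit reached (or no refresh token): log in again


@dataclass
class Session:
    """Hypothetical session record; the real Control Panel session may differ."""
    authenticated_at: datetime   # last interactive login (never moved by a refresh)
    refreshed_at: datetime       # when the current session was issued or last renewed
    has_refresh_token: bool = True


def decide(session, now, session_length=SESSION_LENGTH, absolute_limit=ABSOLUTE_LIMIT):
    """Pick the action for a request arriving at `now`.

    The absolute limit is checked first so that repeated refreshes can never extend
    a login indefinitely; the sliding session length is only consulted inside it.
    """
    if now - session.authenticated_at >= absolute_limit:
        return Action.REAUTHENTICATE
    if now - session.refreshed_at < session_length:
        return Action.CONTINUE
    if session.has_refresh_token:
        return Action.REFRESH
    return Action.REAUTHENTICATE


def apply(session, now):
    """Apply the decision. Returns (new_session_or_None, action, message_for_user)."""
    action = decide(session, now)
    if action is Action.REFRESH:
        # Placeholder for the refresh-token exchange with the identity provider.
        # Only refreshed_at moves; authenticated_at stays so the 12 hour cap still applies.
        return Session(session.authenticated_at, now, session.has_refresh_token), action, None
    if action is Action.REAUTHENTICATE:
        return None, action, EXPIRED_MESSAGE
    return session, action, None


def decide_minutes(since_login, since_refresh, has_refresh_token=True):
    """Convenience wrapper: decision for a request `since_login` / `since_refresh` minutes on."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed login time
    session = Session(t0, t0 + timedelta(minutes=since_login - since_refresh), has_refresh_token)
    return decide(session, t0 + timedelta(minutes=since_login)).value


def simulate(check_times_minutes):
    """Replay a login at minute 0 and return the action taken at each later check."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed login time
    session = Session(authenticated_at=t0, refreshed_at=t0)
    results = []
    for minutes in check_times_minutes:
        if session is None:
            # Once the user has been sent to the login page there is nothing to refresh.
            results.append(Action.REAUTHENTICATE.value)
            continue
        session, action, _ = apply(session, t0 + timedelta(minutes=minutes))
        results.append(action.value)
    return results


if __name__ == "__main__":
    for minutes, outcome in zip([30, 61, 90, 125, 720], simulate([30, 61, 90, 125, 720])):
        print(f"t+{minutes:4d} min: {outcome}")
```

The ordering inside `decide` is the part worth keeping: checking the absolute limit before the sliding window is what turns "refresh on expiry" into "refresh for at most 12 hours", and keeping `authenticated_at` fixed across refreshes is what makes that limit enforceable.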

darren1988 commented 2 months ago

Some useful (or maybe not) info to help with this task:

The MoJ Forms team carried out a spike back in early 2023 to explore this issue within their platform. The outcome of the spike is here:

https://docs.google.com/document/d/1krDU9yWu6Z_7NiJaY3vvDvOEzod0M01y-QmrScJg_p4/edit#heading=h.h535t4wxxj10

The team implemented option 3a. A link to the figma designs is here: https://www.figma.com/design/t0e1WcBWPonQeEO33QJC6n/MoJ-Forms?node-id=5569-40361&t=GXgDTD3Ta5KpYqZc-0

I was pretty sure that this approach was signed off by cyber but I can't seem to find the email. I'll reach out to Matt Tei who was the TA at the time.

jamesstottmoj commented 2 months ago

Page has been updated to inform that the session has expired. Session length updated to 12 hours