Open kevinmoilar opened 3 years ago
In my opinion, if a timeout of that sort does occur it should hard-redirect back to the IDP, avoiding the 'error' dialog. Next to that (personal observation), clicking away the error popup still lets you see the content of the WP site. This should not happen.
@Glowsome so I haven't seen only the modal popup version of the session timeout occur; I have seen the full page redirect to the login page occur. Although I think this may depend on whether you have Button or Auto SSO configured. I will say that just automatically redirecting users is not good because there is no way to display a message to the user to inform them of why they were just redirected to the IDP. I'm open to a revision of the error message, but ultimately not everyone is going to be happy with the error message text, so providing a filter might be best for those that want it to be something different.
@timnolte I, on my end, have the auto SSO login option configured. However, if I had logged in (as a user who has admin privileges) and just had, like (in my case), the plugin config page open, it will spawn the popup that my authentication has gone away and I need to re-auth. However, if I were to forcefully click the [x] on the popup, it will allow me to view the data it provides.
IMHO this is unwanted behaviour, so to get back to the issue: when a timeout does occur one should be forcefully redirected to the IDP for re-auth, not shown potentially sensitive data.
So I can see ensuring a redirect to the WordPress login screen but no application that I have used with SSO, and an IDP, just automatically redirects the user to the IDP without warning. The application that has been logged into should inform the user that their session has timed out and that they must re-authenticate.
I would also say that being logged into a WordPress site as an admin and just walking away and expecting session timeout and redirection is a bad practice. If you are worried about plugin settings being exposed you should be doing your work and logging out.
Also, if you are walking away from your computer without locking your screen that is also a bad security practice.
I'm also pretty sure that WordPress is presenting the modal popup re-authentication because there is unsaved work on that screen that it is giving the user an opportunity to be able to re-authenticate without losing their in progress work.
@timnolte with all the above arguments I can agree, still this doesn't secure the specific case given. In this, all arguments given are reflected against the 'human' factor. This, from my point of view, makes results (depending on the user) unreliable, and opens the gate to unwanted manipulation.
I'm not so sure about "unwanted manipulation" as someone wouldn't be able to make edits as any submission of a screen, after closing the pop-up, would fail due to WordPress session checks. I'll also point out that this has nothing to do with the functionality of this plugin as that behavior is all how WordPress Core works out-of-the-box.
The part about unwanted/unsolicited manipulation is opened when an IDP session is (still) active over the timeout of re-authentication on the application side, meaning when the popup does occur in/on WP. On the one hand, if a session exists (and has not timed out) it should not produce the popup, but should redirect me back to the IDP to adequately let me re-auth, and then send me back to the page I was on. On the other hand, if the timeout occurred at the IDP, this means that any means of access to information (regardless of a popup stating my session has expired) should redirect me back to the IDP for re-auth, and should never leave me on the page in WP I am on just because I was there, exposing all settings.
The plugin throws an error if the user session expires. This is expected behavior from openid-connect-generic-dev/includes/openid-connect-generic-client-wrapper.php, but users think they did something wrong because it says "Error". It might be good if the word "Error" did not appear on the screen that is correctly informing users that (and why) they need to log in again.