Fixes Session timeout error #2896 and #2897 #2898
Conversation
…ect_home_on_session_expiration
Reload approach seems more user friendly as it handles loading of publicly available albums better Also removed unnecessary log calls
* improve version wording * Update resources/views/install/requirements.blade.php Co-authored-by: Martin Stone <1611702+d7415@users.noreply.github.com> --------- Co-authored-by: Martin Stone <1611702+d7415@users.noreply.github.com>
…eeOrg#2877) --------- Co-authored-by: Martin Stone <1611702+d7415@users.noreply.github.com>
Handled translation string according to comment from reviewer
| @@ -11,8 +22,12 @@ const AxiosConfig = { | |||
| axios.interceptors.request.use( | |||
| // @ts-expect-error | |||
| function (config: AxiosRequestConfig) { | |||
| const token = CSRF.get(); | |||
| (config.headers as AxiosRequestHeaders)["X-XSRF-TOKEN"] = token; | |||
| try { | |||
There was a problem hiding this comment.
what error are you catching here ?
There was a problem hiding this comment.
It is the following error that I'm catching. Which happens after session has timed out. If we don't catch it then we get an uncaught exception in the browser console.
There was a problem hiding this comment.
Yep I saw that. I made quite a few changes to your implementation, can you check if that is working satisfactory for you ? :)
There was a problem hiding this comment.
Looks quite more like an elegant solution! :)
The try catch block in axios got me thinking. The cookie is set to expire with the session. As a result we can track this to know whether it has expired or not. Trigger a specific event which is capture by the Error page and display a modal instead of a default JS alert. This is UI and UX friendlier.
|
The Session Expired dialog appears even though user is not logged-in and tries to open a publicly available album. Is that the desired behaviour? |
|
At the moment, the user seems to be redirected to |
definitely not. |
|
Seeing the below errors when navigating to "Settings" |
|
That is so weird, because I do not have that same behaviour here. O.o |
|
Wait... Are you on http or https ? |
I'm on http |
|
So I see what you mean with the dialog popping up if you e.g. open an album while you spent too much time on the page... |
|
So I figured it out. The CSRF check is as follows: public function handle($request, Closure $next)
{
if (
$this->isReading($request) ||
$this->runningUnitTests() ||
$this->inExceptArray($request) ||
$this->tokensMatch($request)
) {
return tap($next($request), function ($response) use ($request) {
if ($this->shouldAddXsrfTokenCookie()) {
$this->addCookieToResponse($request, $response);
}
});
}
throw new TokenMismatchException('CSRF token mismatch.');
}The The function Following the code path, we see the two following important functions: protected function isReading($request)
{
return in_array($request->method(), ['HEAD', 'GET', 'OPTIONS']);
}and this (which previously was always used). protected function tokensMatch($request)
{
$token = $this->getTokenFromRequest($request);
return is_string($request->session()->token()) &&
is_string($token) &&
hash_equals($request->session()->token(), $token);
}Conclusion: GET, HEAD, and OPTION request do not require the XSRF token. But if your session times out, and try to access a protected folder you will get a 401. Note that your original middleware idea was leading to the same result as the behaviour you observed: triggering a error and refresh request but with the use of an extra cookie. Now the question: Should we have the XSRF token made mandatory for the GET requests of v6 or not? If not, then this requires a more difficult handling of 401 errors. |
|
@sancsin see latest commit, in the behavior change. :) |
Thanks for the detailed explanation. Really appreciate it. Now I understand a little better. I think the behaviour now is quite good even though the session timeout dialog is shown when the user is logged-out and tries to access public album. I don't know if you noticed though, with the cookie approach this issue was not there. |
I made a new commit as a suggestion to handle the cases where the SessionExpiredReload dialog was not closing when user clicks on Go to gallery button. |
ildyria
changed the title
Fixes #2896 and #2897 by providing clear feedback to the user. The fix does so by using a middleware that creates a cookie to compare the elapsed time since a user last logged-in and the session lifetime configuration setting. If elapsed time exceeds the session lifetime, a SessionExpiredException is thrown. This error is also caught in the front-end through axios interceptor to inform the user using an alert that the session has expired. Once the user clicks on "OK", the page reloads. Reloading page provides expected behaviour. For example, if the user clicks on an album that is public, the page will reload and the now guest user, will still be able to browse the public album. However, if the user clicks on an album that is not public, the page will reload and provide clear exception feedback to the user that they are not authorized to view the album/page since their session expired.
Another scenario that this fix provides better user experience for is when the user is on a navigated page that is provided through the left menu. Once the session expires and the now guest user tries to access any of the pages that they should not have access to, they are clearly provided with the session expired alert. Furthermore, the page reloads instead of showing errors that don't make sense for the user, such as the ones described in #2897.