010101 Even ticking the remember box, I got this logout too on desktop Chrome, not on Android. It can lead basic users to misunderstandings.

If you use the "remember me" feature, you will be logged out automatically after the same timeout, but the session will resume next time a request is made, effectively keeping you logged in. So you shouldn't experience a logout when checking "remember me".

As for the auto logout timeout, it was recently discussed here: https://discuss.flarum.org/d/21562-login-session-timeout

Unless Flarum periodically pings the backend, I don't really see an option to show you have been logged out. (Plus, pinging would keep your session alive, which might or might not be desirable). Pusher could be used, but that would also require a job in the backend to trigger when your session expires, which is not possible without setting up something like a cron job.

    clarkwinkelmann Got it. It’s not important. Just something I noticed. I definitely wouldn’t want something pinging all the time. Maybe. I don’t know. WordPress has their heartbeat pinger thing for drafts and revisions and stuff. I think some people hate it, some like it. Some created plugins to make the heartbeat ping less frequently. But, this isn’t WordPress. It’s just always the only other system I’m familiar with. But, I don’t like comparing Flarum to it. Yet I do. What a conundrum.

      • [deleted]

      010101 A case of familiarity breeds contempt? 🙂

      clarkwinkelmann I'm not sure we should add it to core though,

      In my opinion it should be a part of core, all that related to basic auth relies on core for me.

      It does kind of seem like a core issue, especially if time has lapsed and the forum still indicates you are logged in. Seems like the core should properly log out the user if no session is detected - this may already be happening, but the frontend doesn't reflect it

      On a dev forum, I frequent several accounts so "Remember me" isn't always a valid solution. Some would also consider this a security issue, since I believe certain data like notifications and recent threads in the affix sidebar are still exposed on a logged-out account. I'm almost certain this breaks the frontend logic for some extensions

      Edit: there's also an issue here on Discuss when attempting to browse threads in that state. Scrolling through posts, you can get hundreds of permission denied exceptions in a single topic alone, through casual scroll

        cmcjacob what we'd need in core is a way to know if the permission denied is because of permissions or because of a logout. Then if you attempt anything that requires being logged in, we should refresh and open the login page.

        If anyone has pointers to how other single page apps handle this, I'd love to take a look.

        cmcjacob Some would also consider this a security issue, since I believe certain data like notifications and recent threads in the affix sidebar are still exposed on a logged-out account

        It's true that some data is still available in the app until you refresh. But that's also true for any static page containing private data that you keep open in a tab. Most websites probably don't force a close/refresh of all existing tabs when the session expires in the background. My bank does that, but probably not many other websites.

          @clarkwinkelmann I too am interested in how this is handled in other standard SPAs. One idea is in the session middleware. If any client presents an invalid session token, maybe some event/soft "session expired" exception is fired to the frontend (or as you described, a more authentic Logged Out exception would work as well). This would indicate the client stops trying to make requests with incorrect info, deletes the session etc

          tankerkiller125 Most modern sites will accurately reflect your logged-in state after a new request, though. Instead, Flarum shows you are still logged in, and incorrectly assumes that user will permanently remain that way.

          I don't think this proposal is too ridiculous, this isn't "force logging out a tab" - your session is forcefully expired regardless. This is simply detecting an expired session when a new request is made, and the frontend updating itself to reflect the changed state. Flarum all-too-often tries to avoid state in every scenario, and this is an artifact of that practice. I believe there are extensions that would benefit from an accurate state, even if Flarum wants to pretend otherwise.

          Funny you mention banking, as I am working on precisely that.

          tankerkiller125 Yes I agree. High security oriented websites need that kinda paranoid logging out. I think Flarum should always keep us logged in if we check the Remember me check box. The cookie should never expire till we delete the browser cache. Imagine if we have multiple Flarum communities to manage and they keep on logging us out everywhere we switch on our computer or start our browser or even when we don't do both? Members will just stop signing in completely and become read-only members thereby greatly reducing participation. Flarum should be like a mobile app in the browser imho, login once and forget about it.

            nitaaikumar There's a huge difference in "paranoid logging out" and a frontend accurately representing the user's backend state.

            Here's something you can imagine: imagine Flarum actually telling you when you're logged out, instead of throwing thousands of errors when you resume to use the forum.

            I get the feeling the entire issue went over your head. Yes it's logical to assume the user is logged in. No, it's absolutely not logical to be unprepared for the event their session expires.

              cmcjacob I never said I am against "accurately representing the user's backend state" at all. Maybe I was wrong to talk about the benefits of "remember me" in this discussion which was about accurately representing the user's backend state. I thought it was on quite similar lines and it could offer an alternative solution to @010101 so I did. I also never replied to your posts telling you that I am against accurately representing the user's backend state or something like that. I just felt highlighting the awesome "remember me" and not diluting it should also be considered in this discussion but maybe I was wrong. We are open here in discussing all points of views and different angles of vision on a topic, aren't we?

              Just like your vision is about accurately representing the state, my vision is about doing that same thing without diluting the "remember me". I never said accurately representing the state is not needed. I have seen forum softwares remove the "remember me" to "harden security" as they say. So my concerns are valid in raising this point in this discussion. I am not assuming that anyone is trying to take away the "remember me" or afraid that it will happen or disrupting or contradicting anyone's views here. I am just expressing how beneficial it has been so far in the discussion started by @010101, which he has also appreciated himself. What is the harm in that?

              I was just adding to the discussion and the author @010101 also appreciated it. There may be a chance that sometimes in trying to "accurately representing the user's backend state", this superb present always-logged-in session-never-expiring functionality via the "remember me" check box may have a chance to get removed, affected, or diluted. I have seen some other forum softwares make you log in every single time at regular intervals to post and even more frequently to access their admin. I would not want that to happen to Flarum. It would make our lives so much more difficult. I was not only thinking about myself here, but also for all Flarum's admins, mods and even the regularly posting members imho. In fact it would be great if the admin would open in the same tab so that we don't have to toggle between tabs to manage the forum and post. Only this was my concern nothing else. But maybe it was out of place here. I will keep quiet now.

                nitaaikumar Thanks, I will need to read more into your language when I have the time. it's conflicting and confusing at best
                nothing I proposed would make your life more difficult. it's to fix errors

                not suggesting Flarum removes the "Remember me" option. read into the issue before assuming people are trying to take your session away from you and make lyf3 h4rd

                edit: this makes 3 times now you've edited your post. neither you nor OP offered a "solution" to this, this is an outstanding issue. I'll be happy to discuss it with people who understand it (preferably on issue tracker)
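
One way a single-page frontend can tell an expired session apart from a real permission denial and stop issuing requests once it knows, as discussed in the thread. This is an added example, not part of any post above and not Flarum's code; `createApiClient`, the error classes, the `/api/...` paths and the 401/403 convention are all assumptions.

```javascript
// Added example: hypothetical SPA API client, not Flarum's actual code.
// Assumption: the backend answers 401 when the session is no longer valid
// and 403 when the session is fine but the actor lacks permission.
class SessionExpiredError extends Error {}
class PermissionDeniedError extends Error {}

function createApiClient(fetchImpl, { onSessionExpired }) {
  const state = { loggedIn: true };

  async function request(path, { requiresAuth = false } = {}) {
    // Once the frontend knows the session is gone, do not send requests
    // that can only fail; this avoids a flood of errors while scrolling.
    if (requiresAuth && !state.loggedIn) {
      throw new SessionExpiredError(path);
    }
    const res = await fetchImpl(path, { credentials: 'same-origin' });
    if (res.status === 401) {
      if (state.loggedIn) {
        state.loggedIn = false; // frontend now mirrors the backend state
        onSessionExpired();     // fires once: drop cached private data, show login
      }
      throw new SessionExpiredError(path);
    }
    if (res.status === 403) {
      throw new PermissionDeniedError(path); // still logged in, just not allowed
    }
    return res.json();
  }

  return { request, state };
}

// Constructed stand-in for a backend so the example runs offline.
function makeFakeServer() {
  const server = { sessionValid: true, hits: 0 };
  server.fetch = async (path) => {
    server.hits += 1;
    const status = !server.sessionValid ? 401 : path === '/api/admin' ? 403 : 200;
    return { status, json: async () => ({ path }) };
  };
  return server;
}
```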