Fixes session issues and recursive auth/refresh

Sam Sehnert requested to merge features/auth_csrf_handling_improvemnts into master

Add CSRF cool-down, and improve inter-tab communication

What I did

  • Added debugging on events system for cross-tab session handling
  • Significantly improved CSRF token updating
  • Improved code commenting in site_js_view and session.js

Implications

Session timeouts should be much more tolerable.

Setup

No setup required.

How to test

The easiest way to test is to turn down your sess_expiration, sess_time_to_update, and csrf_expire settings in site/application/config/config.php. Log in to the system, open a couple of other tabs, and wait for the timeout.

All tabs should show a login box after the timeout, regardless of refresh order, AJAX calls, etc.

When you log in again, make sure to test logins before and after CSRF expiry, and ensure all tabs are now logged in correctly.

Task: {{link}}