Autologout can log out out from other tabs/windows

A proposed solution patch to this issue. See Proposed resolution section.

This is a good solution. But I think we should first merge one other issue, before applying this patch. Specifically talking about ✨ Use Drupal.dialog call instead of jQuery dialog RTBC in that issue @DeaOm didn't just replace the jQuery dialog with Drupal dialog but also refactored the code to use vanilla JS, it would be good to fully move away from jQuery.

And when that is merged refactor your code to also use vanilla JS. And yeah I agree about adding more tests. So for now I'll switch this to needs work.

Using localStorage makes sense to me to improve the cross tab handling of this module. What still is not working for me is the "refresh_only" setting.
Scenario:
- Configuration: timeout = 60 seconds, disable "Enforce auto logout on admin pages" (this forces the "refresh only" mode on admin pages).
- Open the homepage in a new tab - this is a front end page.
- Open a node edit form in a new tab - this is an admin page and should be set up to be "refresh only".
- Stay on the node edit form tab and do not move your mouse for 1 - 2 minutes.
- BUG: You are logged out on the tab with the front end homepage. The front-end homepage tab has it's JS settings configured to NOT be "refresh only" so it eventually times out.

Note with the 3395581 patch : If you are active on the node edit tab (move cursor, etc), then this works as expected and you remain logged in.

It seems like the new activity tracking (1.4+) does not properly consider the "refresh only" mode to keep you logged in.

follow up to my post #5:
I event attempted with activity on the node edit tab, and I still get logged out.

- Configuration: timeout = 120 seconds, disable "Enforce auto logout on admin pages" (this forces the "refresh only" mode on admin pages).
- Open the homepage in a new tab - this is a front end page.
- Open a node edit form in a new tab - this is an admin page and should be set up to be "refresh only".
- Stay on the node edit form tab and do something on the page for 3 minutes - move your mouse around, click into fields, enter content in CKEditor, etc.
- BUG: You are logged out on the tab with the front end homepage.

As there has been a update already and the patch made by @andersmosshall was not applying anymore I've rerolled the patch.

We would still have to wait for the other issue to land, but for now this will work for people who want to update to 1.5

While working with the patch applied we have noticed the following:

1. The popup does not appear on the admin theme.
2. The problem also occurs if you work on 2 Chrome windows. As soon as you have 2 windows open, you will only receive a notification in on of the windows and not the other, and you are logged out in the background.

Maybe we should look into JS SharedWorker for this?

We are also facing the same issue after upgrading to 2.0.0

Any suggestions?

Thanks for this, I've merged patch 7 into #3469258-24: Multiple dialogs open / have to click multiple times →
where I've added a description of the fix.

When the user does not select the 'Enforce auto logout on admin pages' option and leaves a window open on a non-configuration page, the system continues counting the time and logs out, even if the user is working on a configuration page in another window. To prevent this, I added this part to the code

 if (localSettings.refresh_only) {
        // On pages where user shouldn't be logged out, don't set the timer.
        localStorage.setItem('autologout_page_activity', 'true');
        t = setTimeout(keepAlive, localSettings.timeout);

which keeps the session active at all times while the user is on an administrative page.

The patch in #3395581-13 works but has two main issues:

Multiple Tabs: If the user has several tabs/windows open, the dialog may appear in an inactive tab while the last active tab isn't focused. This can cause confusion.

Switching Tabs: When switching tabs, the confirmLogout timer is triggered in the inactive tab, while the dialog appears in the active one. This creates inconsistent behavior.

Fixes:
document.hasFocus() is used to ensure dialogs only appear in focused tabs.
blur event clears the paddingTimer and destroys dialogs for inactive tabs.

Patch below may improve multi-tab handling.

I've been working with the patch from #15, the only thing i've noticed if you are browsing other sites it won't give you any warning at all. The rest seems to be working fine.

@arantxio

There is truth in your words, indeed. After more detailed testing, I concluded that the previous implementation of destroying the dialog if the page is inactive is a bad idea.

Reason for this modification:

Steps to Reproduce (STR):

1. Set Timeout padding to, for example, 45 seconds.
2. Set Timeout value in seconds to, for example, 120 seconds.
3. Open two tabs and remain inactive in both simultaneously.
4. Wait until the notification appears in both tabs.
5. In one of the tabs, click "Yes" to extend the session.
6. Monitor the other tab where the popup is still present. After 45 seconds, the user will be logged out, even though they were active in the other tab.

Cause:

The logout method is triggered if the user does not interact with the dialog. The logout, in turn, sends a request to the /autologout_ajax_logout or /autologout_alt_logout route, which ignores the last activity and logs the user out.

Solution:

1. Remove autologout_page_activity from localStorage according to the Timeout padding instead of after 30 seconds. I implemented this variant (issue fork).
2. Add a check in the altLogout/ajaxLogout route method, referencing the autologout_last value from the session. - This variant more complex

Made a few small changes (described above), can you use the patch or fork branch.

@arantxio
I'm not quite sure if I understood, '...i've noticed if you are browsing other sites it won't give you any warning at all...'.
What exactly did you mean (or expect) in this case (alert, Drupal message ...) ? Perhaps I misunderstood you.

I'm having an issue getting the patch in #19 to apply to the dev branch. Am I missing something? Does another patch need applied before this one?

@natefollmer I will take a look over the next few days. It is because the patch has some conflicts.

Thanks @usingsession!

@natefollmer I fixed the patch

Patch in #25 fixed our issue of getting logged out when having multiple windows open. Seems to be working great.

@natefollmer Thank you for the update. I’ve tested the patch in my environment, and I’m not encountering the mentioned JS error when clicking 'Yes' to keep the session active. Let me know if there's anything specific (role, autologout settings et.)

I wasn't able to track down exactly what was causing it. I just made a patch to comment out that line for my needs. It still seems to work without logging the time in the cookie. I believe that's a part of functionality we aren't using though, so I didn't want to upload the patch that would break something else :)

Edit: I can see the cookie in Chrome, but the JS cannot read/write to it. I suspect it's something in our set up.