Contrib.social

Autologout can log out out from other tabs/windows

Open on Drupal.org β†’
Created on 20 October 2023, 9 months ago
Updated 3 June 2024, 29 days ago

Problem/Motivation

When working in multiple tabs, inactivity will trigger logout in one tab even while appearing active in another.

Steps to reproduce

  1. Enable module as usual, and configure to logout after 60 seconds
  2. Open multiple browser tabs
  3. Keep you active in one tab (e.g. move the cursor in the document area of one tab)

Exected bahavior
As long as I am active in one tab I should be considered active on the site and not get logged out.

Actual behavior:
After some time the autologout modal will appear in one or many of the other tabs and will log you out.

Proposed resolution

Some intial work has been done in https://www.drupal.org/project/autologout/issues/3214958 πŸ› Autologout triggered in background tab, no indication in other open tabs Fixed that is closed and merged to dev branch. However since uactivity i set locally in each instance of the script (each tab) means that an inactive tab can send activity false to server side wich force set the time left to zero no matter if other tabs has been active and called the set timer ajax callback.(src/Controller/AutologoutController.php line 123)

Just removing the uactivity check on server side does not feel like a good option because there migth be a timing issue from when a tab is locally set as active until the script is posting the set timer ajax callback, between which an inactive tab might call and get a timer left zero response.

I have a proposed solution, setting an entry in local storage about user activity making it available in each tabs/windows for the site.
(A bonus add is also a minor improvment of the activity trigger adding also 'touchmove' eventlistener instead of only 'mousemove' in order to keep consistent behavior on mobile as well as desktop behavior).

Remaining tasks

  • Create sufficient automatic test I assume

User interface changes

API changes

Data model changes

πŸ› Bug report
Status

Needs work

Version

1.0

Component

Code

Created by

πŸ‡ΈπŸ‡ͺSweden andersmosshall

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

  • Issue created by @andersmosshall
  • Comment 9 months ago β†’
    πŸ‡ΈπŸ‡ͺSweden andersmosshall

    A proposed solution patch to this issue. See Proposed resolution section.

  • First commit to issue fork.
  • Status changed to Needs work 8 months ago
  • Comment 8 months ago β†’
    admirlju

    This is a good solution. But I think we should first merge one other issue, before applying this patch. Specifically talking about ✨ Use Drupal.dialog call instead of jQuery dialog RTBC in that issue @DeaOm didn't just replace the jQuery dialog with Drupal dialog but also refactored the code to use vanilla JS, it would be good to fully move away from jQuery.

    And when that is merged refactor your code to also use vanilla JS. And yeah I agree about adding more tests. So for now I'll switch this to needs work.

  • Comment 3 months ago β†’
    πŸ‡ΊπŸ‡ΈUnited States recrit

    Using localStorage makes sense to me to improve the cross tab handling of this module. What still is not working for me is the "refresh_only" setting.
    Scenario:
    - Configuration: timeout = 60 seconds, disable "Enforce auto logout on admin pages" (this forces the "refresh only" mode on admin pages).
    - Open the homepage in a new tab - this is a front end page.
    - Open a node edit form in a new tab - this is an admin page and should be set up to be "refresh only".
    - Stay on the node edit form tab and do not move your mouse for 1 - 2 minutes.
    - BUG: You are logged out on the tab with the front end homepage. The front-end homepage tab has it's JS settings configured to NOT be "refresh only" so it eventually times out.

    Note with the 3395581 patch : If you are active on the node edit tab (move cursor, etc), then this works as expected and you remain logged in.

    It seems like the new activity tracking (1.4+) does not properly consider the "refresh only" mode to keep you logged in.

  • Comment 3 months ago β†’
    πŸ‡ΊπŸ‡ΈUnited States recrit

    follow up to my post #5:
    I event attempted with activity on the node edit tab, and I still get logged out.

    - Configuration: timeout = 120 seconds, disable "Enforce auto logout on admin pages" (this forces the "refresh only" mode on admin pages).
    - Open the homepage in a new tab - this is a front end page.
    - Open a node edit form in a new tab - this is an admin page and should be set up to be "refresh only".
    - Stay on the node edit form tab and do something on the page for 3 minutes - move your mouse around, click into fields, enter content in CKEditor, etc.
    - BUG: You are logged out on the tab with the front end homepage.

  • Comment 29 days ago β†’
    πŸ‡³πŸ‡±Netherlands Arantxio Dordrecht

    As there has been a update already and the patch made by @andersmosshall was not applying anymore I've rerolled the patch.

    We would still have to wait for the other issue to land, but for now this will work for people who want to update to 1.5

contrib.social Blog FAQ Discussions
Production build 0.69.0 2024