[14.0][FIX] auth_session_timeout: session does not expire on page refresh #535

Merged
merged 2 commits into from
Feb 16, 2024


thomaspaulb
Contributor

We ran into a problem whereby:

  • Timeout is set to 5 seconds
  • Regular RPC calls cause a session timeout
  • Page refresh does not trigger session timeout

This is a regression since #269, because when the page is refreshed with F5, it calls /web, which is a public route, so it does not trigger the session check but it does trigger session save, which updates the file mtime. When a second HTTP call makes the check take place, the session is seen as not expired, and this can repeat indefinitely.

An earlier incarnation of this bug made us come up with this patch - before this patch, it could happen that request.env.user was not filled so the session timeout check was not done, but the session was saved, so the same conundrum could happen.

This PR contains:

  • A forward port of the latter patch
  • A fix for the new problem, in which we don't check for auth_method != 'user', but for the session uid to be the public user. If it's the public user, the session won't expire.

@dreispt @lmignon @sbidoul
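
Added example (not code from this PR or from auth_session_timeout): a minimal Python model of the behaviour described in the PR description above, where a request to a public route saves the session without checking it, next to the uid-based check. The names `Session`, `handle_request`, `replay`, the `PUBLIC_UID` value and the request trace are assumptions constructed for the illustration.

```python
from dataclasses import dataclass

TIMEOUT = 5       # seconds, the value used in the report
PUBLIC_UID = 0    # assumed placeholder id standing in for the public user


@dataclass
class Session:
    uid: int
    mtime: float          # stands in for the session file's mtime
    expired: bool = False


def handle_request(session, now, route_is_public, fixed):
    """Process one request at time `now`; return True if it was served."""
    if fixed:
        # Fixed behaviour: decide from the session uid, not the route's auth method.
        must_check = session.uid != PUBLIC_UID
    else:
        # Regressed behaviour: public routes such as /web skip the check.
        must_check = not route_is_public
    if must_check and now - session.mtime > TIMEOUT:
        session.expired = True
        return False      # session is dropped, nothing is saved
    session.mtime = now   # session save refreshes the mtime
    return True


def replay(requests, fixed, uid=7):
    """Replay (time, route_is_public) pairs against a session created at t=0."""
    session = Session(uid=uid, mtime=0.0)
    results = []
    for now, route_is_public in requests:
        served = (not session.expired
                  and handle_request(session, now, route_is_public, fixed))
        results.append(served)
    return results


# Constructed trace: 60 s idle, F5 hits /web (public), then an RPC call.
REFRESH_THEN_RPC = [(60, True), (61, False)]

if __name__ == "__main__":
    print("regressed:", replay(REFRESH_THEN_RPC, fixed=False))
    print("fixed:    ", replay(REFRESH_THEN_RPC, fixed=True))
```

In the regressed run the stale session survives both requests because the /web hit resets the mtime before the RPC check; a useful regression test for this kind of timeout asserts expiry on the first request after the idle period regardless of which route it hits.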

gfcapalbo and others added 2 commits July 2, 2023 17:20
…, but /web is a public route, so it does not trigger the session check but it does trigger session save, so the file mtime is updated before the second HTTP call makes the check take place, and session is not expired

github-actions bot commented Nov 5, 2023

There hasn't been any activity on this pull request in the past 4 months, so it has been marked as stale and it will be closed automatically if no further activity occurs in the next 30 days.
If you want this PR to never become stale, please ask a PSC member to apply the "no stale" label.

@github-actions github-actions bot added the stale PR/Issue without recent activity, it'll be soon closed automatically. label Nov 5, 2023
@dreispt dreispt removed the stale PR/Issue without recent activity, it'll be soon closed automatically. label Nov 6, 2023
Member

@dreispt dreispt left a comment

LGTM

@thomaspaulb
Contributor Author

Fasttracking since it's already part of #507 and merged there as well

/ocabot merge patch

@OCA-git-bot
Contributor

This PR looks fantastic, let's merge it!
Prepared branch 14.0-ocabot-merge-pr-535-by-thomaspaulb-bump-patch, awaiting test results.

@OCA-git-bot OCA-git-bot merged commit f5ad46c into OCA:14.0 Feb 16, 2024
2 checks passed
@OCA-git-bot
Contributor

Congratulations, your PR was merged at a0ff28d. Thanks a lot for contributing to OCA. ❤️
