Wildbook icon indicating copy to clipboard operation
Wildbook copied to clipboard
verified publisher icon WildMeOrg

JSP/JavaScript Modal Timeout Inaccurately Uses Timer Rather than Session Check

Open JasonWildMe opened this issue 1 year ago • 6 comments

Expected Behavior The timeout model popup (JSP/Javascript version) should only warn users of an upcoming/past Session timeout by checking the actual server-side Session timer, which can be affected by any user request, esepcially those coming from multi-tab browsing by the user.

Current Behavior The current JSP/Javascript model uses a simple countdown timer, which means any session extension coming from a different tab is ignored. In multi-tab use of Wildbook, this means that multiple tabs can run through the timer and incorrectly report a session timeout (forcing a lot of user clicking to clear) while the session is still quite active. Using a timer also forces the use of an unncessary configuration value of commonConfiguration.properties of sessionCountdownTime. This can be removed as it has no real effect on the actual remaining session time or the actual value defined in web.xml.

Testing Notes Easiest way to test is to keep one tab active with user requests while other tabs remainin inactive. The goal is to ensure those other tabs never display a session timeout warning unless the actual server-side Session is approaching timeout or has timed out.

JasonWildMe avatar Nov 02 '24 19:11 JasonWildMe

React needs to use server-side session timer too.

erinz2020 avatar Nov 05 '24 20:11 erinz2020

i will investigate whether or not tomcat can send expiration info as a header.

naknomum avatar Feb 05 '25 18:02 naknomum

proposed header from backend: seconds left in session i will investigate how difficult this is to add to as many endpoints/tomcat calls as possible.

naknomum avatar Mar 24 '25 20:03 naknomum

Here's the support post that calls out timeout windows not showing up in react pages, only in jsp ones: https://community.wildme.org/t/session-timeout-no-longer-working-in-wild-north/3275

goddesswarship avatar Mar 25 '25 17:03 goddesswarship

Removed from 10.7 after research and discussion. (naknomum to add a few notes from discussion below.)

vkirkl avatar Mar 26 '25 14:03 vkirkl

there are some issues to be worked out, some more complex than others, hence the decision to dedicate more time to this in a future release. among considerations:

  • there appears to be no way, in tomcat/java, to easily query for the time remaining in the user's current session without extending the session to its full expiration - this is the main blocker as it effectively would extend the session indefinitely if we query for status
  • there is also (based on above) issues with what the react code is currently doing -- polling every minute to see if the user is logged in. as this code was written prior to the discovery of the item above, it was not known that this was also likely extending the session indefinitely (when a react page is open/active)
  • need choose a frontend method for storing session state, once we can derive it, across tabs -- likely using localStorage or a cookie

naknomum avatar Mar 26 '25 16:03 naknomum