
Redirect to same page in case of session timeout

Open daniel-rikowski opened this issue 3 years ago • 0 comments

Environment

  • Ruby 3.1.2 (Win64)
  • Rails 7.0.4
  • Devise 4.8.1

Current behavior

When a session timeout occurs, the failure app performs a redirect. But unlike all other errors it redirects to the originally requested page instead of the sign-in page.

Here is the code which specifically uses the attempted url and only uses scope_url as fallback.

https://github.com/heartcombo/devise/blob/6d32d2447cc0f3739d9732246b5a5bde98d9e032/lib/devise/failure_app.rb#L115-L129

From my observations the flow looks like this:

  1. User is signed in and then does nothing until the session timeout is reached.
  2. User clicks on a link, let's say /home
  3. The Timeoutable module detects the session timeout and signs out the user.
  4. The failure app takes over, discovers the timeout and redirects to /home again
  5. Then it is up to the surrounding application to show an error message or perhaps redirect to the sign-in page.

But the auto-generated Devise initializer says otherwise:

https://github.com/heartcombo/devise/blob/8593801130f2df94a50863b5db535c272b00efe1/lib/generators/templates/devise.rb#L188-L191

"the user will be asked for credentials again" -> This is not the case, at least not in the current implementation.

Ironically there is an old Wiki article on how to achieve that exact behaviour: How To: Do not redirect to login page after session timeout https://github.com/heartcombo/devise/wiki/How-To:-Do-not-redirect-to-login-page-after-session-timeout

Expected behavior

I'm not quite sure...

On one hand the current behaviour is useful for pages which don't require a current user. There it makes sense to just redirect to the current page and - if desired - let some user-defined authorization framework handle the problem. On the other hand the same could be argued for other FailureApp cases: Just update the flash, redirect to the current page and cede all further redirection to the Rails application and some authorization framework.

At least the documentation should be fixed. The comment in the initializer template is plain wrong. Additionally the code comments for Devise::FailureApp and the wiki article give the wrong impression and might throw off new developers.

daniel-rikowski, Sep 10 '22 15:09
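The two redirect policies the issue contrasts, side by side, as an added illustration that is not Devise's code and not part of the post above. `FailedRequest`, `RedirectPolicy` and the sample paths are assumptions standing in for the Rack request and Warden options the real `Devise::FailureApp#redirect_url` reads; the GET-versus-referrer detail in `current` is this editor's reading of the linked failure_app.rb lines, not something the issue states.

```ruby
# Stand-alone model of the redirect choice made after Timeoutable has signed
# the user out. Not Devise's code: FailedRequest is an assumed stand-in for the
# Rack request plus Warden options, and all paths below are constructed samples.
FailedRequest = Struct.new(:http_method, :fullpath, :referrer, :warden_message,
                           keyword_init: true) do
  def get?
    http_method == "GET"
  end
end

class RedirectPolicy
  def initialize(scope_url:)
    @scope_url = scope_url # sign-in page for the scope, e.g. /users/sign_in
  end

  # Behaviour the issue describes for the linked lines: only a :timeout
  # failure prefers the attempted URL (GET) or the referrer (other methods);
  # scope_url is merely the fallback when neither is available.
  def current(req)
    return @scope_url unless req.warden_message == :timeout

    path = req.get? ? req.fullpath : req.referrer
    path || @scope_url
  end

  # Behaviour the initializer comment promises ("asked for credentials
  # again"): a timeout lands on the sign-in page like every other failure.
  # In a real app this is what a Devise::FailureApp subclass would override.
  def ask_for_credentials(_req)
    @scope_url
  end
end

SIGN_IN = "/users/sign_in".freeze

# Constructed sample requests covering the cases that differ between policies.
SAMPLES = {
  timeout_get: FailedRequest.new(http_method: "GET", fullpath: "/home",
                                 referrer: nil, warden_message: :timeout),
  timeout_post: FailedRequest.new(http_method: "POST", fullpath: "/posts",
                                  referrer: "/posts/new", warden_message: :timeout),
  timeout_no_path: FailedRequest.new(http_method: "POST", fullpath: "/posts",
                                     referrer: nil, warden_message: :timeout),
  unauthenticated: FailedRequest.new(http_method: "GET", fullpath: "/home",
                                     referrer: nil, warden_message: :unauthenticated)
}.freeze

# Returns { case => [target under current behaviour, target under the promised
# behaviour] } so the two policies can be compared on the same inputs.
def compare_policies(samples = SAMPLES, scope_url = SIGN_IN)
  policy = RedirectPolicy.new(scope_url: scope_url)
  samples.transform_values { |req| [policy.current(req), policy.ask_for_credentials(req)] }
end

if __FILE__ == $PROGRAM_NAME
  compare_policies.each do |name, (current, promised)|
    puts format("%-16s current -> %-14s promised -> %s", name, current, promised)
  end
end
```

Only the three `:timeout` rows differ between the columns, which is exactly the gap between the code and the initializer comment that the issue points out; the `timeout_no_path` row shows the one timeout case where the current code does reach the sign-in page. To get the second column in a real application, the usual route is a subclass of `Devise::FailureApp` that overrides `redirect_url` and is registered through the `config.warden` block in the Devise initializer.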