
Redirect to login screen in all open browser tabs when session of WebGUI becomes invalid

Open Monviech opened this issue 1 year ago • 3 comments

Important notices

Before you add a new report, we ask you kindly to acknowledge the following:

  • [x] I have read the contributing guidelines at https://github.com/opnsense/core/blob/master/CONTRIBUTING.md
  • [x] I am convinced that my issue is new after having checked both open and closed issues at https://github.com/opnsense/core/issues?q=is%3Aissue

Is your feature request related to a problem? Please describe.

  • Open a Browser
  • Log in, go to /ui/core/dashboard or any other page (but dashboard shows it clearer)
  • Open another browser tab, go to "Lobby/Logout"
  • You get logged out in that tab, but the /ui/core/dashboard in the other tab remains open.
  • The CSRF Token is now invalid and all widgets fail to load while the dashboard (or any other site) remains open. All user interaction that depends on the API fails until a refresh and a log in.

Describe the solution you like

When the session of a user becomes invalid, there should be a forced refresh or some other mechanism to redirect them back to the login screen, in all Browser Tabs the user has open.

Describe alternatives you considered

Leaving it as it is since it's not that big of a deal, it can just be confusing when it happens. Maybe it's more obvious when people want to run the Dashboard on a big screen for long periods of time and suddenly it starts to fail. A refresh reveals the session has become invalid.

Monviech, Jul 30 '24 17:07

We might think of a generic solution by trapping requests, but there will be downsides of redirecting to the login page automatically as well. So far this hasn't been a huge issue, but it's good to keep a ticket open to discuss options.

AdSchellevis, Jul 30 '24 19:07

I don't have experience with how these things usually work.

But I imagine some kind of watchdog. It will try to reach an API every minute or so that is always accessible for any user, and when that fails it retries a few times before it catches the error and shows a bootstrap dialog.

"The Login session has expired." With a button that will refresh the current page when pressed, and a button to cancel the dialog. (So there is no forceful redirect.)

Monviech, Jul 31 '24 06:07

Poll works indeed, but creates a constant load; using the requests being fired is likely also an option, a bit like how error handlers currently work (ajaxError, which is just a hook inside jQuery to trap all ajax events fired using jQuery):

https://github.com/opnsense/core/blob/d2ef070687d1a4077a818211db4ffd6a5eab69f6/src/opnsense/mvc/app/views/layouts/default.volt#L52-L67

The polishing part is likely the annoying bit here, I expect quite some edge cases, which makes this a bit less high on my priority list.

AdSchellevis, Jul 31 '24 06:07
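
The request-trapping idea from the comments above, sketched as an added example (not OPNsense code and not written by either participant): it watches requests the page already fires instead of polling, and offers a reload rather than forcing a redirect. The name `createSessionWatcher`, the threshold, and the assumption that an invalid session or CSRF token surfaces as HTTP 401/403 are all hypothetical and must be checked against the real backend.

```javascript
// Added example. Passive session-expiry detection: no extra polling load,
// only the status codes of API calls the page makes anyway are inspected.
function createSessionWatcher({ authFailureStatuses = [401, 403], threshold = 3, onExpired }) {
  let consecutive = 0;   // auth failures seen since the last successful call
  let notified = false;  // ensures the user is prompted only once per expiry

  return {
    // Call once for every completed API request, successful or not.
    observe(status) {
      if (authFailureStatuses.includes(status)) {
        consecutive += 1;
      } else if (status >= 200 && status < 400) {
        // A successful call proves the session is alive: re-arm the watcher.
        consecutive = 0;
        notified = false;
      }
      // Anything else (0 = network error/abort, 5xx = backend fault) says
      // nothing about the session, so a reboot or outage does not trigger it.
      if (!notified && consecutive >= threshold) {
        notified = true;
        onExpired();
        return true;
      }
      return false;
    },
    state() {
      return { consecutive, notified };
    },
  };
}

// Browser wiring (skipped outside a page that has jQuery loaded).
// ajaxComplete is used instead of ajaxError so successes can reset the counter.
if (typeof window !== 'undefined' && window.jQuery) {
  const watcher = createSessionWatcher({
    onExpired() {
      // Cancel leaves the page as it is; OK reloads, which lands on the login form.
      if (window.confirm('The login session has expired. Reload this page?')) {
        window.location.reload();
      }
    },
  });
  window.jQuery(document).ajaxComplete((_event, jqXHR) => watcher.observe(jqXHR.status));
}
```

Because every open tab runs its own watcher against its own requests, each tab prompts independently once its API calls start failing, without any cross-tab signalling.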

This has the potential to introduce new side effects and edge cases and in the end does not offer enough benefit for the amount of work and support this can result in.

Monviech, Oct 28 '24 09:10