Logged-out user is shown "You were logged out due to inactivity" and redirected to index page #5741
Comments
Also, clicking the "Get Started" button doesn't do anything after you are logged out and redirected to the index page.
Steps to Reproduce
Expected Behavior
For the "/generate" page to show up.
Actual Behavior
You remain on the index page.
(Cannot reproduce either issue in the Docker env, FWIW, neither on
I updated the STR to say to wait for the timeout period of 2 minutes
And this doesn't happen on develop - just rc4
Potentially related: #5716.
One more related STR, which is actually copied from the 1.7.0 Test Plan to make sure that the session expiration message is only displayed when signed in:
Steps to Reproduce
Expected Behavior
No session expiry error message is displayed
Actual Behavior
Session expiry error message is displayed
Thanks for opening @creviera, I can reproduce the behavior you describe here. As you mentioned in #5716, this appears to be the same underlying issue. In this case, the session expiry will always redirect you to the index page and not the login page: securedrop/securedrop/source_app/__init__.py Lines 139 to 141 in 4df72e7
Confirmed, I also see this. In this case, show_expiration_message is set to false. Given the several edge cases identified here and in #5716, while I don't think the issues are severe enough to address in time for the 1.7.0 release, they do highlight the need to take a broader look at session management as proposed in #5692
Yep, thanks @emkll for the code reference. The fix should ensure that we only show the "You were logged out due to inactivity" popup and redirect to the index page on user action when we actually log a user out. If the user is already logged out as in the STRs above, we should not show them this message or redirect user action. It would also be an improvement to redirect immediately when the user session expires.
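The behavior proposed in the comment above, as an added example that is not part of the original thread and is not SecureDrop's code: a framework-free per-request check that shows the inactivity message only when a logged-in session actually expires. The session keys `logged_in` and `expires`, the function names, and the `/protected` path are hypothetical; the 2-minute lifetime is the timeout mentioned in the thread.

```python
from datetime import datetime, timedelta

# Assumed lifetime; the thread mentions a 2-minute timeout period.
SESSION_LIFETIME = timedelta(minutes=2)
LOGOUT_MESSAGE = "You were logged out due to inactivity"


def check_session(session, path, now):
    """Decide what one request should do; returns (target_path, flash_message).

    `session` is a plain dict standing in for the web framework's session
    object. Hypothetical keys: 'logged_in' (bool) and 'expires' (datetime).
    """
    expires = session.get("expires")
    expired = expires is not None and now >= expires

    if expired and session.get("logged_in"):
        # A real logout: drop all state, tell the user, send them to the index.
        session.clear()
        return "/", LOGOUT_MESSAGE

    if expired:
        # Stale timestamp on a session that is already logged out: discard it
        # silently and let the requested page (/login, /generate) load.
        session.clear()
        return path, None

    if session.get("logged_in"):
        # Active user: slide the expiry window forward.
        session["expires"] = now + SESSION_LIFETIME
    return path, None


def demo():
    """Replay the scenarios from the thread with constructed timestamps."""
    t0 = datetime(2021, 1, 1, 12, 0, 0)
    late = t0 + timedelta(minutes=3)  # past the 2-minute lifetime

    logged_in = {"logged_in": True, "expires": t0 + SESSION_LIFETIME}
    never_logged_in = {"expires": t0 + SESSION_LIFETIME}  # stale stamp only

    return [
        check_session(logged_in, "/protected", late),      # real expiry
        check_session(logged_in, "/login", late),          # next click, now logged out
        check_session(never_logged_in, "/generate", late), # "Get Started" click
    ]


if __name__ == "__main__":
    for result in demo():
        print(result)
```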
I just confirmed that this is happening on 1.6.0 so I will update the Issue title and description.
Relatively low priority edge case, so parking in near-term backlog for now.
Thanks, closing accordingly, we'll test session management extensively during QA as well.
Description
Clicking login button when you are logged out doesn't take you to the login page.
Steps to Reproduce
apachectl restart
Expected Behavior
For the "/login" page to show up.
Actual Behavior
You are sent to the index page and have to click on the log-in button again.