When a user logs in to the Control Panel, their session length is 1 hour. When this expires, they are redirected to a page that states there is a problem with their session, with a link to "reset your session":
To Reproduce
Log in to control panel
Wait an hour....
Refresh your page
Expected Behaviour
This information is not accurate - there is no "problem" with the session, it has simply expired. Therefore, as a minimum, the text on this page should be updated to more accurately reflect the issue, e.g. "Your session has expired, please click here to log back in".
However, now that the MFA requirement was disabled in #4557 we may have the opportunity to now implement a session refresh mechanism, so that we log the user back in programmatically, removing the need for the redirect. We should be able to limit this "session refresh" to a set time period (e.g. 12 hours) before we then redirect the user, and prompt them to manually log back in.
Additional context
Some further reading:
https://auth0.com/docs/secure/tokens/refresh-tokens
https://auth0.com/blog/balance-user-experience-and-security-to-retain-customers/
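An added sketch of the bounded session refresh proposed in this issue, not code from the project: a 1-hour session that can be renewed silently until 12 hours after the last interactive login, after which the user must log in again. The class and method names, the in-memory store and the single-use (rotated) refresh token are assumptions made for illustration.

```python
import secrets
from dataclasses import dataclass

SESSION_TTL = 60 * 60            # 1 hour, the session length stated in the issue
REFRESH_WINDOW = 12 * 60 * 60    # 12 hours, the example cap given in the issue


@dataclass
class Session:
    user: str
    login_at: float     # time of the last interactive login; a refresh never moves it
    expires_at: float   # end of the current session
    refresh_token: str  # single-use; rotated on every refresh


class SessionStore:
    """In-memory store (assumption); a real deployment would persist this server-side."""

    def __init__(self):
        self._by_refresh = {}

    def login(self, user, now):
        return self._issue(user, login_at=now, now=now)

    def _issue(self, user, login_at, now):
        # Never let a session outlive the absolute window measured from login.
        expires = min(now + SESSION_TTL, login_at + REFRESH_WINDOW)
        s = Session(user, login_at, expires, secrets.token_urlsafe(32))
        self._by_refresh[s.refresh_token] = s
        return s

    def check(self, session, now):
        """Return 'active', 'refreshable' or 'login_required' for a presented session."""
        if now < session.expires_at:
            return "active"
        in_window = now < session.login_at + REFRESH_WINDOW
        if in_window and session.refresh_token in self._by_refresh:
            return "refreshable"
        return "login_required"   # the page should say "expired", not "a problem"

    def refresh(self, refresh_token, now):
        """Swap a refresh token for a new session; None means re-login is needed."""
        old = self._by_refresh.pop(refresh_token, None)   # pop: token is single-use
        if old is None or now >= old.login_at + REFRESH_WINDOW:
            return None
        return self._issue(old.user, login_at=old.login_at, now=now)
```

Because `login_at` is carried through every refresh, the 12-hour limit is absolute rather than sliding, and a replayed refresh token is rejected because it was consumed on first use.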