Fixed Unnoticed session timeout can lead to lost replies

AlexT

AlexT

Well-known member
Scenario:
  1. User is logged in
  2. User stays idle until his session expires. He doesn't notice it's expired since there is no notice. Meanwhile he is still looking at a particular thread.
  3. User makes a post via quick reply. Upon hitting the post reply button, a modal window pops open ("The following error occurred: You must be logged-in to do that.") with the login form.
  4. Upon filling out the login form in the modal window, the user is returned to the previous thread. But the reply text is lost.
(related: in step 2, xF is continuously trying to save a draft, although it's naturally returned with a 403 error).
 
Last edited:
A proposal: save drafts to local storage every time you attempt to save to the server (as a fallback if no draft is found in the database) along with a timestamp, and have some cleanup JS code to remove old entries so they don't pile up.

That way when they're returned to the previous thread you could load everything from there. Also helps if internet connection is broken, latest drafts can still be recovered if they have a newer timestamp that the database draft.
 
I know what I proposed is a bit of a late change but it seems like some client-side redundancy would come in handy here and in a few other cases. I was a bit surprised that drafts were server side at first, though I guess that means if all is well you can resume a draft from another computer before it expires.
 
So I'm going to tag this as a future fix, though I have made (rather, am in the process of finishing) some changes that do maintain the post data through the login form. This makes the solution more general.

However, there are some situations where this falls over -- technically, depending on what's being triggered, even GET based things may not redirect to exactly where you expect (though this isn't as significant).

These changes are likely too significant (or too spread out) to make at this stage of 1.2.
 
Hi everyone :)

AlexT said:
  1. User is logged in
  2. User stays idle until his session expires. He doesn't notice it's expired since there is no notice. Meanwhile he is still looking at a particular thread.
  3. User makes a post via quick reply. Upon hitting the post reply button, a modal window pops open ("The following error occurred: You must be logged-in to do that.") with the login form.
  4. Upon filling out the login form in the modal window, the user is returned to the previous thread. But the reply text is lost.
Click to expand...

Something similar just happened to me... but once I entered username & password, I was shown a page with the following error message:

Security error occurred. Please press back, refresh the page, and try again.
Click to expand...

And URL at the address bar was:

http://www.comunidadhosting.com/threads/crear-un-formulario-para-subir-archivos.5690/add-reply
Click to expand...
 
There are elements of XF2 that are currently not handling this exactly like XF1 (https://xenforo.com/community/threads/post-data-lost-when-session-expires.132528/), however XF2 does give you an indication if your session expires. When typing a reply, the draft saving system should ensure that this is triggered.

Similarly, there are approaches that change how a session is kept alive that wouldn't have triggered in XF1. (Plus staying logged in is now the default option.)

At this point, I'm going to consider this mostly resolved by changes in XF2's approaches.
 
Back
Top Bottom