Log out if session no longer exists #705
Comments
matthew-white
added a commit
that referenced
this issue
Jan 22, 2023
I don't think an admin would ever want to reset and invalidate their own password rather than changing their password. If they did invalidate their password, their sessions would be deleted, including their current session. That would lead to the issue described in #705.
matthew-white
added a commit
that referenced
this issue
Jan 24, 2023
I don't think an admin would ever want to reset and invalidate their own password rather than changing their password. If they did invalidate their password, their sessions would be deleted, including their current session. That would lead to the issue described in #705.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
There are a few ways that a user's session could be deleted or no longer exist before the session expires without the user logging out, none of them extremely likely. One example: restoring a backup will cause any sessions created after the backup was created to no longer exist.
Frontend automatically logs out before a session expires, but it doesn't account for the possibility that a session could stop existing before it expires. If that happens, then Frontend will continue sending requests, but it will show the resulting 401 errors. Instead, I think it'd be better for Frontend to log out immediately in that case. (Should it just log out whenever it receives a 401? Or maybe receiving a 401 should cause it to try to check the existence of the session?)
The text was updated successfully, but these errors were encountered: