What happened?
Wild North is no longer logging me out after the set period of inactivity. The session timeout popup warning is only displaying on the .jsp pages, not the React page.
When I click on the ‘close’ button on the timeout popup, I am effectively still logged in and remain logged in as long as I leave a Wild North tab open. I am only logged out once I physically click to log out from the normal login/logout button at the top right of the screen.
If I click on the ‘log in’ button on the timeout popup, I get automatically logged in; expected behaviour is to be routed to the login page to enter my credentials to then click to log back in again.
In ACW & Whiskerbook, the inactivity logout and session timeout popup are still working as expected.
What did you expect to happen?
For the system to automatically log me out after the set time of inactivity.
For the session timeout popup to appear on the new React pages as for the old .jsp pages.
To not be logged in automatically once I click on the “log in” button in the session timeout popup.
To not remain logged in indefinitely if I select ‘close’ in the session timeout popup.
What are some steps we could take to reproduce the issue?
Log in to Wild North and leave the tab open and inactive until the timeout popup should appear. Then wait for the normal session timeout period to expire. Refresh the tab and / or open a new tab in Wild North - you will still be logged in. Repeat other steps as described above re: clicking on “close” vs “log in” in the session timeout popup.
I’ve noticed this is a few Wildbooks, but I don’t mind it because it saves me from having to retype my password through the day through all of products.
I know the timeout warnings were added because users weren’t notified they were already logged out before submitting encounters. The inverse doesn’t seem to create any obvious friction for users, but I’ll write a ticket for it for the sake of consistency between Wildbooks.
To be clear, the key problem is the fact that the system no longer logs users out automatically, leaving the user logged in indefinitely, which creates a huge security hole. The issue needs to be prioritized accordingly.
There is no guarantee that a JSP modal will be implemented in React. Any UI moved to React will need a new, distinct React version. There may not be 1-for-1 parity in function or release date as things migrate.
There does appear to be a line in the new Login.java code, which supports React-based login, that extends the session beyond the global configuration value in web.xml. The investigation and potential fix of that is being tracked in Issue 690 linked above.
Issue 699 tracks the “Login” button needed switch to /react/login/ from from welcome.jsp. Fix in place and awaiting PR review and assignment to a release.
