@KarthikRaja1388 opened this Issue on July 29th 2019

Issue: When the session is timing out, users are getting re-directed to login page "You can't access this resource as it requires view access for the website id =1", which gives an impression that the system is not working properly, as for as user is concern they are logged in. No information regarding timeout is provided to the user.

session_timeout

Suggestion: It would be clear for the user why they are not able to access the dashboard/report, if the information about session timeout is displayed (ex: User Session timed out due to inactivity for over 30min"). If possible, if we could alert the user before 10 or 5min of session expiry, so that the users can go back to Matomo and keep the session active if they wanted to.

@mattab commented on August 8th 2019 Member

at the minimum it would be important to show a useful message above the login form like Your session timed out due to inactivity for over 30min. Please login again. (or better)

reckon we don't need to alert people to keep the session active, or we could do this later.

@tsteur commented on August 18th 2019 Member

Could say You may have been logged out due to inactivity. Please log in again.

As we can't know whether someone was last logged in 30 min ago, or 10 days ago .... and we can't know if user had checked remember me last etc.

@KarthikRaja1388 commented on August 18th 2019

I would suggest a message like this "Session expired, due to inactivity for more than 30 min. Please log in again".

@tsteur commented on August 18th 2019 Member

We cannot know if the user was logged out due to inactivity for 30 min or not @KarthikRaja1388

@KarthikRaja1388 commented on August 18th 2019

@tsteur On what basis, do we expire the session may I ask?

@tsteur commented on August 18th 2019 Member

It depends whether user clicked before "remember me" or not...

We could probably persist first whether user clicked "remember me or not"... but then we would also need to persist "expiration date" of session. This information is currently lost as soon as the user logs out. And we can't know whether user had last remember me active or when the user was last active. It starts even getting bit more complicated once you realise a user may be able to logged into multiple devices and we would need to store a new session cookie to detect a specific device etc. My comment is likely written bit confusing but it's just all a bit complicated.

If we could just show a more generic message we make a multi day job only a few minutes job.

Powered by GitHub Issue Mirror