Bug #96978

closed

Backend "Stay logged in" button does refresh the login-session

Added by Benjamin Franzke about 2 years ago. Updated over 1 year ago.

Status: Closed
Priority: Should have
Category: Backend User Interface
Start date: 2022-02-20
% Done: 100%
TYPO3 Version: 11

Description

Steps to reproduce:

1. Set $GLOBALS['TYPO3_CONF_VARS']['BE']['sessionTimeout'] to 70.
2. Login via /typo3/
3. Wait 60 seconds for the login-refresh-popup to occur
4. Click the "Stay logged in" button
5a. Wait 10 seconds and click on a module => A redirect to the login screen will appear.
5b. Wait another 60 seconds => A password-box will appear because the session has not been updated.

Description:
For unknown reasons the /ajax/login/refresh
route has never been used (all the way back to v6),
to request a session timeout update.

Instead the route /ajax/login/timedout, without the
skipSessionUpdate=1 parameter has been used to
refresh an existing session.

With the introduction of configurable route parameters
in #81409 this inconsistency wasn't noticed and the
skipSessionUpdate parameter has been moved into the
route-configuration, which meant /ajax/login/timedout was
always called with skipSessionUpdate=1,
even as a result of the "Stay logged in" button, where
a session update was intended.

Use the dedicated /ajax/login/refresh route
in order to actually refresh the session.
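
The behaviour described in this report, as an added example that is not TYPO3 code and not part of the original issue: a minimal model of a sliding session timeout replayed against both routes. The `BackendSession` class, the `ROUTES` table and the `dispatch`/`replay` helpers are hypothetical; only the route paths, the `skipSessionUpdate` parameter and the 70-second timeout come from the report.

```javascript
// Constructed model of the behaviour in this report; not TYPO3 code.
class BackendSession {
  constructor(timeoutSeconds, loginTime) {
    this.timeout = timeoutSeconds;
    this.lastActivity = loginTime;
  }
  isValid(now) {
    return now - this.lastActivity < this.timeout;
  }
}

// Route paths and skipSessionUpdate are from the report; the table is hypothetical.
const ROUTES = {
  '/ajax/login/timedout': { skipSessionUpdate: true },
  '/ajax/login/refresh': { skipSessionUpdate: false },
};

// Handle one request at time `now` (seconds since login).
function dispatch(session, path, now) {
  const route = ROUTES[path];
  if (!route) throw new Error(`unknown route: ${path}`);
  if (!session.isValid(now)) return { loggedIn: false };
  // Only routes without skipSessionUpdate slide the timeout window forward.
  if (!route.skipSessionUpdate) session.lastActivity = now;
  return { loggedIn: true, expiresAt: session.lastActivity + session.timeout };
}

// Replay steps 1-5 with the route the "Stay logged in" button calls.
function replay(stayLoggedInRoute) {
  const session = new BackendSession(70, 0);              // steps 1-2: timeout 70, login at t=0
  dispatch(session, '/ajax/login/timedout', 60);          // step 3: assumed status poll before the popup
  const click = dispatch(session, stayLoggedInRoute, 60); // step 4: "Stay logged in"
  return {
    expiresAt: click.expiresAt,
    validAt70: session.isValid(70),    // step 5a: module click 10 seconds later
    validAt120: session.isValid(120),  // step 5b: 60 seconds later
  };
}

console.log('timedout route:', replay('/ajax/login/timedout'));
console.log('refresh route: ', replay('/ajax/login/refresh'));
```

A regression test for this class of bug can assert exactly this: after the "Stay logged in" request, the session expiry must be later than it was before the click.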


Related issues: 1 (0 open, 1 closed)

Related to TYPO3 Core - Feature #81409: Move skipSessionUpdate values to AjaxRoutes config (Closed, Johannes Goslar, 2017-06-01)
