Task #97059

open

Removal of re-login popup functionality

Added by Benni Mack over 2 years ago. Updated about 2 months ago.

Status: New
Priority: Should have
Assignee: -
Category: Authentication
Target version: -
Start date: 2022-02-28
Due date:
% Done: 0%
Estimated time:
TYPO3 Version: 12
PHP Version:
Tags:
Complexity:
Sprint Focus:

Description

The re-login popup dialog has conceptual drawbacks, and I opt for removing it as its usefulness has decreased in the past years.

The re-login works like this: An AJAX request is done every 60 seconds. If the session timeout is less than 60 seconds, then a popup is shown to re-enter their credentials to stay logged in. This is useful when writing longer texts and unsaved changes should be kept.

However, the following issues exist:
  • When an external login provider (OAuth, SSO, OpenID Connect) is used, the re-login concept does not work (that's why there is a global ! option to disable the popup)
  • When working with multiple tabs, and the editor jumps back to the tab when the session timeout is over, the new session does not keep the existing values either
  • Custom login providers cannot be used in conjunction with this dialog
  • The AJAX polling of 60 seconds is rather a bummer, as we should rather use "push" functionality when the login is about to expire
  • Various places in TYPO3 Backend code try to allow such "AJAX polling" calls and build up the form without any useful rendering of such a dialog

In the past years, we also mitigated this issue by setting the session lifetime of backend users from 2h to 8h (= 1 workday) so editors should not see this dialog that often anymore.


Related issues 4 (2 open, 2 closed)

  • Related to TYPO3 Core - Bug #93662: Login refresh asks for password of "switched to" user (Closed, 2021-03-05)
  • Related to TYPO3 Core - Bug #91376: TYPO3 backend asks for password of SU user when SU backend session has timed out (Closed, 2020-05-13)
  • Related to TYPO3 Core - Bug #101572: Uncaught TypeError in class SystemInformationMenu while backend login renewal is pending (New, 2023-08-04)
  • Related to TYPO3 Core - Bug #99397: Refresh login does not take MFA into account (New, 2022-12-20)

#1

Updated by Markus Klein over 2 years ago

  • Description updated (diff)

I agree

#2

Updated by Andreas Kienast over 2 years ago

Another issue that's unsolved to my knowledge: if an admin is impersonating another backend user and that session expires, the dialog asks for the password of the impersonated(!) backend user.

#3

Updated by Markus Klein over 2 years ago

Yep Andy, that's #93662

#4

Updated by Benni Mack over 2 years ago

  • Related to Bug #93662: Login refresh asks for password of "switched to" user added
#5

Updated by Gerrit Hübbers almost 2 years ago

that's why there is a global ! option to disable the popup

I read this statement that versions 11 and older already have an option to disable the popup. Which option is that?

#6

Updated by Benni Mack almost 2 years ago

Gerrit Hübbers wrote in #note-5:

that's why there is a global ! option to disable the popup

I read this statement that versions 11 and older already have an option to disable the popup. Which option is that?

The option is called $TYPO3_CONF_VARS[BE][showRefreshLoginPopup]

#7

Updated by Riccardo De Contardi over 1 year ago

  • Related to Bug #91376: TYPO3 backend asks for password of SU user when SU backend session has timed out added
#8

Updated by Garvin Hicking 2 months ago

  • Related to Bug #101572: Uncaught TypeError in class SystemInformationMenu while backend login renewal is pending added
#9

Updated by Garvin Hicking 2 months ago

  • Related to Bug #99397: Refresh login does not take MFA into account added
#10

Updated by Torben Hansen about 2 months ago

Fully agree with the task. Let's remove the functionality in v14.
