Task #97059
open
Removal of re-login popup functionality
0%
Description
The re-login popup dialog has conceptual drawbacks, and I opt for removing it as its usefulness has been decreased in the past years.
The re-login works as this: An AJAX request is done every 60 seconds. If the session timeout is less than 60 seconds, then a popup is shown to re-enter their credentials to stay logged in. This is useful when writing longer texts and unsaved changes should be kept.
However, the following issues exist:- When using an external login provider (OAuth, SSO, OpenID connect) is used, the re-login concept does not work (that's why there is a global ! option to disable the popup)
- When working with multiple tabs, and the editor jumps back to the tab when the session timeout is over, the new session does not keep the existing values either
- Custom login providers cannot be used in conjunction with this dialog
- The AJAX polling of 60 seconds is rather a bummer, as we should rather use "push" functionality when the login is about to expire
- Various places in TYPO3 Backend code try to allow such "AJAX polling" calls and build up the form without any useful rendering of such a dialog
In the past years, we also mitigated this issue by setting the session lifetime of backend users from 2h to 8h (= 1 workday) so editors should not see this dialog that often anymore.
Updated by
Updated by Andreas Kienast over 2 years ago
Another issue that's unsolved to my knowledge: if an admin is impersonating another backend user and that session expires, the dialog asks for the password of the impersonated(!) backend user.
Updated by Benni Mack over 2 years ago
- Related to Bug #93662: Login refresh asks for password of "switched to" user added
Updated by Gerrit Hübbers almost 2 years ago
that's why there is a global ! option to disable the popup
I read this statement that versions 11 and older already have an option to disable the popup. Which option is that?
Updated by Benni Mack almost 2 years ago
Gerrit Hübbers wrote in #note-5:
that's why there is a global ! option to disable the popup
I read this statement that versions 11 and older already have an option to disable the popup. Which option is that?
The option is called $TYPO3_CONF_VARS[BE][showRefreshLoginPopup]
Updated by Riccardo De Contardi over 1 year ago
- Related to Bug #91376: TYPO3 backend asks for password of SU user when SU backend session has timed out added
Updated by Garvin Hicking 4 months ago
- Related to Bug #101572: Uncaught TypeError in class SystemInformationMenu while backend login renewal is pending added
Updated by Garvin Hicking 4 months ago
- Related to Bug #99397: Refresh login does not take MFA into account added
Updated by Torben Hansen 3 months ago
Fully agree with the task. Lets remove the functionality in v14