Doesn't support AJAX page accesses correctly when browser refresh is enabled
| Project: | Automated Logout |
| Version: | 6.x-1.5 |
| Component: | Code |
| Category: | bug report |
| Priority: | normal |
| Assigned: | Unassigned |
| Status: | active |
When using the autologout feature with timeout enabled, it doesn't work properly when using AJAX on a page. My AJAX requests hit the drupal server, going through the menu_hook URLs, so they are properly registered as "activity", and therefore reset the timeout (verified by testing to be sure). So that part works perfectly. The part that doesn't work is when I turn on the automatic browser refresh. This is because the meta tag used for the refresh is only set once, on page load, not dynamically whenever a server URL is accessed. So with AJAX calls, which by definition don't cause a page refresh, having the meta refresh hard coded upon initial page load only, doesn't work at all. With AJAX a huge part of web applications, I see this as a feature that needs to be supported and is very important.
#1
So I decided to solve this problem myself, but it is a fairly big functional shift in the design of the entire module. I am wondering if I should create a new separate module to maintain it, or if those of you as committers on the module would be interested in converting the module to this new method.
The current Automatic Logout has several functions that it doesn't implement, and would be very hard to implement while sticking with the meta-refresh based logout scheme.
1. The page will meta-refresh even when AJAX calls are made through the AJAX module
2. You have no ability to record "activity" on something other than a server access (like a mouseover or jQuery AJAX function call)
3. There is no popup to give the user a pre-timeout warning and a chance to click OK to continue their session
I have designed the module so that it supports all of these. I started with your code as my base.
I scrapped meta-refresh and have implemented the timeout logic purely in javascript. The automatic logout is done by calling a URL from javascript that is created in the menu_hook from the module. This does the logout and redirect to a page with a message like you are doing in the 3.x branch.
You can register "activity" by calling a javascript function from within your application where you see fit. In a onmouseover event, in a onsubmit event, in an AJAX setup function.
It can hook into the AJAX module by mass assigning the function call to all form elements. I tested this, it works, may not be the best way, but I bet it will work fine for most.
I scrapped the Javascript timer, that seems like the actual purpose for that is to avoid a surprise automatic logout, but since I have implemented a pre-timeout popup with a chance to continue progress, I think its completely unnecessary. I don't see any professional sites with anything like that on them. But most sites do have an inactivity timeout popup. The popup is a jQuery Dialog so is you want to use popups, there is a dependency on the jquery_ui module.
I based the code on the autologout module code, so the admin settings for enabling by role are all still there. Additionally, I added a configuration option for how long before the timeout will happen that the popup occurs.
Anyways, I'm really asking to the module maintainers, What do I do next? Do you want to take a look at the code and decide if you are interested in integrating anything? I'd really like your feedback on if I should just start a new module or not. I'd rather not attach the module to this random issue post because I'd like to get it somewhere formally first to avoid having old versions of a module around to confuse people. Can I just email/message it to you guys?
Thanks,
Jeremy Zerr
Zerrtech
#2
It's good to start an open dialog about the future of this module. There are/were three maintainers:
jrglasgow, jvandervort (ME), and AjK. AjK set me as owner, but I don't use it much.
The way I see it, the module needs to figure out if it is a convenience logout or an enforcer. Is it supposed to be helpful to the user to protect their content or helpful to the site to make sure that no one stays logged in too long for security reasons?
There is also javascript vs metarefresh... and other issues. Perhaps jrglasgow will wade in to the discussion.
#3
Plus there is the whole 3rd branch 'LITE' version which is following a different course.
#4
My client uses autologout to help keep his site content secured from unauthenticated users.
Anyway very interested in Jeremy's new code.
#5
@jeremy.zerr
It looks to me like you have some wonderful ideas.
I, for one, would like to see your version of the module. I think we should be able to incorporate many, if not all, of your changes. And I would prefer to do it now before I continue on with my effort to port the module to Drupal 7
#6
One option to get around the meta-refresh problem with AJAX calls would be to add a little to the code
$("meta[http-equiv=refresh]").attr("content", 99999);this would set the refresh to somthing like 27 hours when Javascript is available.
I don't believe we should rely just on Javascript for the refresh is the users expects the refresh, we should have a contingency in case the user might have sensitive data on the screen and Javascript turned off.
#7
Does that code work well? I did some initial tests, trying to do the same thing via javascript (but not using jQuery), and it did nothing. That's why I ended up going to the next option, which was to scrap metarefresh for just a javascript refresh. Seemed like because it was in the header, it wasn't interpreted again even after changing the value via code, so it updated the DOM, but didn't appear to actually change the refresh that happened.
I understand the point about wanting to not rely on javascript, I've had my own concerns about that. I guess maybe a hybrid method where in the configuration for the module, there is also an option for a non-javascript version that uses the meta-refresh, simple checkbox, that actually shouldn't be too bad. It seems like a very difficult problem to be able to determine whether a user has javascript disabled and configure the module automatically, not sure if there is something passed around in the drupal API to know that inside a module. That would be slick.
Anyways, I'll get my code dressed up and I'll zip it up and post it here if that sounds OK. I just know there are already lots of different releases of this module and wasn't sure I should muddy the waters even more.
#8
for javascript detection, do you mean: Drupal.jsEnabled?
EDIT: Nevermind, I found that isn't in php.
Perhaps using js + metarefresh would be ok.
#9
Attached is the code. Its set up for a new module named autologoutjs. Remember to install jquery_ui if you want to see the popup. Also, the popup doesn't look the best becuase I had problems with IE6. Anyways, take a look at lets figure out where to go.
Regarding using meta-refresh when javascript isn't enabled, I saw someone use a noscript metarefresh that might be great if it actually works. I'll test a little bit and see what I find.
Jeremy - Zerrtech