Better detection of "cookies deleted" in the application


(Sam Saffron) #1

Occasionally users may delete all cookies or, in self-hosted situations (which do not have auth token set via env), junk Redis.

When this happens, behaviour is kind of odd.

It looks like you are logged in:


If you are browsing a secure topic, you only see placeholders:

Depending on the site you are on (requires login or not) you will start seeing lots of 302s or 403s.

Instead:

If we detect a user is somehow no longer logged in, we should open a modal saying “looks like you were logged out would you like to refresh” or something along those lines.

We can solve this very cleanly, by:

  1. Adding a custom HTTP header: DISCOURSE_LOGGED_IN: true to all Ajax calls we make (based on what the client thinks).

  2. Adding a custom HTTP header to responses from the server when there is a conflict between server and client state: DISCOURSE_LOGGED_OUT: true

Then the client can easily tell that it was logged out and raise the screen, and if anyone anywhere has issues with status codes (due to live permission changes and the like), we will not confuse it with the “logged out” situation.
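The header exchange proposed above, as an added example that is not part of the original post and not Discourse's own code. The session store, request shape and function names are hypothetical, and the header names are written with hyphens as an assumption, since reverse proxies such as nginx drop header names containing underscores by default.

```javascript
// Header names follow the post, hyphenated here (assumption, see lead-in).
const LOGGED_IN = "discourse-logged-in";
const LOGGED_OUT = "discourse-logged-out";

// Client: attach the hint based on what the client believes about itself.
function buildRequest(client, path, opts = {}) {
  const headers = client.currentUser ? { [LOGGED_IN]: "true" } : {};
  return { path, headers, cookieToken: client.cookieToken, ...opts };
}

// Server: `sessions` is a hypothetical Map of auth token -> user record.
// The request header is only a hint; access is decided by the session lookup.
function serverHandle(req, sessions) {
  const user = sessions.get(req.cookieToken) || null;
  const headers = {};
  // Conflict: the client claims a session the server cannot find.
  if (req.headers[LOGGED_IN] === "true" && !user) headers[LOGGED_OUT] = "true";
  const denied = (req.requiresLogin && !user) || (req.staffOnly && !(user && user.staff));
  return { status: denied ? 403 : 200, headers };
}

// Client: the marker header, not the status code, signals a lost session.
function classifyResponse(res) {
  if (res.headers[LOGGED_OUT] === "true") return "show-logged-out-modal";
  return res.status === 403 ? "permission-error" : "ok";
}

// Constructed scenarios: one valid session, then the cookie jar is cleared.
function runScenarios() {
  const sessions = new Map([["tok-1", { name: "alice", staff: false }]]);
  const fresh = { currentUser: "alice", cookieToken: "tok-1" };
  const stale = { currentUser: "alice", cookieToken: undefined }; // cookies deleted
  const anon = { currentUser: null, cookieToken: undefined };
  const go = (c, p, o) => classifyResponse(serverHandle(buildRequest(c, p, o), sessions));
  return {
    validSession: go(fresh, "/t/1"),
    staffPageAsMember: go(fresh, "/staff-only", { staffOnly: true }),
    staleSecureTopic: go(stale, "/t/secure", { requiresLogin: true }),
    stalePublicTopic: go(stale, "/t/1"),
    anonymousLoginWall: go(anon, "/t/secure", { requiresLogin: true }),
  };
}
```

The stale client gets the modal even on a public page that returns 200, while a 403 caused by a permission change on a valid session is reported as an ordinary permission error.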


(Felix Freiberger) #3

Isn’t this a duplicate and proposed solution to… gasp… my first topic on Meta? :scream:

Thanks for looking into this :sun_with_face:


(Sam Saffron) #4

Completed per:

Pretty bulletproof after this change.


(Felix Freiberger) #5

Wohoo, wonderful! Thank you :cherry_blossom:

(Sorry to spam you, but a :heart: simply wasn’t enough :wink:)


(Sam Saffron) #6

This topic was automatically closed after 25 hours. New replies are no longer allowed.