Better detection of "cookies deleted" in the application

Occasionally users may delete all cookies or in self hosted situations (which do not have auth token set via env) junk redis.

When this happens behaviour is kind of odd.

It looks like you are logged in:

image

If you are browsing a secure topic, you only see placeholders:

Depending on the site you are on (requires login or not) you will start seeing lots of 302s or 403s

Instead:

If we detect a user is somehow no longer logged in, we should open a modal saying “looks like you were logged out would you like to refresh” or something along those lines.

We can solve this very cleanly, by:

  1. Adding a custom HTTP header: DISCOURSE_LOGGED_IN: true to all Ajax calls we make (based on what the client thinks.

  2. Adding a custom HTTP header to responses from the server when there is a conflict between server and client state: DISCOURSE_LOGGED_OUT: true

Then client can easily tell that it was logged out and raise the screen and if anyone anywhere has issues with status codes (due to live permission changes and the like) we will not confuse it with the “logged out” situation.

10 Likes

Isn’t this a duplicate and proposed solution to… gasp… my first topic on Meta? :scream:

Thanks for looking into this :sun_with_face:

6 Likes

Completed per:

https://github.com/discourse/discourse/commit/0134e41286255111f2644a5b90e03640efef5db1

Pretty bullet proof after this change.

11 Likes

Wohoo, wonderful! Thank you :cherry_blossom:

(Sorry to spam you, but a :heart: simply wasn’t enough :wink:)

7 Likes

This topic was automatically closed after 25 hours. New replies are no longer allowed.