On 401/403, refresh logged-in state and don't imply in the UI that the request worked #2813

Open
opened 2015-06-30 15:03:37 +00:00 by wjt · 1 comment

For whatever reason, a user's Pandora login cookie (I guess?) expired. Until they refreshed the page, they were still shown as logged in.

Whenever they tried to add an annotation, they saw the "Sorry, you have made an unauthorized request." dialog. But when they dismissed the dialog, the annotation was still shown in the editor, so they assumed that the error could be ignored and the annotation had still been saved, and kept working, dismissing the dialog every time. Hours later, after they refreshed the page, I had to break the bad news that all their changes had not been saved.

Obviously, users blindly dismissing dialogs is bad, but there are some things Pandora could do better:

  1. On 401/403, refresh the logged-in state. If the user is now logged out, the top-right corner would show "Not logged in" and the editor would go into the not-logged-in state where trying to add an annotation shows "To add or edit ..., please sign up or sign in.".
  2. When addAnnotation/editAnnotation/etc. fails, roll back the annotation bin accordingly, so it doesn't look like the change was saved successfully. I guess it would be a pretty invasive change to not just send all errors to the global 'error' event…
j added the frontend label 2015-06-30 15:03:37 +00:00
j added this to the 14.04 milestone 2015-06-30 15:03:37 +00:00
0x2620 was assigned by j 2015-06-30 15:03:37 +00:00
j added the normal, defect labels 2015-06-30 15:03:37 +00:00
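
The two proposals in the issue above, sketched as an added example; this is not Pandora's code and not from either participant. The `transport(action, data, callback)` client, the `getSession` action and all state field names are assumptions made for illustration, and the fake server is constructed.

```javascript
// Hypothetical editor state plus an injected API client (assumed shape:
// transport(action, data, callback) calls back with { status, data }).
function createAnnotationEditor(transport) {
  const state = { user: 'alice', loggedIn: true, annotations: [], notice: null };

  // Proposal 1: on 401/403, ask the server for the session state instead of
  // trusting what the client cached at page load.
  function refreshSession(done) {
    transport('getSession', {}, (res) => {
      state.loggedIn = res.status === 200 && res.data.loggedIn === true;
      if (!state.loggedIn) state.user = null;
      done();
    });
  }

  function addAnnotation(annotation, done) {
    if (!state.loggedIn) {
      state.notice = 'please sign up or sign in';
      return done(false);
    }
    state.annotations.push(annotation); // optimistic: shown before the server answers
    transport('addAnnotation', annotation, (res) => {
      if (res.status === 200) return done(true);
      // Proposal 2: the save failed, so remove what the user was shown.
      state.annotations = state.annotations.filter((a) => a !== annotation);
      state.notice = 'not saved';
      if (res.status === 401 || res.status === 403) {
        return refreshSession(() => done(false));
      }
      done(false);
    });
  }
  return { state, addAnnotation };
}

// Constructed fake server whose session can be expired on demand.
function createFakeServer() {
  const server = { sessionValid: true, saved: [] };
  server.transport = (action, data, callback) => {
    if (action === 'getSession') {
      return callback({ status: 200, data: { loggedIn: server.sessionValid } });
    }
    if (!server.sessionValid) return callback({ status: 401, data: {} });
    server.saved.push(data);
    callback({ status: 200, data: {} });
  };
  return server;
}
```

A 403 that comes from a permission check rather than an expired session still rolls the annotation back, but leaves `loggedIn` true because the session check is answered by the server.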
Owner

agreed, pandora has to do a better job with expired sessions.

right now you can also increase the default session timeout.
add

```
SESSION_COOKIE_AGE=120*24*60*60
```

to /srv/pandora/pandora/local_settings.py

current default value is 60 days (60*24*60*60)

Reference: 0x2620/pandora#2813