Session duration and sending a new topic **issue**

alumnoxxi
Registered User
Posts: 43
Joined: Mon Jul 13, 2020 11:01 pm

Session duration and sending a new topic **issue**

Post by alumnoxxi »

Hi there,

I have received several complaints from users over time, indicating that after having spent a long time writing their post, when they sent it, the post was lost and did not appear. Many of them indicated that they spent more than 1 hour writing the post. After checking that there is no error in Apache etc., I have come to the conclusion that it was related to the session interval offered by default in phpBB, which is 1h. Currently I have increased it to 2h, but I have several questions about the functionality of phpBB.

When a user spends a longer time writing the post than the duration of the session, shouldn't it be automatically saved in a draft to avoid losing it? Is there any way I can activate this? Otherwise it would be a juicy feature to implement in phpBB.

Can the session duration be greater than the maximum interval for submitting forms (another ACP parameter)?
EA117
Registered User
Posts: 1765
Joined: Wed Aug 15, 2018 3:23 am

Re: Session duration and sending a new topic **issue**

Post by EA117 »

alumnoxxi wrote:
Fri Jul 31, 2020 9:11 pm
When a user spends a longer time writing the post than the duration of the session, shouldn't it be automatically saved in a draft to avoid losing it? Is there any way I can activate this?
...
Can the session duration be greater than the maximum interval for submitting forms (another ACP parameter)?
There isn't any "automatically save an in-progress reply or edit" in phpBB itself. There is something similar available as an extension, at least for phpBB 3.2.x.

What is "supposed to happen" depends on the user's actions, unfortunately. There are at least three possible scenarios that come to mind:
  • User does not use "Remember me" when logging in. Session time limit ends while composing a message, and upon next submit or preview the user is redirected to login again, since their previous login has expired. Although they are taken back to the posting page after the successful re-login, any in-progress content is not still there.
  • User does use "Remember me" when logging in. Session time limit ends while composing a message, and upon next submit or preview phpBB automatically creates a new logged-on session for the user. But because the session ID is now different, the form verification fails, and so the user sees "form invalid" in response to the attempted submit or preview. But the user simply needs to submit or preview again and the form with its in-progress content will be accepted under the newly established session ID.
  • Regardless of how the user logged on, the user simply takes a long time before attempting to submit their message. During that time, one or more other users successfully post messages to the same discussion. When the user who took a long time finally attempts to submit, if "post review" is enabled for the forum they are in, although their submit is "successful" they are actually taken to the post review screen instead of actually submitting the message.

    The intention is that they may want to review the other messages that were posted during the time they were composing their own message, before then committing to "submit" for a second time after making any further changes in response to the additional posts. But some users aren't expecting that "submit" would result in anything but success. And "aren't reading" the page that comes up next, in order to understand that further action is needed on their part. They simply close the browser or navigate away, and the in-progress message content is lost.
So if the user has "Remember me" selected during login, there is no expectation that "expiration of the session would cause data loss." They would receive a "form invalid" due to the session having expired, but their in-progress content is still there, and things will succeed when they try again.

But if they didn't choose "Remember me", or if they're not recognizing when Post Review comes up while attempting to submit, then data loss is possible for those scenarios.

Yes, the session lifetime can be longer than the form submission lifetime. That would just mean you can potentially get "form invalid" simply by having exceeded the form submission time, even though you're still successfully using your same logged-on and non-expired session.
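
A generic model of the behaviour described in the answer above, added here as an illustration (it is not phpBB's code and not from either poster): a form token bound to the session ID and to a creation time, with the typed message preserved when validation fails. The key, the 3600-second form lifetime and all function names are assumptions.

```python
import hashlib
import hmac

SERVER_KEY = b"constructed-demo-key"   # constructed value for the demo only
FORM_MAX_AGE = 3600                    # assumed form-submission limit, seconds


def _mac(session_id, form_name, created):
    # The token authenticates the creation time, form name and session ID.
    msg = f"{created}|{form_name}|{session_id}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def render_form(session_id, form_name, now, message=""):
    """Build the hidden fields sent with the form, keeping any typed message."""
    return {"form": form_name, "created": now,
            "token": _mac(session_id, form_name, now), "message": message}


def submit(form, session_id, now):
    """Validate a submission; on failure re-render with the message preserved."""
    expected = _mac(session_id, form["form"], form["created"])
    if not hmac.compare_digest(expected, form["token"]):
        reason = "form invalid: token bound to another session"
    elif now - form["created"] > FORM_MAX_AGE:
        reason = "form invalid: form lifetime exceeded"
    else:
        return "accepted", None
    # A fresh token under the current session lets the retry succeed.
    return reason, render_form(session_id, form["form"], now, form["message"])


def remember_me_scenario():
    """Session expires mid-draft; auto-login hands out a new session ID."""
    form = render_form("sid-old", "posting", now=0, message="long draft")
    first, retry_form = submit(form, "sid-new", now=5400)
    second, _ = submit(retry_form, "sid-new", now=5410)
    return first, second, retry_form["message"]


def long_session_scenario():
    """Session still valid, but the draft outlived the form lifetime."""
    form = render_form("sid-same", "posting", now=0, message="long draft")
    return submit(form, "sid-same", now=5400)[0]
```
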
alumnoxxi
Registered User
Posts: 43
Joined: Mon Jul 13, 2020 11:01 pm

Re: Session duration and sending a new topic **issue**

Post by alumnoxxi »

Little to say, the truth is that you have made everything very clear point by point.

By default the box to remember me is unchecked, is there an option from acp or bd, so that this option is checked by default?

Most users susceptible to session loss almost certainly will not have marked "Remember me".

I'll take a look at the plugin you mention to see if it works for 3.3.

Thanks for the help.
Last edited by Mick on Sat Aug 01, 2020 6:35 am, edited 1 time in total.
Reason: Removed unnecessary full quoting.
EA117
Registered User
Posts: 1765
Joined: Wed Aug 15, 2018 3:23 am

Re: Session duration and sending a new topic **issue**

Post by EA117 »

alumnoxxi wrote:
Fri Jul 31, 2020 11:46 pm
By default the box to remember me is unchecked, is there an option from acp or bd, so that this option is checked by default?
Reviewing the provided prosilver style, there isn't any template or other code that would conditionally try and select the "Remember me" option during login. You would have to manually add the checked HTML attribute to the <input type="checkbox"> element being defined in the templates, such as:

<!-- IF S_AUTOLOGIN_ENABLED --><dd><label for="autologin"><input type="checkbox" name="autologin" id="autologin" tabindex="3" checked /> {L_LOG_ME_IN}</label></dd><!-- ENDIF -->

You will find similar lines in viewforum_body.html, login_body.html and index_body.html in the /styles/prosilver/template/ folder, which you can find by searching for the S_AUTOLOGIN_ENABLED reference. You're just adding the additional checked attribute to each one, as shown in the above example.

Defaulting this setting to "on" isn't the best security practice, since now someone must remember to opt-out if they're actually on a public machine. Meaning on any machine where "automatically log me in the next time I visit this site" isn't appropriate, because it may be someone else using the machine and now they've been automatically logged in as the previous user.

So perhaps weigh that against the idea of educating the users about the benefit of opting-in on devices that they control.
alumnoxxi
Registered User
Posts: 43
Joined: Mon Jul 13, 2020 11:01 pm

Re: Session duration and sending a new topic **issue**

Post by alumnoxxi »

Thanks for the information, but if in the end I weigh that I do not rent, compared to the security risks that it implies.

I take note and educate my users
Last edited by Mick on Sun Aug 02, 2020 6:18 am, edited 1 time in total.
Reason: Removed unnecessary full quoting.