  1. PUBLIC - Liferay Portal Community Edition
  2. LPS-137264

Extend session requests are sent to the Liferay server even if the session was already expired

Details

    Description

      0- Introduction to session extension functionality

      The session extension functionality is based on the following portal properties:

      session.timeout=15
      session.timeout.warning=1
      session.timeout.auto.extend=false
      session.timeout.auto.extend.offset=10

      Important notes:

      • Out of the box, only guest users' sessions are auto-extended before the session times out, but auto-extension can be enabled for every user by setting session.timeout.auto.extend to true.
      • The session.timeout value must match the session timeout configured in the web.xml of the application ( tomcat-9.x.x/webapps/ROOT/WEB-INF/web.xml => session-config => session-timeout )
      • The session.timeout.auto.extend.offset controls how many seconds before the session times out the /c/portal/extend_session request is sent.

      The current behavior of session extension is to send the extend_session request some seconds before the session expires:

      • session.timeout*60 - session.timeout.auto.extend.offset

      For example, with the out-of-the-box configuration, the request is sent 10 seconds before the session expires (15*60-10 = 890 seconds after the browser received the content from the server).

      1- Detected problem and its solution

      If the browser has some kind of unexpected problem and is not able to execute the extend_session JavaScript code before the session has expired on the server side, it will keep sending the request even though the session has already expired and the request is useless.

      For authenticated users, if you have enabled session.timeout.auto.extend=true, Liferay should also warn the customer that the session has expired, instead of continuing to try to extend a session that has already expired.

      This causes some inconveniences that we should avoid:

      1. The server will receive useless requests to extend_session that will never correctly extend the session as it is already expired
      2. If session.timeout.auto.extend=true is enabled, the authenticated user won't receive the warning message that says: "Due to inactivity, your session has expired. Please save any data you may have entered before refreshing the page" so they will potentially lose any pending work they didn't save.
      3. In the log files, there will be warn traces "Unable to extend the HTTP session. Review the portal property "session.timeout" if this warning is displayed frequently." but these warn traces are not caused by any server misconfiguration, so they can cause some misunderstanding to our customers. (for more information see LPS-133668)

      To solve it, we have to extend the session only when:

      elapsed >= (sessionLength - sessionTimeoutOffset) and (elapsed < sessionLength)

      If elapsed >= sessionLength, we just have to execute the session expiration functionality, which will stop the calls and display the warning to the final customer in the user interface.

      2- Why the browser is not able to send the extend_session request in time

      The current session extension code in https://github.com/liferay/liferay-portal/blob/db830a8ca34ce65f4d588f36dc09b3b0f3f31cb6/modules/apps/frontend-js/frontend-js-aui-web/src/main/resources/META-INF/resources/liferay/session.js#L232-L327 checks the session timeout every second, so in theory it should extend the session correctly.

      But there are some situations where this is not true:

      1. The user's computer can be suspended/hibernated at any time without closing any application. When the user starts it again, the existing browser tab will try to extend the session even if the session was created the day before.
      2. Mobile phones or tablets can do something similar when you change the browser tab or open another application: to save battery, they stop executing the JavaScript code every second.
      3. If you execute something CPU intensive on your computer (for example, an ant all), the JavaScript execution can be delayed.
      4. Some browsers also apply JavaScript timer optimizations, grouping the JavaScript timers to run once a minute when the browser tab has been inactive for some time (see https://developer.chrome.com/blog/timer-throttling-in-chrome-88/#intensive-throttling and PTR-2563)
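
      The extend/expire condition from section 1, applied to the delayed-timer situations listed in section 2, as an added example (not code from session.js or from the Liferay project). All function and option names are hypothetical, elapsed time is assumed to be measured from timestamps rather than counted ticks, and the extend request is assumed to succeed immediately.

```javascript
// Added example; function and option names are hypothetical, not from session.js.
// All times are in milliseconds.
function decideSessionAction(elapsedMs, sessionLengthMs, offsetMs) {
  if (elapsedMs >= sessionLengthMs) return 'expire'; // session is already gone server-side
  if (elapsedMs >= sessionLengthMs - offsetMs) return 'extend'; // inside the offset window
  return 'wait';
}

// Monitor that computes elapsed time from timestamps on every tick, so a tick
// that arrives late (suspend, throttling, CPU load) still sees the real elapsed time.
// Assumption: onExtend() succeeds at once; real code would reset the timestamp
// only after the server confirms the extension.
function createSessionMonitor({sessionLengthMs, offsetMs, now, onExtend, onExpire}) {
  let lastServerContact = now();
  let expired = false;
  return {
    tick() {
      if (expired) return 'stopped'; // no further extend_session calls
      const action = decideSessionAction(now() - lastServerContact, sessionLengthMs, offsetMs);
      if (action === 'extend') {
        onExtend();
        lastServerContact = now();
      } else if (action === 'expire') {
        expired = true;
        onExpire();
      }
      return action;
    },
  };
}

// Constructed scenario: session.timeout=2 (120 s), offset=10 s, fake clock.
// tickTimesMs lists the moments at which the timer callback actually runs.
function simulate(tickTimesMs) {
  let clock = 0;
  const log = [];
  const monitor = createSessionMonitor({
    sessionLengthMs: 120000, offsetMs: 10000, now: () => clock,
    onExtend: () => log.push(`extend@${clock}`),
    onExpire: () => log.push(`expire@${clock}`),
  });
  for (const t of tickTimesMs) {
    clock = t;
    monitor.tick();
  }
  return log;
}

console.log(simulate([1000, 109000, 110000, 111000])); // timer on time
console.log(simulate([1000, 100000, 250000, 251000])); // frozen from 100 s to 250 s
```

      In the second run the tick that arrives after the freeze triggers the expiration path once and no extend request is sent.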

      3- Steps to reproduce

      1. Configure Liferay with session.timeout.auto.extend=true in the portal.properties, to enable auto extend for the authenticated users.
      2. Reduce the session timeout from 15 to 2 minutes (this is not completely necessary to reproduce the issue, but we will reduce the reproduction time to 2 minutes)
        • Configure Liferay with session.timeout=2 in the portal.properties
        • Change the session timeout in the Tomcat configuration: tomcat/webapps/ROOT/WEB-INF/web.xml => "session-timeout" setting to 2 minutes.
      3. Start the Liferay server
      4. Log in from your browser with any user
      5. Freeze your browser until the session is expired:
        • To do this you can suspend/hibernate your computer for 2 minutes
        • In Linux you can also simulate this by executing:
          1. pkill -STOP -f chrome (or pkill -STOP -f firefox if you use firefox)
          2. wait 2 minutes
          3. pkill -CONT -f chrome (or pkill -CONT -f firefox if you use firefox)
      6. The browser is back to normal:
        • Expected behavior:
          • The warn message "Due to inactivity, your session has expired. Please save any data you may have entered before refreshing the page" is displayed in the user interface.
          • There are no warn traces in the log files
        • Wrong behavior:
          • There is no warn message in the user interface.
          • There is a warn trace in the log file that says "Unable to extend the HTTP session. Review the portal property "session.timeout"

            People

              summer.zhang Summer Zhang
              jorge.diaz Jorge Diaz
              Kiyoshi Lee Kiyoshi Lee
              Jorge Diaz Jorge Diaz

              Dates

                Created:
                Updated:
                Resolved:
                1 year, 14 weeks, 2 days ago

                Packages

                  Version Package
                  7.0.0 DXP FP102
                  7.0.10.16 DXP SP17
                  7.0.X
                  7.1.10 DXP FP26
                  7.1.10.7 SP7
                  7.1.X
                  7.2.10 DXP FP15
                  7.2.X
                  7.3.10.3 DXP SP3
                  7.3.X
                  7.4.13 DXP GA1
                  Master