feat(session): preserve intended URL across session timeout and add expiry warning dialog

When a session expires, the user's current URL is now captured and restored
after re-authentication (via remember-me cookie or manual login), instead of
always redirecting to the dashboard. A JavaScript session warning dialog
appears ~2 minutes before idle timeout, allowing users to extend their session
with a single click. Includes open-redirect prevention via URL validation,
Microsoft SSO callback support, and 33 unit tests.

Refs: SESSION-REDIRECT-PRESERVE-001

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
2026-03-13 14:28:49 +01:00
parent a3045fa95e
commit 04995e3712
18 changed files with 1333 additions and 7 deletions

View File

@@ -0,0 +1,21 @@
<dialog
data-app-session-warning-dialog
aria-labelledby="app-session-warning-title"
aria-describedby="app-session-warning-message"
aria-live="assertive"
>
<article class="app-session-warning-dialog">
<header>
<h2 id="app-session-warning-title"><?php e(t('Session expiring')); ?></h2>
</header>
<p
id="app-session-warning-message"
data-session-warning-message
data-template="<?php e(t('Your session will expire in {countdown}. Would you like to continue?')); ?>"
></p>
<footer>
<button type="button" class="secondary outline" data-session-warning-logout><?php e(t('Log out')); ?></button>
<button type="button" class="primary" data-session-warning-extend><?php e(t('Extend session')); ?></button>
</footer>
</article>
</dialog>