feat(session): preserve intended URL across session timeout and add expiry warning dialog
When a session expires, the user's current URL is now captured and restored after re-authentication (via remember-me cookie or manual login), instead of always redirecting to the dashboard. A JavaScript session warning dialog appears ~2 minutes before idle timeout, allowing users to extend their session with a single click. Includes open-redirect prevention via URL validation, Microsoft SSO callback support, and 33 unit tests. Refs: SESSION-REDIRECT-PRESERVE-001 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -7,6 +7,7 @@ use MintyPHP\Debugger;
|
||||
use MintyPHP\Firewall;
|
||||
use MintyPHP\Http\AccessControl;
|
||||
use MintyPHP\Http\AssetDetector;
|
||||
use MintyPHP\Http\IntendedUrlService;
|
||||
use MintyPHP\Http\LocaleResolver;
|
||||
use MintyPHP\Http\RequestContext;
|
||||
use MintyPHP\Http\Request;
|
||||
@@ -79,9 +80,18 @@ if (!empty($_SESSION['user']['id'])) {
|
||||
$isAbsolute = ($now - $sessionStartedAt) > $absoluteTimeoutSeconds;
|
||||
|
||||
if ($isIdle || $isAbsolute) {
|
||||
// Capture the current URL before session destruction so the user
|
||||
// can be redirected back after re-authentication.
|
||||
$intendedUrl = $_SERVER['REQUEST_URI'] ?? '';
|
||||
$authService->logoutDueToSessionTimeout();
|
||||
Flash::error(t('Your session has expired. Please log in again.'), 'login', 'session_timeout');
|
||||
Router::redirect('login');
|
||||
$intendedUrlService = app(IntendedUrlService::class);
|
||||
$locale = I18n::$locale ?? I18n::$defaultLocale;
|
||||
$loginTarget = $intendedUrlService->buildLoginRedirect(
|
||||
Request::withLocale('login', $locale),
|
||||
$intendedUrl
|
||||
);
|
||||
Router::redirect($loginTarget);
|
||||
}
|
||||
|
||||
$_SESSION['session_last_activity'] = $now;
|
||||
|
||||
Reference in New Issue
Block a user