AJAX, SecurityComponent black-hole, Remember Me from CakeDC/users and PHP session timeout


Hey everyone,

I have a problem with SecurityComponent.

On a CakePHP 3.x page, I have forms generated with Form Helper (to take care of the security token) composed of just one textarea .
Whenever a user leave one of the textarea, the corresponding form is submitted through a jQuery Ajax request taking care of the token.
This use case works great and that way, I can use Ajax while maintaining Security using SecurityComponent.

The problem I have is when the PHP session is expired (if the user leaves the page open and inactive for more than the PHP session duration).

Because I am using CakeDC/users plugin and the remember me feature, before every Ajax request, I make a request to /users/sessionStatus (a dummy action that has no other purpose that triggering the “reconnection” of the user automatically if it checked the “Remember Me” checkbox when signing in.

Unfortunately, when the session is recreated using the RememberMe cookie :cookie:, session is reset and then, all subsequent POST request are black-holed because $session->id() mismatch (because of the newly created session).

Also, in the docs, it is written :

The unlockedActions property will not affect other features of SecurityComponent:

This is unclear to me … Can someone please explain ?

If anyone has a bright idea to help solve that use case :bulb: :blush:

Thanks !


I had a great talk with @steinkel on Slack regarding this use case :grinning: and the best solution seems to implement a countdown :stopwatch: in Javascript to present the user a modal when its session is about to expire to allow it to extend the session or logout.

If the user does not respond in time, the modal should say that the session expired and just display a “Reconnect” button to refresh :arrows_counterclockwise: the page. If the user had checked the “Remember Me” checkbox when logging-in, the page will be refreshed, remember me mechanism triggered that will re-set/re-login the user session (and security tokens will be regenerated accordingly).

Otherwise when refreshing the page, if the user had not checked the “Remember Me” checkbox, a authError will be triggered and the user will be redirected to /users/login?redirect=<currentPage> to relogin manually and redirect the user to the previous page.

:warning: The only thing I should also take care using that approach is that I currently save typed texts in the textareas only when the user leaves the field (onChange event).

Soooo, if a user starts typing in the field but does not move out. The event would not be triggered and the input of the last field would be lost when refreshing the page.

To counter that, I plan to implement an “autosave” :floppy_disk: feature that would post the form when the user stopped typing :keyboard: for more than 5 secs. That way, all data would be always saved before the user needs to refresh the page :wink: