Automatically prolong CSRF token lifetime in forms #4134
This PR is adding JS code that performs a ping to the EE Action URL every hour to extend the form lifetime.

For guests, it will be extending the `exp_csrf_token` cookie. For logged-in members, it will be extending the session lifetime (the token lives as long as the session lives). With the session lifetime of 2 hours, that means that if they leave the page with the form open and the computer is active, the form will still be valid to submit if they come back after 2 hours. If however the computer goes to sleep for 2 hours, the session/token will already be dead and they will need to reload the page (we could also send back the token and auto-inject that into the forms though, but I'd like to get initial review first).

The potential side effect (not tested though) is that they will probably not get logged out after 2h of inactivity, because there will be activity from the AJAX calls.

The code will be automatically injected into pages that contain any form, unless the `disable_csrf_protection` or `disable_csrf_refresh` config override is set.
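The keep-alive behaviour described above, as an added example that is not the PR's own code: the injection decision, the hourly tick with the "machine slept past the session lifetime" case, and the optional token re-injection mentioned as a follow-up. The names `sendPing`, `startKeepAlive`, the field name `csrf_token`, and the action URL value are assumptions; the 2h session and 1h ping interval come from the description.

```javascript
// Added example, not code from the EE pull request. Hypothetical names:
// ACTION_URL, sendPing, startKeepAlive, and the "csrf_token" field name.
const SESSION_LIFETIME_MS = 2 * 60 * 60 * 1000; // session/token lifetime (2h)
const PING_INTERVAL_MS = 60 * 60 * 1000;        // one ping per hour
const ACTION_URL = '/?ACT=0';                   // placeholder EE action URL

// Inject the refresher only when a form is present and neither config
// override disables CSRF protection or the refresh itself.
function shouldRefresh(config, formCount) {
  if (config.disable_csrf_protection || config.disable_csrf_refresh) return false;
  return formCount > 0;
}

// A ping can only extend a session that is still alive. If more time than the
// session lifetime has passed since the last confirmed activity (e.g. the
// machine slept), the token is already dead and the page must be reloaded.
function planTick(nowMs, lastAliveMs, lifetimeMs = SESSION_LIFETIME_MS) {
  const idle = nowMs - lastAliveMs;
  return idle >= lifetimeMs ? { action: 'reload', idle } : { action: 'ping', idle };
}

// Write a freshly issued token into every hidden csrf_token field so forms
// left open stay submittable without a reload. Returns the number updated.
function injectToken(forms, token) {
  let updated = 0;
  for (const form of forms) {
    for (const field of form.fields) {
      if (field.name === 'csrf_token') { field.value = token; updated += 1; }
    }
  }
  return updated;
}

// Scheduler: ping hourly; when a tick finds the session already expired,
// stop pinging and hand control to the caller (typically a page reload).
function startKeepAlive({ sendPing, forms, onReload, clock = Date.now,
                          schedule = setInterval, cancel = clearInterval }) {
  let lastAlive = clock();
  const timer = schedule(async () => {
    const plan = planTick(clock(), lastAlive);
    if (plan.action === 'reload') { cancel(timer); onReload(plan); return; }
    const token = await sendPing(ACTION_URL); // server may answer with a new token
    if (token) injectToken(forms, token);
    lastAlive = clock();
  }, PING_INTERVAL_MS);
  return timer;
}
```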