Logged-out user is shown "You were logged out due to inactivity" and redirected to index page #5741

Closed
sssoleileraaa opened this issue Jan 22, 2021 · 12 comments

Comments

@sssoleileraaa
Contributor

sssoleileraaa commented Jan 22, 2021

Description

Clicking login button when you are logged out doesn't take you to the login page.

Steps to Reproduce

  1. Configure session timeout to be 2 minutes instead of the default 120 minutes.
  2. Restart Apache: apachectl restart
  3. Log into the Source Interface
  4. Go to submission page and click log-out button
  5. Wait for just over 2 minutes
  6. Click log-in button

Expected Behavior

For the "/login" page to show up.

Actual Behavior

You are sent to the index page and have to click on the log-in button again.

@sssoleileraaa
Contributor Author

Also, clicking the "Get Started" button doesn't do anything after you are logged out and redirected to the index page.

Steps to Reproduce

  1. Run through STR above
  2. Click "Get Started" button

Expected Behavior

For the "/generate" page to show up.

Actual Behavior

You remain on the index page.

@eloquence
Member

eloquence commented Jan 23, 2021

(Cannot reproduce either issue in the Docker env, FWIW, neither on develop nor release/1.7.0 branch)

@sssoleileraaa
Contributor Author

I updated the STR to say to wait for the timeout period of 2 minutes

@sssoleileraaa
Contributor Author

And this doesn't happen on develop - just rc4

@eloquence
Member

Potentially related: #5716.

@sssoleileraaa
Contributor Author

sssoleileraaa commented Jan 23, 2021

One more related STR, which is actually copied from the 1.7.0 Test Plan to make sure that the session expiration message is only displayed when signed in:

Steps to Reproduce

  1. Like the STR in this PR description, set session timeout to 2 minutes and restart Apache.
  2. Click the New Identity icon in the Tor Browser to clear current browser data and visit the Source Interface again
  3. Click Get Started
  4. Wait slightly over 2 minutes
  5. After the codename generation page is displayed
  6. Visit the Source Interface index page again

Expected Behavior

No session expiry error message is displayed

Actual Behavior

Session expiry error message is displayed

@emkll
Contributor

emkll commented Jan 25, 2021

Thanks for opening @creviera, I can reproduce the behavior you describe here. As you mentioned in #5716, this appears to be the same underlying issue. In this case, the session expiry will always redirect you to the index page and not the login page:

    if session['show_expiration_message']:
        flash(Markup(msg), "important")
    return redirect(url_for('main.index'))

> Also, clicking the "Get Started" button doesn't do anything after you are logged out and redirected to the index page.

Confirmed, I also see this; in this case, show_expiration_message is set to false.

Given the several edge cases identified here and in #5716, while I don't think the issues are severe enough to address in time for the 1.7.0 release, they do highlight the need to take a broader look at session management as proposed in #5692.

@sssoleileraaa
Contributor Author

Yep, thanks @emkll for the code reference. The fix should ensure that we only show the "You were logged out due to inactivity" popup and redirect to the index page on user action when we actually log a user out. If the user is already logged out as in the STRs above, we should not show them this message or redirect user action. It would also be an improvement to redirect immediately when the user session expires.
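
The behaviour requested in the comment above, next to the behaviour reported in this thread, as an added framework-free sketch (not SecureDrop's code and not part of the original discussion). The hook functions, the `logged_in` key, the `/` index path and the session dictionaries are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

LIFETIME = timedelta(minutes=2)  # session timeout used in the STR
MSG = "You were logged out due to inactivity"


def _expired(session, now):
    return "expires" in session and now >= session["expires"]


def reported_hook(session, path, now):
    """Reported behaviour: every expired session is redirected to the index."""
    if _expired(session, now):
        show = bool(session.get("show_expiration_message"))
        session.clear()
        session["show_expiration_message"] = show
        # The redirect happens whether or not the message is shown.
        return "/", (MSG if show else None)
    session["expires"] = now + LIFETIME
    return path, None


def fixed_hook(session, path, now):
    """Requested behaviour: notify and redirect only when a login is ended."""
    if _expired(session, now):
        was_logged_in = session.get("logged_in", False)
        session.clear()  # drop stale state in every case
        if was_logged_in:
            return "/", MSG
        # Nobody was logged in: fall through and serve the requested page.
    session["expires"] = now + LIFETIME
    return path, None


if __name__ == "__main__":
    t0 = datetime(2021, 1, 22, 12, 0)  # constructed timestamps
    later = t0 + timedelta(minutes=3)
    # Constructed state: a logged-out browser still carrying an old expiry.
    stale = {"expires": t0, "show_expiration_message": True}
    print("reported:", reported_hook(dict(stale), "/login", later))
    print("fixed:   ", fixed_hook(dict(stale), "/login", later))
    active = {"expires": t0, "logged_in": True}
    print("timeout: ", fixed_hook(active, "/login", later))
```
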

@sssoleileraaa
Contributor Author

I just confirmed that this is happening on 1.6.0 so I will update the Issue title and description.

@sssoleileraaa sssoleileraaa changed the title [1.7.0-rc4 QA] clicking login button when you are logged out doesn't take you to the login page When already logged out, don't show "You were logged out due to inactivity" message or redirect to index page on user action Jan 26, 2021
@sssoleileraaa sssoleileraaa changed the title When already logged out, don't show "You were logged out due to inactivity" message or redirect to index page on user action Logged-out user is shown "You were logged out due to inactivity" and redirected to index page Jan 26, 2021
@eloquence
Member

Relatively low priority edge case, so parking in near-term backlog for now.

@nabla-c0d3
Contributor

This was fixed by #5694 and #5695.

@eloquence
Member

Thanks, closing accordingly, we'll test session management extensively during QA as well.
