Session Keepalive
Active-session protection to prevent logouts during work, added in 3.4.0
Overview
v3.4.0 added a session keepalive mechanism so users who are actively working do not get logged out mid-flow. The system distinguishes "user is actively working" from "idle session has been abandoned."
How It Works
Client Side (session-keepalive.js)
session-keepalive.js is a plain JavaScript module (not a Stimulus controller) imported into all three frontend entry points (app.js, custom-ea.js, custom-js.js) so it runs on every page load. On pages matching /admin/*, /customer/*, or /reporting-tool/*, it does the following:
- Activity tracking - listens for click, keydown, mousemove, scroll, touchstart, and focus events
- Check interval - every 60 seconds, evaluates whether to send a heartbeat
- Heartbeat conditions - fires only if: (1) the tab is visible, (2) the user was active within the last 10 minutes, and (3) at least 5 minutes have elapsed since the last heartbeat
- Request - sends POST /session/keepalive with same-origin credentials
- Stop condition - if the server returns 401, the heartbeat stops permanently
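The heartbeat decision listed above, as an added example (not the project's session-keepalive.js): the clock and tab visibility are injected so it runs without a DOM, and createKeepalive, noteActivity, decide, recordResponse and simulate are hypothetical names. It assumes page load counts as the first server contact and that any non-401 response resets the 5-minute gap.

```javascript
const MIN = 60 * 1000;
const ACTIVE_WINDOW_MS = 10 * MIN;     // user must have been active within 10 minutes
const MIN_HEARTBEAT_GAP_MS = 5 * MIN;  // at least 5 minutes between heartbeats

function createKeepalive({ now, isVisible }) {
  let lastActivity = now();
  let lastHeartbeat = now();  // assumption: page load counts as the first server contact
  let stopped = false;
  return {
    // Wired to click/keydown/mousemove/scroll/touchstart/focus listeners in a browser.
    noteActivity() { lastActivity = now(); },
    // Called by the 60-second check; returns 'send' or the reason nothing is sent.
    decide() {
      if (stopped) return 'stopped';
      if (!isVisible()) return 'hidden';
      const t = now();
      if (t - lastActivity > ACTIVE_WINDOW_MS) return 'idle';
      if (t - lastHeartbeat < MIN_HEARTBEAT_GAP_MS) return 'too-soon';
      return 'send';  // caller issues POST /session/keepalive with same-origin credentials
    },
    // Called with the HTTP status of the keepalive request.
    recordResponse(status) {
      if (status === 401) stopped = true;  // session is gone: never retry
      else lastHeartbeat = now();          // assumption: any other status resets the gap
    },
  };
}

// Constructed timeline (minutes since page load), not real traffic.
function simulate() {
  let clock = 0, visible = true;
  const k = createKeepalive({ now: () => clock, isVisible: () => visible });
  const log = [];
  const step = (minute, before) => {
    clock = minute * MIN;
    if (before) before();
    log.push(k.decide());
  };
  step(1);                                // 1 min since load
  step(5, () => k.noteActivity());        // active, 5 min since load
  k.recordResponse(200);
  step(9);                                // 4 min since last heartbeat
  step(10, () => { visible = false; });   // tab in background
  step(16, () => { visible = true; });    // last activity was 11 min ago
  step(17, () => k.noteActivity());       // active again, 12 min since heartbeat
  k.recordResponse(401);
  step(30, () => k.noteActivity());       // activity after a 401 changes nothing
  return log;
}
```

The timeline shows that a backgrounded tab or an idle user sends nothing, so the server-side expiry timer keeps running in those cases, and that a 401 ends heartbeats for the life of the page.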
Server Side (SessionController.php)
The POST /session/keepalive endpoint checks authentication status. If the user is authenticated, it starts the session (if needed), stamps _keepalive_last_seen_at with the current time, and returns 200. Simply accessing the session refreshes PHP's session expiry timer.
Files Touched
| File | Change |
|---|---|
| assets/js/session-keepalive.js | Added (100 lines) |
| Controller/SessionController.php | Added (45 lines) |
| assets/app.js | Modified - import added |
| assets/custom-ea.js | Modified - import added |
| assets/custom-js.js | Modified - import added |
Changelog Reference
feat: keep active sessions alive while users are active (#649)