The way web login works is that both the client and the server hold state that they use to maintain the login session. The server currently uses PHP sessions, which may be garbage collected at any time. Inside this session the server has access to the userid and username of the user. The client has a PHPSESSION cookie that is simply a key used by the server. When this key is sent to the server, the server can look up the session and validate the state. The session may expire at an indeterminate time, since the server is in control of this (actually the server has two parts: when the cookie is set and when the garbage collection runs).
I propose that we do the following:
- Start using both a PHPSESSION cookie and a program-editor cookie. The latter will store the userid/username that the server also stores in the session.
- When the client starts up, it should check for both the PHPSESSION cookie and the program-editor cookie. If both are present, then the client should assume that the session is valid until demonstrated otherwise by a 401 from the server.
- The client should never check the login unless it is performing some action with the server, such as looking up the list of programs or saving a program or deleting a program. If it ever gets a 401 in response to an ajax request, it should show a modal to force the login again. This means that the previous action that generated the 401 would have to be reissued after login is successful.
- Because ajax actions may result in a 401 from the server, modals such as deleteProgramModal should be careful to handle this and show an option to log in again. This would close the current modal and open the login modal.
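The client-side flow proposed above, as an added example that is not code from this project: it checks for both cookies at startup and wraps an ajax action so a 401 triggers the login flow and then reissues the action once. The cookie names are taken from the proposal; `action` (a fetch-like call) and `login` (the modal flow) are injected so the code runs offline, and the sample cookie strings are constructed.

```javascript
// Cookie names as proposed in the issue.
const SESSION_COOKIE = "PHPSESSION";    // opaque server session key
const EDITOR_COOKIE = "program-editor"; // client copy of userid/username

// Parse a document.cookie-style string ("a=1; b=2") into a name -> value map.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(";")) {
    const [name, ...rest] = part.trim().split("=");
    if (name) out[name] = decodeURIComponent(rest.join("="));
  }
  return out;
}

// Startup check: treat the session as valid only if BOTH cookies are present.
// The program-editor cookie is a UI hint only; authorization is still decided
// by the server, which is why a 401 later always overrides this result.
function hasLocalSession(cookieString) {
  const cookies = parseCookies(cookieString);
  return Boolean(cookies[SESSION_COOKIE]) && Boolean(cookies[EDITOR_COOKIE]);
}

// Wrap one server action (list/save/delete program). On 401, run the login
// flow (closing the current modal and opening the login modal is the job of
// `login`, which resolves true when the user has logged in), then reissue the
// same action exactly once so a repeated 401 surfaces as an error, not a loop.
async function withReauth(action, login) {
  let response = await action();
  if (response.status !== 401) return response;
  const loggedIn = await login();
  if (!loggedIn) throw new Error("login cancelled; action not reissued");
  response = await action(); // reissue the original request
  if (response.status === 401) throw new Error("still unauthorized after login");
  return response;
}

// Constructed stand-in for fetch: returns the given statuses in order.
function fakeAction(statuses) {
  const queue = [...statuses];
  return async () => ({ status: queue.shift() });
}
```

In the real client, `action` would be the `fetch` call behind the program list or save button and `login` would show the login modal and resolve when it closes.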