[47854] - Session Destroyed automatically .

[marcoAntonioNina]

Issue & Reproduction Steps

The session loss warning when you have multiple tabs does not correctly control the time of each one; the time should be global and synchronized for all of them.

Solution

• Implement session synchronization and timeout management in bootstrap.js; enhance Session.vue to utilize session state updates and warnings. This includes adding BroadcastChannel support for session events, localStorage management for session state, and integrating session renewal logic in the Session component.

How to Test

• Log in to the ProcessMaker platform.

• Open multiple browser tabs, such as:
  Editing a screen
  Editing a script
  Editing a process modeler
  Viewing a request page

• Work on one of the open screens while leaving the other tabs idle.

• After 5–10 minutes, the session automatically expires some time take more than.

• When you try to submit changes, an "Unauthorized" message appears, along with a "Stay Connected" prompt.

• If you do not click "Stay Connected" or miss the prompt, you are automatically logged out.

• As a result, any unsaved changes in screens, scripts, or process models are lost.

Related Tickets & Packages

• FOUR-27401

Code Review Checklist

• I have pulled this code locally and tested it on my instance, along with any associated packages.
• This code adheres to ProcessMaker Coding Guidelines.
• This code includes a unit test or an E2E test that tests its functionality, or is covered by an existing test.
• This solution fixes the bug reported in the original ticket.
• This solution does not alter the expected output of a component in a way that would break existing Processes.
• This solution does not implement any breaking changes that would invalidate documentation or cause existing Processes to fail.
• This solution has been tested with enterprise packages that rely on its functionality and does not introduce bugs in those packages.
• This code does not duplicate functionality that already exists in the framework or in ProcessMaker.
• This ticket conforms to the PRD associated with this part of ProcessMaker.

ci:deploy

---

Note

Introduces a centralized session synchronization mechanism to keep session timeout, warnings, and renewals consistent across browser tabs.

• Adds common/sessionSync.js with BroadcastChannel/localStorage-based state, leader election, and a single timeout Web Worker driving cross-tab warnings/expiry
• Refactors bootstrap.js and next/config/session.js to initialize initSessionSync, exposing AccountTimeout* globals and sessionSync helpers instead of manual worker wiring
• Enhances Session.vue to show a renewing spinner state, disable actions during keep-alive, handle 401/419, and broadcast renewing/renewed/expired/logout events to other tabs; only leader restarts the worker
• Extends navbar state/components (app-layout.js, next/layout/navbar.js, Blade) with sessionIsRenewing and passes :is-renewing to the session modal; closing the modal resets renewing state

^{Written by Cursor Bugbot for commit 81cb879. This will update automatically on new commits. Configure here.}

[vladyrichter]

QA server K8S was successfully deployed https://ci-4956f1abde.engk8s.processmaker.net

[vladyrichter]

QA server K8S was successfully deployed https://ci-4956f1abde.engk8s.processmaker.net

[vladyrichter]

QA server K8S was successfully deployed https://ci-4956f1abde.engk8s.processmaker.net

[vladyrichter]

QA server K8S was successfully deployed https://ci-4956f1abde.engk8s.processmaker.net

[vladyrichter]

QA server K8S was successfully deployed https://ci-4956f1abde.engk8s.processmaker.net

[vladyrichter]

QA server K8S was successfully deployed https://ci-4956f1abde.engk8s.processmaker.net

[cursor]

Cursor Bugbot has reviewed your changes and found 3 potential issues.

^{Bugbot Autofix is OFF. To automatically fix reported issues with Cloud Agents, enable Autofix in the Cursor dashboard.}

[cursor]

Unsafe error property access causes crash

High Severity

The keepAlive error handler accesses error.response.data.errors without null checking, which throws a TypeError for network errors, timeouts, or server errors that lack the expected structure. This crashes the error handler and prevents proper error recovery when session renewal fails.

 

[cursor]

Double worker start on visibility change leadership

Low Severity

When a hidden tab becomes visible and claims leadership, the timeout worker receives two "start" messages within milliseconds. The updateLeadership call at line 481 triggers ensureWorkerRunning which starts the worker, then line 488 immediately starts it again, causing the second start to override the first with slightly different timing calculations.

Additional Locations (1)

• resources/js/common/sessionSync.js#L454-L458

 

[cursor]

Worker restart blocked when modal unavailable

Medium Severity

When a tab loses leadership, the workerStarted flag reset at line 467 only happens if closeSessionModal exists. In layouts without the session modal, the flag remains true, preventing the timeout worker from restarting when the tab regains leadership. This breaks session timeout functionality when switching between tabs.

 

[vladyrichter]

QA server K8S was successfully deployed https://ci-4956f1abde.engk8s.processmaker.net

[processmaker-sonarqube]

Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
No data about Duplication

See analysis details on SonarQube