
Fix editor save handling for expired sessions #1412

Open

TeaTinyTool wants to merge 1 commit into prasathmani:master from TeaTinyTool:fix-editor-save-session-handling

Conversation

@TeaTinyTool


Summary

This fixes a misleading success message in the editor save flow when the session has expired or when the editor still uses an outdated CSRF token.

Problem

Currently, JSON/AJAX save requests are handled only after the login check. If the session has expired, the login page can be returned with HTTP 200. The JavaScript success handler may then show Saved Successfully, although the file was not saved.

This is not only a cosmetic issue. I have personally lost editor changes several times because the UI reported a successful save while the file was not actually written.

There is a second related case: after logging in again in another tab, an already open editor can still contain an outdated CSRF token.

Changes

  • Detect real application/json AJAX save requests before the normal login check.
  • Return HTTP 401 for expired sessions instead of the login page.
  • Return HTTP 409 for stale CSRF tokens and provide the current token in the X-CSRF-Token response header.
  • Return save error responses as text/plain with Cache-Control: no-store.
  • Do not automatically save after receiving a refreshed CSRF token.
  • Show a persistent message asking the user to click save again intentionally.
  • Add X-TFM-Save-Success: 1 as a clear server-side confirmation for successful saves.
  • Show Saved Successfully only when this success header is present, or as a compatibility fallback when the trimmed server response is exactly 1.
  • Report unexpected HTTP 200 responses as failed saves and show a limited response excerpt for diagnostics.

Expected behavior

  1. The session expires while an editor tab is open.
  2. The user tries to save.
  3. The user receives a clear message that the file was not saved.
  4. The user logs in again in another tab.
  5. On the next save click in the old editor, only the CSRF token is refreshed.
  6. The file is saved only after another intentional save click.

Notes

This change is limited to the editor save flow and should not affect normal form posts or uploads.

Prevent the editor from showing `Saved Successfully` when the session has expired or the CSRF token is stale.

Expired save requests now return an explicit error response instead of the login page. Stale CSRF tokens are refreshed without auto-saving, so the user has to click save again intentionally before the file is written.
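As an added illustration of the response contract described above (not code from this PR or from the project), the following Node script classifies an editor save response the way the described client should: HTTP 401 means the session expired and nothing was written; HTTP 409 with an `X-CSRF-Token` header only refreshes the token held by the editor and does not auto-save; a 200 counts as a save only when `X-TFM-Save-Success: 1` is present or the trimmed body is exactly `1`; any other 200 is reported as a failed save with a short excerpt. The `createEditorState`/`interpretSaveResponse` names, the lowercase header keys and the sample responses are assumptions of this example, not the project's API.

```javascript
// Added example, not the PR's or the project's code. Pure functions, so it
// runs offline; the fetch()/DOM wiring of a real editor page is assumed.

// Hypothetical client state: the CSRF token an open editor tab currently holds.
function createEditorState(csrfToken) {
  return { csrfToken };
}

// Cut a response body down to a short, single-line diagnostic excerpt.
function excerpt(body, max = 80) {
  const s = String(body).replace(/\s+/g, ' ').trim();
  return s.length > max ? s.slice(0, max) + '...' : s;
}

// Interpret one save response. `resp` is { status, headers, body } where
// `headers` uses lowercase names (as fetch's Headers.get() normalises them).
// Returns { outcome, saved, message }; mutates state only on a token refresh.
function interpretSaveResponse(state, resp) {
  const header = (name) => {
    const v = resp.headers[name.toLowerCase()];
    return v === undefined ? null : v;
  };
  if (resp.status === 401) {
    return { outcome: 'session-expired', saved: false,
             message: 'Session expired: the file was NOT saved. Log in again in another tab.' };
  }
  if (resp.status === 409 && header('X-CSRF-Token') !== null) {
    state.csrfToken = header('X-CSRF-Token');   // refresh only, no automatic re-save
    return { outcome: 'csrf-refreshed', saved: false,
             message: 'Security token refreshed. Click Save again to write the file.' };
  }
  if (resp.status === 200) {
    if (header('X-TFM-Save-Success') === '1' || String(resp.body).trim() === '1') {
      return { outcome: 'saved', saved: true, message: 'Saved Successfully' };
    }
    // A 200 without the confirmation header (for example a login page) is a failure.
    return { outcome: 'unexpected-200', saved: false,
             message: 'Save failed: unexpected response: ' + excerpt(resp.body) };
  }
  return { outcome: 'http-error', saved: false, message: `Save failed (HTTP ${resp.status})` };
}

// Constructed sample responses mirroring the PR's expected-behaviour steps.
const state = createEditorState('token-A');
const scenario = [
  { status: 401, headers: {}, body: '' },                                  // step 3
  { status: 409, headers: { 'x-csrf-token': 'token-B' }, body: '' },       // step 5
  { status: 200, headers: { 'x-tfm-save-success': '1' }, body: '1' },      // step 6
  { status: 200, headers: {}, body: '<html><title>Login</title></html>' }, // old behaviour
];
scenario.forEach((r) => console.log(interpretSaveResponse(state, r)));
```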