fix: return 401 instead of 500 for AJAX requests with expired session #21599
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
No tests added for the moment as i am not sure about potential impact : need pre-review first. |
AdrienClairembault
approved these changes
Oct 23, 2025
|
I'm not confident enough with new routiong system, I'll wait for @cedric-anne review. |
cedric-anne
reviewed
Oct 27, 2025
Comment on lines
83
to
88
| // For AJAX/JSON requests, return a JSON response with 401 status | ||
| $response = new JsonResponse([ | ||
| 'error' => __('Your session has expired'), | ||
| 'message' => __('Please log in again'), | ||
| 'code' => 'ERROR_SESSION_EXPIRED', | ||
| ], 401); |
There was a problem hiding this comment.
Throwing back a HttpException should permit to have it correctly handled by the ErrorController.
Suggested change
| // For AJAX/JSON requests, return a JSON response with 401 status | |
| $response = new JsonResponse([ | |
| 'error' => __('Your session has expired'), | |
| 'message' => __('Please log in again'), | |
| 'code' => 'ERROR_SESSION_EXPIRED', | |
| ], 401); | |
| // For AJAX/JSON requests, convert the error into a HttpException | |
| $http_exception = new \Glpi\Exception\Http\HttpException(403, 'Session expired.'); | |
| $http_exception->setMessageToDisplay(__('Your session has expired. Please log in again.')); | |
| throw $http_exception; |
There was a problem hiding this comment.
Response code shouldn't be 401 instead of 403 ? https://stackoverflow.com/questions/1653493/what-http-status-code-is-supposed-to-be-used-to-tell-the-client-the-session-has
There was a problem hiding this comment.
Changed here 2d6d33b but i kept 401 Response Code.
trasher
reviewed
Oct 28, 2025
AdrienClairembault
approved these changes
Oct 28, 2025
Nevermind, it's OK |
cedric-anne
approved these changes
Oct 29, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fix AJAX requests returning HTTP 500 instead of 401 when session expires.
The AccessErrorListener had an early return for AJAX requests that prevented handling of SessionExpiredException. This has been fixed by processing SessionExpiredException before the
AJAX check.
For AJAX requests with expired sessions, the listener now returns a proper JSON 401 response:
HTML requests continue to redirect to the login page as before. Other exception handling remains unchanged.
Warning : This fix applies to all 122 AJAX endpoints in the application. Low risk of impact, though frontend handling of 401 responses should be monitored after deployment.