No Code Attached Yet bug
nikosdion
20 Mar 2023

Steps to reproduce the issue

Expected result

You can see the keep-alive POST requests to /administrator/index.php?option=com_ajax&format=json in your access logs.

The article saves correctly.

Actual result

You can NOT see any keep-alive POST requests to /administrator/index.php?option=com_ajax&format=json in your access logs.

You are logged out of the backend of the site.

System information (as much as possible)

Tested on 4.2, definitely happens on 4.1, and some 4.0 versions as we'll see below.

Depends on using a browser or a browser extension which silently blocks navigator.sendBeacon() requests without returning false.

Additional comments

Last week @bembelimen reported that he could not submit a fairly long pre-sales request on my site because the session timed out. However, I was already using Joomla's built-in keepalive through the WebAssetManager. This week I had more time, so I started digging.

Joomla's KeepAlive uses navigator.sendBeacon to send the keep-alive request, a change merged by @bembelimen himself a year and a half ago. Oops!

Using navigator.sendBeacon is the wrong choice, per the MDN (emphasis mine):

It's intended to be used for sending analytics data to a web server

This is not a philosophical preference — and yes, I know it's used by some JS developers to send all sorts of POST requests, even though this is definitely “off-label” (against the API's intention) use. Since navigator.sendBeacon is classified as a method intended to be used for analytics, many privacy tools kill it silently. For example, NoScript classifies beacons as "pings". Pings appear to the site's JavaScript as working, but they are actually blackholed.

To understand how insidious this is, open your own site (let's say www.example.com) in Firefox with NoScript enabled with the default config. Press F12 to open the console. Type navigator.sendBeacon('https://www.example.com/index.php', {foo: "bar"}) where www.example.com is your site. The console returns true but as you can see in your access log there was no POST made to your site.

Since the POST does not take place, the keep-alive feature does not work. The whole idea of keep-alive is periodic requests to the server to refresh the session.

I do understand that the idea behind the change was to replace the JavaScript blocking XMLHttpRequest with something non-blocking so as not to disrupt the user experience perusing the editor and I agree with that. However, the correct solution to that is to use fetch, not navigator.sendBeacon.

Benjamin, sorry. You asked me to troubleshoot this and I did. The bug is in the core Joomla code.
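
The replacement the issue argues for (fetch instead of navigator.sendBeacon), as an added example that is not code from the issue or from Joomla. The endpoint is the one named in the issue; `pingSession`, `startKeepAlive`, the interval and the failure threshold are hypothetical names and values.

```javascript
// Added example: session keep-alive over fetch, where the outcome is observable.
// KEEPALIVE_URL is the endpoint named in the issue; everything else is hypothetical.
const KEEPALIVE_URL = '/administrator/index.php?option=com_ajax&format=json';

// One keep-alive round trip. navigator.sendBeacon() only reports whether the
// request was queued; fetch() resolves with the server's response or rejects,
// so a request that never reached the server is visible to the caller.
async function pingSession(url, fetchImpl = globalThis.fetch) {
  try {
    const res = await fetchImpl(url, {
      method: 'POST',
      credentials: 'same-origin', // send the session cookie with the request
      cache: 'no-store',
    });
    // A 401/403 (session already gone) also counts as a failed ping.
    return { ok: res.ok, status: res.status };
  } catch (err) {
    // fetch rejects when the request fails at the network layer.
    return { ok: false, status: 0, error: String(err) };
  }
}

// Periodic keep-alive. Once maxFailures consecutive pings have failed,
// onFailure is called on each failed ping so the UI can warn the user
// before unsaved work is lost to a session timeout.
function startKeepAlive({ url = KEEPALIVE_URL, intervalMs, maxFailures = 2,
                          onFailure, fetchImpl }) {
  let failures = 0;
  const tick = async () => {
    const result = await pingSession(url, fetchImpl);
    failures = result.ok ? 0 : failures + 1;
    if (failures >= maxFailures && onFailure) onFailure(result);
    return result;
  };
  const timer = setInterval(tick, intervalMs);
  return { tick, stop: () => clearInterval(timer) };
}
```

The interval has to be shorter than the server-side session lifetime, and the access log should show one POST per interval while an editor page is open.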

nikosdion - open - 20 Mar 2023
joomla-cms-bot - change - 20 Mar 2023
Labels Added: No Code Attached Yet
joomla-cms-bot - labeled - 20 Mar 2023
Fedik - change - 21 Mar 2023
Labels Added: bug
Fedik - labeled - 21 Mar 2023
Fedik - change - 25 Mar 2023
Status: New → Closed
Closed_Date: 0000-00-00 00:00:00 → 2023-03-25 15:16:56
Closed_By: Fedik
Fedik - close - 25 Mar 2023
Fedik - comment - 25 Mar 2023

Please test #40195
