Forums Bug Reports Thread

Dashboard "Manage" link sends browser to /account/sessions, which returns raw JSON instead of an HTML page

Patrick Bass · Jun 6 · 15 · 1 Locked
[Major] [High Priority] [Bug Fixed] [Always Reproduces]
Oldest Newest Top
Patrick Bass 🚀 OP Jun 6, 2026 5:11pm

Area: Account & identity (audit phase 1) · Surface: GET /account/sessions (AccountController@activeSessions) · Dimension: dead-code · Severity: major

The dashboard layout renders an "Active Sessions ... Manage" link to /account/sessions. Clicking it navigates the browser to a route whose handler (activeSessions) emits raw JSON ({"sessions":[...]}) via $this->json(), not an HTML page. There is no JS/fetch caller of this route anywhere in the codebase, so the only consumer is this anchor click, which dumps JSON to the user. The real session-management UI (terminate one / terminate all) lives in profile/settings.php (rendered at /account/settings by showSettings), which loads its own $sessions list. The Manage link should point at /account/settings (or the route should render an HTML page).

Evidence

Route maps GET to a JSON handler:

platform/src/routes.php:1264
    $router->get('/account/sessions', 'AccountController@activeSessions');

Handler returns JSON, never renders a page:

platform/src/Controllers/AccountController.php:1216-1228
    public function activeSessions(): void
    {
        $user = $this->requireAuth();
        $sessions = $this->db->fetchAll('SELECT id, ip_address, user_agent, last_active FROM sessions WHERE user_id = :uid ORDER BY last_active DESC', ['uid' => $user['id']]);
        $this->json(['sessions' => $sessions]);
    }

A user-facing link points a browser directly at this route:

platform/templates/layouts/dashboard.php:415
    <td><?= $e($activeSessions ?? 0) ?> &mdash; <a href="/account/sessions" class="link">Manage</a></td>

No JS/fetch consumer exists for the JSON payload (proves the JSON form is not consumed programmatically):
$ grep -rn "account/sessions" platform/public/ platform/assets/ 2>/dev/null  -> (zero hits)
$ grep -rn "account/sessions" platform/templates/ | grep -iE 'fetch|xhr|\.json|ajax|api'  -> (zero hits)

Suggested fix. Point the dashboard "Manage" link at /account/settings#sessionsCard (the canonical session UI in profile/settings.php), or change the GET /account/sessions route to render an HTML page. If a JSON endpoint is still wanted, move it under /api/.

Filed by the automated tenant-app audit (phase 1) and adversarially evidence-verified. Status: verified. Open — not yet actioned.

Patrick Bass
@mobieus

Patrick Bass 🚀 Jun 7, 2026 4:59am

Resolved — fixed and deployed. Commit faa14fc59739, shipped dev-first then to all tenants on 2026-06-06.

Converted AccountController@activeSessions (GET /account/sessions) from a JSON response to rendering the existing account/sessions HTML template, since the dashboard 'Manage' link navigates here as a page. Added expires_at to the SELECT and passed currentSessionId (session_id()), breadcrumbs, and pageTitle, matching what the template expects.

Status: fixed. Thread closed and locked.

Patrick Bass
@mobieus

Related Discussions

[Enhancement] Account: Orphaned template templates/account/sessions.php — zero render references; superseded by the sessions card in profile/settings.php
Feature Requests · 1 replies · 19 views
Sessions page: show login locations instead of raw session data
Feature Requests · 1 replies · 22 views
Navbar 'Know' link and all wiki breadcrumbs hardcode /know/index, which 404s if the index page is deleted or its seed fails
Bug Reports · 1 replies · 22 views
[New] Messaging & chat: Direct messages poll a full HTML page every 5s instead of streaming like chat rooms do
Feature Requests · 1 replies · 21 views
Active Sessions current-row highlight uses hardcoded rgba(44,124,255,...) instead of a semantic token
Bug Reports · 1 replies · 17 views

Log in or register to reply to this thread.