SAK-13987 for implementation of a feature that warns people when they are getting near to the inactivity timeout. It may be that this features is effectively disabled, for reasons noted in comments for SAK-13987. However if you manage to get it working, e.g. by doing the patch to change
url: "/direct/session/" + sessionId + ".json?auto=true"
url: "/direct/session/" + sessionId + ".json?auto=true&_=" + (new Date()).getTime();
you'll run into another problem: unless JSESSIONID is the first cookie, you'll get an invalid session ID. The problem is that this results in a continuous redirect loop, thus effectively disabling Sakai for that user. This was noted in another comment in
SAK-13987. However the comment didn't make it clear quite how serious the impact of the problem is.
A solution that works for us is to change
var sessionId = document.cookie.replace(/^[^=]=/, '').replace(/\..$/, '');
var sessionId = document.cookie.replace(/^.JSESSIONID=/, '').replace(/\..$/, '');
However this assumes that the session ID is carried in a cookie called JSESSIONID. There was some concern in a comment that this might not work in other app servers. A reasonable approach would be to add a configuration setting like sessionid.cookiename, which defaults to JESSIONID.
I'm unclear how serious a problem this is, since it appears that without the fix to the URL, this feature is probably effectively disabled. However if that isn't the case, we need to warn sites that enabling this feature has a high probability of creating disaster for at least some of their users.