Why does payload not contain user object?

I have an auto-save utility hook on a form that requires authentication. My code was written to just assume a user object would always exist ($$BF_User) but now I’m finding that isn’t always the case and I don’t understand why. Do you know how this could happen?

The server was:

Request time (PST): 11/2/2020 8:10:50 AM

My assumption was the user either logged out on another tab, or their session timed out, but the browser tab remained open. I tried testing this theory by opening two tabs and logging out on one, but the other tab could continue sending utility hooks, even 15 hours after the logout. This was also unexpected!

Are you sure they are authenticated?
It’s sounding like they hit the page without being authenticated.

Authentication is required on that page, so if they freshly “hit” it, they would be redirected to a login page.

I suspected they weren’t properly authenticated, yet how is that possible? My theory was they logged out on another tab, but that doesn’t seem to be the case. Maybe they left the tab open for days, weeks, months, then returned and it was still able to call a utility hook? What’s the session timeout period?

@delfs any more feedback here?

I’ve left the same browser tab open since I posted this issue and it’s still able to submit utility hooks to save the record when I change a field. However, the payload still contains the user object, so I’m still unable to reproduce the request from my logs.

What is the session timeout period?