In current versions (prior to v3.4.0), every time you load a form in the control panel, a random security token string is generated and stored in the session. That same security token is put into the form via a hidden field. When the form is submitted, we check the value of the security token from the hidden field against the security token saved in your session. If they don't match, we don't permit the action to occur. A mismatch can happen if you did not actually request the form that you are submitting. This precaution protects against a security risk known as CSRF (cross-site request forgery), where an attacker uses a script or link to try to trick you into performing an action.

Whenever this token mismatch occurs, you'll see a Security Token Mismatch error in the control panel:
[Image: example1.png]

While this can happen in the event of a CSRF attempt, it will unfortunately also happen when your session expires.

When you see the above error, your data is gone. For example, if you type a lot of information on a product record and get a phone call while doing so, and return later to finish the record, your session might time out and you would lose that information. Your session could also time out if your web server is rebooted in between the time you request the form and the time you submit it.
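The token check described at the top of this post, as an added example that is not the product's own code. It is written in Python, with a plain dict standing in for the server-side session; the function names, the `csrf_token` key and the three result strings are assumptions made for illustration. It shows why an expired session fails the same check as a forged request: the session no longer holds a token to compare against.

```python
import hmac
import secrets
from html import escape

TOKEN_KEY = "csrf_token"  # hypothetical session key / hidden field name


def render_form(session: dict, action: str) -> str:
    """Generate a random token, save it in the session, embed it in the form."""
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    session[TOKEN_KEY] = token
    return (
        f'<form method="post" action="{escape(action, quote=True)}">'
        f'<input type="hidden" name="{TOKEN_KEY}" value="{token}">'
        "</form>"
    )


def check_submission(session: dict, post: dict) -> str:
    """Return 'ok', 'session_expired' or 'mismatch'; only 'ok' permits the action."""
    expected = session.get(TOKEN_KEY)
    if expected is None:
        # Session timed out or the server restarted: nothing to compare with.
        return "session_expired"
    submitted = post.get(TOKEN_KEY)
    if not isinstance(submitted, str):
        return "mismatch"  # hidden field missing or malformed
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(expected.encode(), submitted.encode()):
        return "mismatch"
    return "ok"


if __name__ == "__main__":
    session = {}
    render_form(session, "/admin/product/save")  # constructed sample path
    good = {TOKEN_KEY: session[TOKEN_KEY], "name": "Widget"}
    print(check_submission(session, good))                    # genuine submit
    print(check_submission(session, {TOKEN_KEY: "guessed"}))  # forged request
    print(check_submission({}, good))                         # session expired
```

Both failure results refuse the action; separating them only lets the interface say that the session expired instead of showing a generic mismatch error.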

We've added better functionality to handle this in version 3.4.0. Instead of the above error, you'll see this:
[Image: example2.png]

After logging in, the operation you were attempting will complete as it normally would. This includes uploading images, filling out forms, etc.

The one exception to this is when performing record actions while viewing a table, which are handled via the fields in the lower left corner of the control panel. We can't preserve record actions during a session timeout, because too much important info is in the session regarding exactly what info you are viewing in that table when you selected the records. However, the error message that occurs in this case is much more user-friendly and at least tells you what is going on. You will still see the above "Your session has timed out." login box. Upon successful login, you'll see this to explain what happened:
[Image: example3.png]