Best way to deal with session timeout in web apps?

Question

I am currently building an internal web application used in a factory/warehouse type location. The users will be sharing a single PC between several people, so we need to have a fairly short session timeout to stop people wandering off and leaving the application logged in where someone else can come to the PC and do something under the previous user's username.

The problem with this is a session can timeout while a user is currently entering information into a form, especially if they take a long time.

How would you deal with this in a user friendly manner?

Answer 1

The best advice would probably be to ask the users to close the browser window once they're done. With the use of session-cookies, the session will automatically end when the browser is closed or otherwise on a 30 minute timeout (can be changed afaik).

Since there by default is no interaction between the browser and the server once a page is loaded, you would have to have a javascript contact the server in the background on forms-pages to refresh the session, but it seems a bit too much trouble for such a minor problem.

Answer 2

Use AJAX to regularly stash the contents of the partially filled-out form so they have not lost their work if they get booted by the system. Heck, once you're doing that, use AJAX to keep their session from timing out if they spend the time typing.

Answer 3

Maybe that a keep-alive javascript process could be helpfull in this case. If the script capture some key triggers, it send a "I'm still typing" message to the server to keep the session alive.

Answer 4

Keep the server informed about the fact that the user is actively entering information. For instance send a message to the server if the user presses the TAB key or clicks with a mouse on a field. The final solution is up to you.

Answer 5

If the session timeout is so short that the user doesn't have the time to fill in a form, I would put an AJAX script that makes a http request to the server, every few minutes, to keep the session alive. I would do that only on pages that the user has to fill in something or has already started filling something.

Another solution would be to use a session timeout reminder script that popups a dialog to remind the user that the session is about to time out. The popup should display a "Logout" and a "Continue using application" that makes a ajax request to update the session time out.

Answer 6

have you considered breaking the form into smaller chunks?

Answer 7

As an alternative for the technical solutions, you could make your application in such a way that everytime a particular job is done, for example filling in a form, you ask the user if he wants to continue doing another job or if he's done. Yould could have a startscreen with menu options and if the user chooses an option he first has to enter his credentials.

Or put a password field on the form. Depends on how many forms they have to fill in a session.

Answer 8

When the user posts the form and their session has timed out, you should make sure you save the form values somewhere and then ask the user to login again. Once they have re-authenticated you they can then re-submit the form (as none of their data will have been lost).

Answer 9

Monitor the timeout and post a pop-up to notify the user that their current session will expire and present "OK" or "Cancel" buttons. OK to keep the session going (i.e. reset the counter to another 5 minutes or 10 minutes - whatever you need) -or- Cancel to allow the session to continue to countdown to zero and thus, ending.
That's one of lots of ways to handle it.

Answer 10

I had developed something requiring very long session. The user logged in on a page when he sit on the machine and after doing his work, logged out. Now he may use system for few minutes or for hours. To keep session alive till he logged out, I used timer with javascript, it went to server and updated an anthem label with current time on server.

Answer 11

Using a JavaScript "thread" to keep the session open is, to me, a bad idea.

It's against the idea of session timeout which exists to free some resources if there's no user in front of the application.

I think you should adjust the session timeout with the more accurate time, in order to fill the form in an "typical normal use".

You may also be proactive by :

1. having a JavaScript alert displaying a non-intrusive warning (not a popup) to the user before the timeout expire, which say that the session will expire soon (and give an link to send an ajax request to reset the timeout and remove that warning - that will avoid the user to lost the form he is currently typing),
2. and also have a second JavaScript "thread", which, if the session has expired, redirect to the login page with a message saying that the session has now expired.

It think that's the best because it avoid the user to fill a complicated form for nothing, and handle the case when the user has gone away.