Gentlemen,

I am in the midst of working on a project that is session-based. I was thinking that similar to a bank, I'd create a check and offer users the ability to thwart a session time-out.

I was thinking about creating a setInterval that would check a blank page that requires auth. If the timer is getting close to end-times, it'd throw up a dialogue advising the user that session is near end. A 'stay logged in' button would reset the timer, and they'd also be presented with an option to log off. If the set interval gets a '401' from the checker page, the current page would be refreshed to the login screen.

Does this make sense? Would the setInterval bog down the browser?

As an aside: what is the easiest way to clearInterval based on user interaction? Would I need to check for every keypress, and/or mouse event? Or is there a broader way of checking if the user is interacting with the page (like a focus check or something)?

Thanks.


So, I had some problems with the framework I'm using. The session handling is not very good; there seemed to be a problem with updating the session timeout, so it always timed out based on the time since login, as opposed to since last activity. Anyway, got that handled. The issue I'm wondering about now is that by checking to see if the session is still authenticated via setInterval, the session will be updated by the check, therefore the session will never time out. Or am I missing something?


I decided to handle it just with JavaScript: I set the timeout to never in the framework config, and am handling timeouts with setTimeout exclusively.

var timerID;              // id of the pending logout timer, shared by the handlers below
var SESSION_MS = 30000;   // idle time before forced logout (30 s here, for testing)

function alerter(msg){
    // warn user session about to expire; give opportunity to save
}
function killSess(){
    window.location = '/logout';
}
function sessTimer(time){
    // pass the function itself, not a string, so nothing gets eval'd
    timerID = window.setTimeout(killSess, time);
}
function resetTimer(){
    // any interaction restarts the idle clock
    clearTimeout(timerID);
    sessTimer(SESSION_MS);
}
function observe(div){
    // Prototype.js Event.observe: one handler on a container catches bubbled events
    Event.observe(div, 'click', resetTimer);
    Event.observe('bodyDiv', 'keydown', resetTimer);
}
+1  A: 

Does this make sense? Would the setInterval bog down the browser?

This should work fine. So long as the interval is fairly large (a few seconds to a minute) and does not increase the size of a global data structure with each iteration, I don't anticipate it bogging down the browser.

As an aside: what is the easiest way to clearInterval based on user interaction? Would I need to check for every keypress, and/or mouse event? Or is there a broader way of checking if the user is interacting with the page (like a focus check or something)?

Maybe adding a few event handlers to a top-level page element such as a container div might be helpful.

jkndrkn
Hey thanks... I guess something that I didn't consider is that if I do a `get` to some auth page on an interval, each of those GETs will reset the session timer, eh?
stormdrain
That's correct. My use of setInterval() was simply to implement keep-alive on a system that fought my every attempt to increase the session timeout. Maybe you could use setInterval() to call a script that increments a counter value stored in the session and clears the session when that counter value maxes out? Also, something to be aware of: some browsers will cache a page requested repeatedly via setInterval(). Make sure to test for and work around this. One way is to add a dummy query string to the URL of the page you are requesting and increment a value in that query string each time.
jkndrkn
I decided that it'd be easier to just set the timeout to never, and handle the session death via javascript exclusively. It is a local system, so not too worried about the possible security implications, and this just seemed much easier. Thanks for all your help.
stormdrain
+1  A: 

It makes perfect sense, and setInterval wouldn't bog down the browser, as long as you make sure not to register it once more when it's already registered.

You only want to run clearInterval on the click of one specific button ("no, don't poll the browser", or "log out"), so I don't quite see the problem in your last paragraph...?

Other than that, I'll just add that upon a 401, you shouldn't refresh to the login screen. Just notify the user that the session seems to have been lost, so that the user can decide on his own to save anything he might be working with, or perhaps to log in again in a new tab.

Henrik Adolfsson
I guess what I meant by the last paragraph was that I want to reset the timer, not clear it... This way if a user interacts with the page, it will start the polling to the auth check page from 0. But I didn't consider the fact that if I'm checking an authenticated page in the script, the session will stay alive by virtue of checking the page to see if the session is still alive. It's like recursion, but backwards.
stormdrain
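The client side of what both answers describe, as an added example (not code from the thread): idle time measured from user events on one top-level element, a single polling interval that cannot be registered twice, a cache-busting query string on every probe as suggested in the first answer's comments, and a 401 that notifies the user instead of redirecting. The URLs, timings, option names and callbacks are assumptions for the example; the server is assumed to treat the checker URL as a probe rather than as activity.

```javascript
// Added example, not the thread's code. Client-side session watchdog: idle clock driven by
// user events on a container element, one polling interval, cache-busted probes, and a
// 401 that notifies instead of redirecting. URLs, timings and callback names are assumptions.

function probeUrl(base, seq) {
  // Unique query string per request so a cached copy of the checker page is never served.
  return base + (base.includes('?') ? '&' : '?') + '_=' + seq;
}

class SessionWatchdog {
  constructor(opts) {
    this.checkUrl = opts.checkUrl;           // authenticated URL that answers 200 or 401
    this.warnAfterMs = opts.warnAfterMs;     // idle time before the "about to expire" dialogue
    this.logoutAfterMs = opts.logoutAfterMs; // idle time before the client forces logout
    this.onWarn = opts.onWarn;               // (msLeft) => show dialogue with "stay logged in"
    this.onLogout = opts.onLogout;           // () => e.g. window.location = '/logout'
    this.onLost = opts.onLost;               // () => "session lost: save work, log in in a new tab"
    this.fetchFn = opts.fetchFn || ((u, o) => fetch(u, o));
    this.now = opts.now || (() => Date.now());
    // Wrapped so fakes can be injected; calling window.setInterval with a foreign `this`
    // throws in browsers.
    this.timers = opts.timers || {
      setInterval: (f, ms) => setInterval(f, ms),
      clearInterval: (id) => clearInterval(id),
    };
    this.lastActivity = this.now();
    this.warned = false;
    this.seq = 0;
    this.intervalId = null;
  }

  // Any interaction restarts the idle clock and re-arms the warning.
  activity() {
    this.lastActivity = this.now();
    this.warned = false;
  }

  // A handful of listeners on a top-level element; bubbling covers everything inside it.
  // Returns a function that removes them again.
  attach(element, events = ['click', 'keydown', 'mousemove', 'scroll', 'touchstart']) {
    const onEvent = () => this.activity();
    for (const name of events) element.addEventListener(name, onEvent, { passive: true });
    return () => { for (const name of events) element.removeEventListener(name, onEvent); };
  }

  // One poll of the checker URL. The server must treat this as a probe, not as activity,
  // or polling keeps the session alive indefinitely.
  async probe() {
    this.seq += 1;
    let res;
    try {
      res = await this.fetchFn(probeUrl(this.checkUrl, this.seq),
                               { credentials: 'same-origin', cache: 'no-store' });
    } catch (e) {
      return 'network-error';   // transient: keep the page, try again on the next tick
    }
    if (res.status === 401) {
      this.stop();
      this.onLost();            // no redirect: the user may have unsaved work
      return 'lost';
    }
    return 'alive';
  }

  // Runs every interval: local idle decision first, then the server probe.
  async tick() {
    const idle = this.now() - this.lastActivity;
    if (idle >= this.logoutAfterMs) {
      this.stop();
      this.onLogout();
      return 'logout';
    }
    if (idle >= this.warnAfterMs && !this.warned) {
      this.warned = true;
      this.onWarn(this.logoutAfterMs - idle);
    }
    return this.probe();
  }

  // Idempotent: calling start() twice never registers a second interval.
  start(intervalMs) {
    if (this.intervalId !== null) return false;
    this.intervalId = this.timers.setInterval(() => { this.tick(); }, intervalMs);
    return true;
  }

  stop() {
    if (this.intervalId === null) return false;
    this.timers.clearInterval(this.intervalId);
    this.intervalId = null;
    return true;
  }
}
```

In a page this is wired up as `const w = new SessionWatchdog({...}); w.attach(document.body); w.start(60000);`, with the dialogue's "stay logged in" button calling `w.activity()` and then making a real request to an endpoint the server counts as activity, and its "log off" button calling `w.stop()` before navigating to the logout URL. A 401 from the probe only stops polling and calls `onLost`, which is where the notification goes.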