views: 189

answers: 4
How do websites generally log users out and send them to the login screen automatically when a user's session expires? Is this done through AJAX or running async handlers? Can you give me a bit of an explanation?

+3  A: 

Banks and such use a client-side timeout via JavaScript, or something similar. Really, though, the server handles the actual session, so if you disabled the client-side logic it would act as if you were attempting to make transactions while logged out.

Stefan Kendall
A: 

If you are using Tomcat you can use its built-in <security-constraint> mechanism within your web.xml definition. All of the timing, login screen, and page redirects are handled by Tomcat with little effort on your part other than definitions.

Oh, IIS... never mind.

dacracot
+1  A: 

Typically, you set an expiration timestamp on your session ID cookie. When the cookie fails to be sent, the client is logged off (no given session ID).

This method is often combined with JavaScript and another timestamp token. When the timers start running down, a notification is sent that allows the user to "refresh" their session... essentially, making a request before the session timestamp expires.

The "refresh" request could be anything, even something as simple as an image load.

Pestilence
A: 

Use a cookie as well as a session.

  • Cookie must be set when a session is started.
  • If the cookie is present but the session is gone, redirect to the login screen.
  • If there is no session and no cookie, do nothing.

(Pardon me if you can't do that, because I have never used ASP and am basing my answer on my PHP knowledge.)

Nick Brooks
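
The sliding "refresh" described in Pestilence's answer and the cookie/session rules in Nick Brooks's answer, combined into one server-side check. This is an added example, not code from any of the answers; the 15-minute timeout, the `SessionStore` class and the `action` values are assumptions chosen for illustration. The server's own expiry record decides the outcome, so a client that disables its timer script still gets sent to the login screen.

```javascript
const crypto = require("crypto");

const IDLE_TIMEOUT_MS = 15 * 60 * 1000; // assumed 15-minute idle timeout

class SessionStore {
  constructor(now = () => Date.now()) {
    this.now = now;            // injectable clock so expiry can be tested
    this.sessions = new Map(); // session id -> { user, expiresAt }
  }

  // Login: create the server-side record and return the cookie value.
  create(user) {
    const id = crypto.randomBytes(32).toString("hex"); // unguessable id
    this.sessions.set(id, { user, expiresAt: this.now() + IDLE_TIMEOUT_MS });
    return id;
  }

  // Run on every request, including the client's "refresh" ping.
  check(cookieId) {
    if (!cookieId) return { action: "anonymous" }; // no cookie: do nothing
    const s = this.sessions.get(cookieId);
    if (!s || s.expiresAt <= this.now()) {
      // Cookie present but session gone or expired: destroy server state,
      // tell the caller to clear the cookie and redirect to login.
      this.sessions.delete(cookieId);
      return { action: "redirect_login", clearCookie: true };
    }
    s.expiresAt = this.now() + IDLE_TIMEOUT_MS; // sliding expiration
    return { action: "ok", user: s.user, expiresAt: s.expiresAt };
  }
}

// Constructed walk-through with a fake clock (not real traffic).
function demo() {
  let t = 0;
  const store = new SessionStore(() => t);
  const id = store.create("alice");
  const out = [];
  t = 10 * 60 * 1000; out.push(store.check(id).action); // refresh at 10 min
  t = 24 * 60 * 1000; out.push(store.check(id).action); // 14 min idle, still valid
  t = 40 * 60 * 1000; out.push(store.check(id).action); // 16 min idle, expired
  out.push(store.check(undefined).action);              // request with no cookie
  return out;
}
console.log(demo());
```

In a real handler, `redirect_login` would map to an HTTP redirect for page requests and a 401 for AJAX calls so client script can navigate to the login page itself.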