I'm writing a web application that autorefreshes data with an AJAX call at set intervals.

Because it's doing that, server side user sessions never time out, since the last activity is refreshed with every AJAX call.

Are there good client side rules I could implement to time out the user? I.e. should I track mouse movements in the browser, etc., or should I point the AJAX calls to URLs that don't refresh the session?

I like that my AJAX calls hit a session-enabled URL, because I can also validate that the user is logged in, etc.

Any thoughts in terms of whether I should even bother timing out the users?

+1  A: 

I prompt the user to verify they're still active via JavaScript after a period of inactivity. Inactivity is defined as "no mouse or key messages sent to the window". If they fail to respond to the prompt after a certain amount of time, I redirect to a sign-out page.

My jQuery UI-based implementation can be found here.

Ken Browning
I like your idea. As mentioned in the accepted answer, I'm going to likely blend your approach with kevingessner's.
Braintapper
A: 

I've done this by maintaining a "last action" timestamp in the browser and sending this back to the server with the heartbeat. On the server I then check for a timeout based on the difference between this value and the current time, calling the logout routines if the user has been idle too long. If the session is timed out then the heartbeat result will trigger the browser to reload the page which, as the session is now logged out on the server, will clear any user-specific information.

The two main problems I had to solve with this approach were differing interpretations of timezones in the server and client date function implementations and keeping track of the most recent action if the user had several tabs open in the same browser sending different "last action" timestamps back to the server.

Colonel Sponsz
+1  A: 

One technique I've used: increase the interval between AJAX calls every time a call is made. So you make your first AJAX call after 10 seconds, then you wait 11 seconds, then 13, then 16, 20, 25, etc... (or some similar pattern). Every time there's page activity (found by registering some JS event), you reset the interval back to your starting value (e.g. 10 seconds).

This technique will cause users who don't touch the browser for a while to time out eventually, when the AJAX interval becomes longer than the timeout period. As an added bonus, you'll reduce your server loads -- if a user leaves the browser window open for a long time, they'll make fewer and fewer requests before timing out.

kevingessner
I like this strategy. I think I'm going to implement this as a hybrid between your method and Ken Browning's. I like his idea of popping up a "hey, whatchu doin'" type of dialog. Thanks!
Braintapper
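
The growing-interval heartbeat described in this answer, as an added example that is not code from any of the posters: it schedules the 10, 11, 13, 16, 20, 25 second pattern, resets on activity, and computes how long an untouched page keeps the session alive for a given server timeout. The class and function names, the `/heartbeat` URL and the choice of `mousemove`/`keydown` as activity events are assumptions.

```javascript
// Added example; names and the /heartbeat URL are hypothetical.
const START_SECONDS = 10;

// Delay before the n-th heartbeat since the last user activity.
// Gaps grow by 1, 2, 3, ... seconds: 10, 11, 13, 16, 20, 25, ...
function heartbeatDelay(n, start = START_SECONDS) {
  return start + (n * (n + 1)) / 2;
}

// For a user who never touches the page: count the heartbeats that still
// arrive within the server timeout, and when the session finally lapses.
function idleExpiry(sessionTimeoutSeconds, start = START_SECONDS) {
  let n = 0;
  let elapsed = 0;
  while (heartbeatDelay(n, start) <= sessionTimeoutSeconds) {
    elapsed += heartbeatDelay(n, start);
    n += 1;
  }
  return { heartbeatsSent: n, expiresAt: elapsed + sessionTimeoutSeconds };
}

class BackoffHeartbeat {
  constructor(send, opts = {}) {
    this.send = send;
    this.start = opts.start ?? START_SECONDS;
    // Timers are injectable for testing; wrapped so the browser's `this` check passes.
    this.setTimer = opts.setTimer ?? ((fn, ms) => setTimeout(fn, ms));
    this.clearTimer = opts.clearTimer ?? ((id) => clearTimeout(id));
    this.n = 0;
    this.timer = null;
  }
  schedule() {
    this.clearTimer(this.timer);
    const ms = heartbeatDelay(this.n, this.start) * 1000;
    this.timer = this.setTimer(() => { this.send(); this.n += 1; this.schedule(); }, ms);
  }
  // Call from activity events. Only reschedules when the interval has grown,
  // so continuous mouse movement cannot starve the heartbeat.
  onActivity() {
    if (this.n === 0 && this.timer !== null) return;
    this.n = 0;
    this.schedule();
  }
}

if (typeof window !== "undefined") { // browser wiring; skipped outside a browser
  const hb = new BackoffHeartbeat(() => fetch("/heartbeat", { credentials: "same-origin" }));
  ["mousemove", "keydown"].forEach((e) => window.addEventListener(e, () => hb.onActivity()));
  hb.schedule();
}
```

With this exact pattern and a 30-minute server timeout, `idleExpiry(1800)` reports 60 heartbeats and a session that lapses about 10.7 hours after the last activity, so the growth rate has to be chosen against the server's timeout.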