Hi, we've implemented a system similar to the one described in this other SO post. Basically, if the user doesn't do anything for 14 minutes, we prompt them that they will be logged out. If they click on "keep me logged in" we do an ajax request to keep their session alive, otherwise, they are redirected to the logout page after a minute.

It works pretty well, and is in line with similar systems employed at sites like mint.com and bankofamerica.com. The only problem is that our application's users tend to have multiple tabs open to refer back and forth to different pieces of data. So the problem is that they may be actively working in one tab, but then the other tab times out and logs them out. This causes an abrupt session timeout for the user when they were not expecting it. By the way, mint.com has this same issue.

So I was wondering if anyone had any ideas to combat this?

I have one idea, each request could set a "last active time" cookie. Upon auto-logout, the server could check this last active time and if it's relatively recent, avoid logging them out. The manual logout would of course ignore this cookie so if the user wants to log out he can do so at any time. However, I'm afraid that this may be exposing some sort of security risk that I'm not able to see at this point. Thoughts?

+1  A: 

Before showing the pop-up, ask the server how long ago the user made his last request.

Sjoerd
We don't currently store the last request time ... although, perhaps we could invert the problem: set that cookie for each request, and then, as you suggest, just check it before we show the timeout dialog. That way, we're not adding any code to the server per se. Interesting, do you think this could work and be secure?
Joel Martinez
If an attacker can read the cookies, he already has access to the authentication cookie and he is in the system. So this cookie does not make it less secure.
Sjoerd
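The variant discussed in these comments, as an added example (not code from the question or the answer): each tab's idle timer consults a `lastActive` cookie before it shows the prompt, and only warns if no tab has been active within the window. The cookie name, the epoch-millisecond format, the 14-minute window and the page's `showTimeoutPrompt()` are assumptions; the cookie only decides whether a tab warns, while the session itself still expires on the server's own clock.

```javascript
// Added example (not from the question or answer): before a tab shows the
// idle-timeout prompt, consult a "lastActive" cookie that the server sets
// (epoch milliseconds) on every request, as the question proposes. The
// cookie only decides whether THIS tab warns; the server still expires the
// session on its own clock. Assumed names: cookie "lastActive", 14-minute
// warning, and a page-provided showTimeoutPrompt().
const WARN_AFTER_MS = 14 * 60 * 1000;
const COOKIE_NAME = 'lastActive';

// Pull the cookie's integer value out of a document.cookie string.
// Absent or malformed values return null and are treated as "no information".
function parseLastActive(cookieString, name = COOKIE_NAME) {
  for (const part of cookieString.split(';')) {
    const [k, v] = part.trim().split('=');
    if (k === name && /^\d+$/.test(v || '')) return Number(v);
  }
  return null;
}

// What the idle timer should do when it fires in one tab:
//   { action: 'warn' }                   no tab was active within the window
//   { action: 'reschedule', delayMs: n } another tab was active; wake up when
//                                        ITS window would expire instead
function idleDecision(nowMs, lastActiveMs, warnAfterMs = WARN_AFTER_MS) {
  if (lastActiveMs === null) return { action: 'warn' };
  const elapsed = Math.max(0, nowMs - lastActiveMs); // clamp clock skew
  const remaining = warnAfterMs - elapsed;
  return remaining > 0
    ? { action: 'reschedule', delayMs: remaining }
    : { action: 'warn' };
}

// Browser glue; skipped under Node so the functions above stay testable.
// The cookie must not be HttpOnly, or document.cookie cannot see it.
if (typeof document !== 'undefined') {
  const check = () => {
    const d = idleDecision(Date.now(), parseLastActive(document.cookie));
    if (d.action === 'reschedule') setTimeout(check, d.delayMs);
    else showTimeoutPrompt(); // existing dialog, from the page (assumed)
  };
  setTimeout(check, WARN_AFTER_MS);
}
```

The "keep me logged in" Ajax request refreshes the cookie through the server's normal Set-Cookie path, so every other tab picks up the new time on its next timer check.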