Assume that you are building a banking application. If users are logged into your site, how do you detect their inactivity and ask them to log out if they remain inactive for a period of time? Inactive here means they have either switched to other tabs or are not touching the browser application.

I guess I can do this by registering every mouse movement or keyboard movement that users make on EVERY page of my application. But the code would be very ugly and hard to maintain. Are there other, more elegant ways of doing this?

+6  A: 

If the user is requesting new pages/data from your server on a regular basis, then adjusting the session timeout in PHP should work for this (assuming you are using PHP sessions).

If the concern is that they could be sitting on one page for a good length of time with no trips to the server (e.g. filling out a long form), and you want to distinguish between this and the user simply switching to another window, you could do something like use JavaScript to request some data using XMLHttpRequest every five minutes or so to keep the session alive. You could use the window.focus and window.onblur events in JavaScript to stop and restart this mechanism (I think there are some differences for IE, there is a good explanation here).

Tom Haigh
A: 

Usually the session lifetime is used to determine whether a user is logged in or not. So you could set a flag in the session that represents this state. And if it’s missing (either the user didn’t log in yet or the session timed out), he is considered as not logged in.

Gumbo
+1  A: 

It depends how they are "logged in" in the first place. Doesn't the session expiration on the server do this for you? If you really want to do it manually then you could use some JavaScript in a setTimeout, but that's ugly.

Andrew Bullock
+1  A: 

A very easy and effective way of doing this is by placing something like this in your HTML HEAD section:

<META HTTP-EQUIV="refresh" CONTENT="1800;URL=logout.php?timeout">

Replace the logout.php?timeout with the appropriate script. In the example above, if ?timeout is in the query string, I show them a login page with information indicating that they've been logged out due to inactivity.

Replace 1800 with the time in seconds that you wish to allow them to stay inactive before automatically logging them out. Set this to the same time that you have your session expiration set to.

Edit - Another easy mechanism to implement is to have a session variable called last_time, or last_activity, or something along those lines, and set it to a timestamp every time there is activity. In most of my stuff, I have a general include file that I do this in. In the same file, you could check to ensure that it's within the constraints that you've set forth for an active session. If it's been too long -- just do a 300 redirect to the logout page and display the appropriate inactivity message there.

Good luck!

Ian

Ian P
This would assume an active browser window is open.
Sam152
If you have your session timeout set to the same as your redirect time, then it doesn't matter if you have an active browser window.
Ian P
This is a really harsh method, if I was typing an email, and it took me longer than your timeout period, you would just trash my work !? Do this 2 times and I will not come back to the site employing this method.
Jacco
A: 

You can have a bit of JavaScript that checks the server every x minutes to see when the user's last activity was. Shouldn't be more than a few lines of code. I would also add a meta refresh if the user has JavaScript disabled.

dawnerd
A: 

Hi guys, this is the code I use. It is not mine but I did modify it to its 'perfection'.

// Add the following into your HEAD section
var timer = 0;

function set_interval()
{
    // the interval 'timer' is set as soon as the page loads
    // (the function itself is passed, not a string, so nothing is evaluated like eval)
    timer = setInterval(auto_logout, 10000);
    // the figure '10000' above indicates how many milliseconds the timer is set to.
    // E.g. to set it to 5 mins: 5 min = 5 x 60 = 300 sec = 300,000 millisec. So set it to 300000
}

function reset_interval()
{
    // resets the timer. The timer is reset on each of the events below:
    // 1. mousemove   2. mouse click   3. key press   4. scrolling
    // first step: clear the existing timer
    if (timer != 0) {
        clearInterval(timer);
        timer = 0;
        // second step: implement the timer again
        timer = setInterval(auto_logout, 10000);
        // completed the reset of the timer
    }
}

function auto_logout()
{
    // this function will redirect the user to the logout script
    window.location = "your_logout_script.php";
}

// Add the following into your BODY tag
onLoad="set_interval()" onmousemove="reset_interval()" onclick="reset_interval()" onkeypress="reset_interval()" onscroll="reset_interval()"

Good luck

Richard
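
An added example, not taken from any of the answers above: it combines the keep-alive request from Tom Haigh's answer with the event-reset timer from the last answer, but only pings after real input, so an unattended tab sends nothing and the server-side session timeout still ends the session. The timeout values and the keepalive.php URL are assumptions; logout.php?timeout is the URL used in Ian's answer.

```javascript
// Idle-state logic kept separate from the DOM so it can be tested on its own.
function createIdleMonitor({ idleMs, warnMs, pingMs, now = Date.now }) {
  let lastActivity = now();
  let lastPing = now();
  return {
    // Call from real input events only (mouse, keyboard, scroll, touch).
    activity() { lastActivity = now(); },
    // 'active' | 'warn' | 'logout', derived from time since the last real input.
    state() {
      const idle = now() - lastActivity;
      if (idle >= idleMs) return 'logout';
      if (idle >= idleMs - warnMs) return 'warn';
      return 'active';
    },
    // True at most once per pingMs, and only if the user did something since
    // the previous ping. Without input no ping is sent, so the client cannot
    // keep the server session alive on its own.
    shouldPing() {
      const t = now();
      if (t - lastPing < pingMs) return false;
      if (lastActivity <= lastPing) return false;
      lastPing = t;
      return true;
    },
  };
}

// Browser wiring (skipped outside a browser). Values below are assumptions.
if (typeof window !== 'undefined') {
  const mon = createIdleMonitor({ idleMs: 15 * 60e3, warnMs: 60e3, pingMs: 5 * 60e3 });
  for (const ev of ['mousemove', 'mousedown', 'keydown', 'scroll', 'touchstart']) {
    window.addEventListener(ev, () => mon.activity(), { passive: true });
  }
  setInterval(() => {
    const s = mon.state();
    if (s === 'logout') {
      window.location.assign('logout.php?timeout');
    } else if (s === 'warn') {
      document.title = 'Session about to expire'; // warn before work is lost
    } else if (mon.shouldPing()) {
      // keepalive.php is a hypothetical endpoint that just touches the session.
      fetch('keepalive.php', { method: 'POST', credentials: 'same-origin' });
    }
  }, 1000);
}
```

The redirect is a convenience for the user; the server still has to reject requests on an expired session, for example with the last_activity check described in Ian's answer.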