Hi, I have to implement auto-logout functionality in one of my projects and I just can't figure out where to start looking for ideas but SO.

What I need is for the application to redirect the user to the login page if the user session has expired. Please tell me what my approach should be to tackle this requirement.

Problem Statement: If the user leaves the system for more than n minutes in any given log-in instance, the system should automatically log them off.

A: 

Read the MSDN documentation at http://msdn.microsoft.com/en-us/library/ms972429.aspx

Sandy
I know what session state is; I just want to redirect the user to the login page when it expires!
renegadeMind
You didn't read the entire page, huh! Read the section 'Sample session state application' in the above link. Modify the 'CheckSession' method, and instead of line 'span1.InnerHtml = "NOTHING, SESSION DATA LOST!"' - add code for redirection to your page.
Sandy
A: 

Since you don't know where to start, you may find this 4guys article useful: http://www.4guysfromrolla.com/webtech/110701-1.shtml

Edit

Sounds like the jQuery timer may be useful if you want to redirect to a url after a known period of time has elapsed (i.e. your session expiry period).

Hope this helps.

Paul Suart
I know Authentication works; how's that gonna help me? Please understand that the user will not be interacting with the site and the app will still redirect it to the login page when the session expires! It's gonna be a client side thing!
renegadeMind
Perhaps consider re-writing your question to make it clearer to people who are willing to spend time helping you.
Paul Suart
Well, I thought the word auto-logout was self-explanatory; guess it isn't!
renegadeMind
No, not at all :) You have requirements beyond that.
JoshJordan
+4  A: 
Zhaph - Ben Duguid
This is my Prob Statement: If the user leaves the system for more than n minutes in any given log-in instance, the system should automatically log them off. I am sorry if the question asked was not framed correctly.
renegadeMind
If you're using forms authentication, set the timeout attribute to "n" minutes, and their auth token will expire after "n" minutes of inactivity - either a browser window left open, or them wandering off to another site for that time.
Zhaph - Ben Duguid
I've added some detail to include the timeout setting, as well as talking about the possibility of modifying the cache headers for the pages.
Zhaph - Ben Duguid
What I want to do is redirect them to the login page automatically when the session expires on the server side. So it's gonna be a combo of the server side and the client side code.
renegadeMind
Are you sure? That's generally a dangerous practice. Unless your application is very dynamic, users usually get comfortable perceiving your pages as static. Thus, they feel that their work or the information they are viewing is "safe" independent of their authentication status, and it can be very jarring to have the application throw that away with a timed redirect.
JoshJordan
Depending on the nature of the application it can be useful. If it has an intricate form that the user fills in only to discover when they submit it that they are logged out this can be frustrating. I have used the meta refresh tag set to redirect to a page after session expiry that tells the user that they have been logged out. However with the advent of tabbed browsers you need to consider that they might have another active window open for your site in another tab so maybe some sort of ajax call back would be required first.
Martin Smith
But with the ajax call back you would need to ensure that it wasn't the call backs themselves keeping the session alive.
Martin Smith
@Martin: With an intricate form, I'd recommend either a "wizard" style approach (multiple, smaller forms), or a heartbeat to keep the session alive - as you say, **nothing** will frustrate your users more than spending 20+ minutes filling out a form, and then being told that the site couldn't save it because they've been logged out.
Zhaph - Ben Duguid
+3  A: 

This has been achieved in the following way:

1) Save the time-stamp of every request (server and ajax, excluding the session check ajax request) to the server into a session var.

2) Poll the server via a JS function using ajax at frequent intervals and check if the time diff between the session time-stamp and the ajax request time is greater than the session timeout val then log-off the current user and return a bool for that ajax request.

3) Redirect the current page to the login page if the bool returned is true.

renegadeMind
You should mark this as the answer then to save people spending time on it
Martin Smith
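The three steps above, combined with the caveat raised in the comments that the poll itself must not keep the session alive, as an added example that is not code from the thread. It is a framework-free JavaScript model of the server-side logic; `IdleSessions`, `touch`, `check`, `nextLocation`, the session id and the 20-minute timeout are all hypothetical.

```javascript
// Added example: framework-free model of the server-side idle check.
// IdleSessions, touch, check and the session id are hypothetical names.
class IdleSessions {
  constructor(timeoutMs, now = () => Date.now()) {
    this.timeoutMs = timeoutMs;
    this.now = now;                 // injectable clock, so the logic is testable
    this.lastActivity = new Map();  // session id -> time of last real request
  }
  login(sid) { this.lastActivity.set(sid, this.now()); }
  abandon(sid) { this.lastActivity.delete(sid); }
  isExpired(sid) {
    const last = this.lastActivity.get(sid);
    return last === undefined || this.now() - last > this.timeoutMs;
  }
  // Step 1: call on every page or ajax request EXCEPT the session-check poll.
  // An expired session is abandoned, never revived by a late request.
  touch(sid) {
    if (this.isExpired(sid)) { this.abandon(sid); return false; }
    this.lastActivity.set(sid, this.now());
    return true;
  }
  // Step 2: the poll handler reads the timestamp but never writes it.
  check(sid) {
    const expired = this.isExpired(sid);
    if (expired) this.abandon(sid);  // log the user off server-side
    return { expired };
  }
}
// Step 3 (client): where to send the browser after a poll response.
function nextLocation(pollResult, loginUrl) {
  return pollResult.expired ? loginUrl : null;
}
// Idle user, 20-minute timeout, poll every 5 minutes. Returns the minute at
// which the poll reports expiry, or null if it never does within an hour.
function minutesUntilLogout(pollTouchesSession) {
  let nowMs = 0;
  const sessions = new IdleSessions(20 * 60000, () => nowMs);
  sessions.login("sid-constructed");
  for (let minute = 5; minute <= 60; minute += 5) {
    nowMs = minute * 60000;
    if (pollTouchesSession) sessions.touch("sid-constructed"); // the mistake
    if (sessions.check("sid-constructed").expired) return minute;
  }
  return null;
}
```

`minutesUntilLogout(false)` reports expiry at the 25-minute poll, while `minutesUntilLogout(true)` never logs the idle user out, because each poll resets the timestamp.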
+1  A: 

You can and should do this entirely with javascript, which will work even if the client is disconnected from the server.

This is well-described here.

ftrotter
The approach is still incomplete as the user session is still active when redirected to the login page. Hence would have to abandon the user session when the user is redirected to the login page to make it robust.
renegadeMind