views:

342

answers:

4

Is it posible to notify user that session has expired? Can browser act as server and receive such notifications?

One solution would be to generate JavaScript that does countdown on client side and notifies client in the end, but I am iterested if it is postible to do it the first way?

And what are the consequences of first approach? Are there any security concerns?

What would be posable implementation in django, for example?

A: 

You may wish to look at comet, although I think a javascript timer would be a much better solution being less likely to break, and easier to implement.

I can't think of any security implications as you are only providing an expiration notice, not actually doing any authenticating in that step.

cobbal
A: 

You're looking for some sort of comet-type thing. Probably the easiest "server-push" you can do is polling the server.

Ben Alpert
+1  A: 

You could have the JavaScript periodically poll the server for notifications (every 30 seconds, say), using XMLHTTPRequest to check a URL. If the session times out, the server could put something at that URL that indicates it, and then a notification could be popped up. This is how Stackoverflow implements the notifications that someone else has answered a question already if you're in the middle of composing an answer.

Brian Campbell
A: 

In fact in Django, there is not server-side expiration if you use filesystem or database engine => is it your client cookie session id wich expires. Otherwise, if you use cache-based session, you could set the cache expiration to a greater value than the session cookie expiration.

An then, simply declare a cookie without expiration to flag the client browser at login, and check in every page the session id : if there is no session id cookie but your "cookie flag", the session is expired. There is no need to check the server.

fredz