One of the problems I have come accross having complext tasks on the browser is with automatic timeouts. Currently our site has a sliding expiration of 30 minutes. Normally this isn't a problem because we use asp.net and most of the time the users update one or two fields and then submit the form. This obviously keeps the session active. I have struggled with how to handle this with significantly more complex forms/user interaction where there are few if no round trips to the server. Now users can view reports, type emails etc. on our site, and I am struggling with how to keep their session active while they're actually using browser but they are not actively posting information back. I would dispense with the sliding expiration, but it's a requirement, so I am stuck with it. Most of our users are outside of the organization, so I can't use any form of SSO. Does anyone have an elegant solution (I'll even go for an ugly one if it works), or am I out of luck?
We recently went through this in my organization. Although it is not the best solution, and hitting the right session across multiple browser windows is rough, we put a countdown timer on our page, included a button that just went back and hit the server to restart the session, and also provided the user with a JavaScript popup (the user's favorite part of the solution) with a message saying that the session was, say, five minutes from timing out and to hit the "OK" button to restart. Then the button would hit the server to restart the session, restart the timer on the base page, close the popup and the base page didn't need to be refreshed at all.
Have the browser ping the server via Ajax periodically to keep the session alive. Most sites do something useful in this ping, like save a draft of the user's submission.
Ah, the age old problem of not wanting to increase the session time because of higher memory usage.
One answer is to also set a cookie that expires after more like a day that will tell the system to still remember the user. That's what eBay does, among others.
erickson is on the the right track.
On the areas of the site that are prone to session-timeout due to "complex forms/user interaction where there are few if no round trips to the server", you can place a keepalive control to keep pinging the server, thus keeping the session alive.
Here is a sample control that you can use, or use as a basis for coding your own.