
Implement auto log-out + warning in asp.net + jquery?

Many sites (a bank website, for example) implement log-out + a 1-minute warning before the session is about to expire (20 minutes).

(This topic is not discussed much - the only question I've seen is about using ASP.NET membership, which I don't use.)

Each user will have a session["lastActionTime"].

This session will be updated to the current time when:

  • A page is loaded
  • An Ajax request has executed (due to user action)

Now, when a page loads, I set the session value (let's say 19:00).

Also, for every Ajax request (my site doesn't create postbacks - only Ajax via jQuery), I use an ASHX handler with IRequiresSessionState which updates the session to the current time.

I use something like this:

jQuery(document).ajaxStart(function(){
    gotoHandlerAndUpdateSessionTime();
});

Now, the part for the warning message 1 minute before ("your session is about to expire"):

On every Ajax return event or page load event, I activate in JavaScript a setInterval with [sessionTime-1] minutes (20-1=19), and of course cancel all previous setIntervals...

Now, when the event (setInterval) occurs, it is 1 minute before expiration time (19 min).

I display a warning div, and the user can choose to exit or stay.

Question:

1) What if the user didn't press anything on the warning div? How (1 minute after displaying the div) will I log him out? Should I open a setTimeout of 1 minute when displaying the div and then (if nothing is pressed) log him out?

2) Is it the right way of doing it?

3) Shouldn't there be cookies in this whole weird story? :-)

(Please - no membership or Forms authentication.) I'm tagging this question also as PHP since I know it is relevant to PHP programmers as well and I would like to hear from their knowledge.

Royi Namir asked Oct 02 '12 18:10


2 Answers

Royi, to answer both of your questions, I would say YES. I've built these several times (usually with Forms Auth), but basically you have a timer that counts down to show the first warning, and then another timer that counts down and gives the user X seconds to answer. I usually put the X second count down on the warning message so they can see how much time they have left. If they don't answer in the allotted time, a call gets made to Logout.ashx (or whatever) that destroys the session and then the javascript can redirect them back to the login page. I hope that helps.

Regarding your third question, as long as you're tracking the session you shouldn't really need cookies. Just do a session_destroy() in PHP or Session.Abandon() in C# when the javascript timer counts down.

Here's some code I'm using on one of my sites (might not be the cleanest, but you get the idea):

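var timeoutPolled = 0;           // number of polls since the timer was last reset
var timeoutSeconds = 10;         // idle time before the warning; overwritten by InitializePollTimer
var countDownCounter = 61;       // seconds left on the warning dialog (decremented before display)
var timeoutBetweenPolls = 5000;  // milliseconds between polls
var stopCountDown = false;       // set when the user chooses to continue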

function InitializePollTimer(timeoutMinutes) {
    timeoutSeconds = timeoutMinutes * 60;

    StartPollTimer();
}

function StartPollTimer() {
    setTimeout(PollForTimeout, timeoutBetweenPolls);
}

function PollForTimeout() {
    timeoutPolled++;

    if ((timeoutPolled * timeoutBetweenPolls) > 1 * (timeoutSeconds * 1000)) {
        $("#timeoutDialog").dialog({
            autoOpen: false,
            bgiframe: true,
            resizable: false,
            height: 250,
            draggable: false,
            modal: true,
            zIndex: 99999999,
            position: 'top',   
            open: function(event, ui) { $(".ui-dialog-titlebar-close").hide(); },       
            buttons: {
                "Continue using Website?": function() {
                    StopCountDown();

                    $.ajax({
                        type: "GET",
                        url: "RefreshSession.aspx",
                        cache: false
                    });

                    $(this).dialog("close");

                    timeoutPolled = 0;
                    StartPollTimer();
                },
                "Logout": function() {
                    Logout();
                }
            }
        });

        $("#timeoutDialog").dialog("open");

        countDownCounter = 61;

        CountDown();
    }
    else {
        StartPollTimer();
    }
}

function CountDown() {
    if (stopCountDown) {
        stopCountDown = false;
    }
    else {
        countDownCounter--;
        $("#countdownTimer").html(countDownCounter);

        if (countDownCounter > 0) {
            setTimeout(CountDown, 950);
        }
        else {
            Logout();
        }
    }
}

function StopCountDown() {
    stopCountDown = true;
}

function Logout() {
    window.location.href = 'Logout.aspx';
}
Adam Plocher answered Oct 19 '22 22:10


It's possible I'm not going to tell you anything you don't already know but here's my two cents anyway -

On the user not pressing the warning button, there are two areas: (1) the information currently being displayed on the screen and (2) additional requests for more information being blocked. For the first, a JavaScript timer should forward to a LoggedOut page if not canceled by the positive result of clicking on the warning dialog, and for the second, server-side logic should definitely be checking the current request for being in the context of a logged-in user.

As for cookies, it sounds like you're using one already if you haven't altered the default settings for session state - I think it's called .ASPNET but I could be wrong; you can check with a proxy tool.

Aaron Anodide answered Oct 20 '22 00:10
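A clock-based version of the warning-then-logout logic discussed in the answers above, as an added example that is not code from the original posts. The names `sessionPhase` and `createIdleWatcher` and the callback parameters are hypothetical, and it assumes the server applies the same timeout comparison to `lastActionTime` on every request, so the browser side only drives the dialog and the redirect.

```javascript
// Added example; all names here are hypothetical, not from the posts above.

// Classify a session from its last-activity timestamp (all values in ms).
// The same comparison belongs on the server for every request.
function sessionPhase(lastActionMs, nowMs, timeoutMs, warnMs) {
  const remainingMs = lastActionMs + timeoutMs - nowMs;
  if (remainingMs <= 0) return { phase: 'expired', remainingMs: 0 };
  if (remainingMs <= warnMs) return { phase: 'warning', remainingMs };
  return { phase: 'active', remainingMs };
}

// Client-side watcher. The deadline is recomputed from the clock on every
// tick, so a throttled background tab or a laptop waking from sleep cannot
// stretch the session the way a decrementing counter can.
function createIdleWatcher(opts) {
  const { timeoutMs, warnMs, now, onWarn, onActive, onExpire } = opts;
  let lastActionMs = now();
  let shown = 'active';
  return {
    // Call after a page load or a user-initiated Ajax request has succeeded.
    touch() { lastActionMs = now(); },
    // Call from a short repeating timer, e.g. once per second.
    tick() {
      if (shown === 'expired') return shown; // expiry is final on the client
      const s = sessionPhase(lastActionMs, now(), timeoutMs, warnMs);
      if (s.phase === 'warning') {
        onWarn(Math.ceil(s.remainingMs / 1000)); // seconds left, for the dialog
      } else if (s.phase === 'active' && shown === 'warning') {
        onActive(); // user chose to stay: hide the dialog
      } else if (s.phase === 'expired') {
        onExpire(); // e.g. navigate to the logout page
      }
      shown = s.phase;
      return shown;
    }
  };
}
```

In a browser, `now` would be `Date.now`, `tick` would run from `setInterval`, and `touch` would be called only after the session-refresh request has succeeded.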