
Is it safe to keep session alive using ajax request?

I recently implemented a small snippet of JavaScript in my Master page that does an AJAX request every 30 seconds to keep the session alive. I know there are several questions regarding keep-alive, but I haven't really been able to find answers to these specific questions.

My questions are:

  1. Is it safe to do this? As in, will this have any adverse effects if there are many concurrent users/connections?

  2. Can I implement an extended timeout using this method or will I have to use cookies?

  3. I don't know much about cookies, but are these relatively acceptable to use now? Or will there be users who don't allow them - will they be able to use my site?

Thanks everybody!

Goose asked Mar 01 '12 23:03


1 Answer

  1. Yes it's safe. As far as load, that's up to your hardware and how you write it, but it has no worse effect than users refreshing the page (arguably less considering the overhead of an AJAX call over a standard page load).
  2. You can adjust the timeout in the web.config if that's what you're asking...
  3. That's a personal call on you. Cookies have their purpose, and I find them acceptable as long as it's your domain, but do realize some people disable them and so it comes down to having a fall-back.

Some things to keep in mind though:

  1. Banks use the same methodology to keep your session going while you're checking your finances, but usually offer a popup just before to ask if you'd like to continue.
  2. Keeping a user forcefully logged in for longer than a normal duration can be a security risk (picture someone logging in at a library or school computer and leaving their desk -- should that session continue on into the next day [or longer]?)
Brad Christie answered Jan 14 '23 12:01
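
The two caveats in the answer above (prompt before the session lapses, and do not keep an abandoned session alive indefinitely) can be built into the 30-second timer itself. The following is an added example, not code from the question or the answer; the thresholds, the function names, and the `/keepalive` and `/logout` URLs are assumptions.

```javascript
// Added example: decides what each 30-second timer tick should do.
// Thresholds, names and the /keepalive and /logout URLs are assumptions.
function createKeepAlive({ idleLimitMs, warnBeforeMs, absoluteLimitMs, now = Date.now }) {
  const startedAt = now();      // login time, used for the absolute cap
  let lastActivity = startedAt; // last real user input
  let lastPing = startedAt;     // last time the session was renewed

  return {
    // Call from genuine input events only, never from the timer itself.
    recordActivity() { lastActivity = now(); },

    // Returns 'expire', 'warn', 'ping' or 'idle'.
    tick() {
      const t = now();
      const idle = t - lastActivity;
      if (t - startedAt >= absoluteLimitMs || idle >= idleLimitMs) return 'expire';
      if (idle >= idleLimitMs - warnBeforeMs) return 'warn';
      if (lastActivity > lastPing) { lastPing = t; return 'ping'; }
      return 'idle'; // nobody at the keyboard: let the server timeout run
    },
  };
}

// Browser wiring (skipped when run outside a browser).
if (typeof window !== 'undefined') {
  const ka = createKeepAlive({
    idleLimitMs: 15 * 60e3, warnBeforeMs: 2 * 60e3, absoluteLimitMs: 8 * 3600e3,
  });
  ['keydown', 'mousedown', 'touchstart'].forEach((ev) =>
    window.addEventListener(ev, () => ka.recordActivity(), { passive: true }));
  setInterval(() => {
    const action = ka.tick();
    if (action === 'ping') fetch('/keepalive', { method: 'POST', credentials: 'same-origin' });
    if (action === 'warn' && window.confirm('Stay signed in?')) ka.recordActivity();
    if (action === 'expire') window.location.assign('/logout');
  }, 30e3);
}
```

The absolute cap only holds if the server enforces the same limit, since a client can simply not run this script.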