Change ASP.NET session timeout programmatically - javascript

Here is a new requirement that I need help with. Our users request that 2 minutes before the session timeout, warn them. (i can use a global javascript to check on every page since once a page is loaded, the session reset and by default, another 20 minutes is extended). at the 18th minute, a javascript popup shows up, asking the user "You have two minutes left before being logged off. Do you want to extend the session"?
Up to here, all is fine. But then once they hit "Extend it", then what? I don't want to refresh the page because the data they've already entered will be lost. Is Ajax needed? If so, what is the programmatic way to extend the current session? (not modifying web.config just to be clear)
Also, say they are talking to someone and did not see the javascript confirmation during the 2 minute. Is there anyway to "hold" the session, till the user decides to do something?
Thanks

I was recently working on a similar problem. With ASP.Net every call back to the sever resets the session timeout period. So a Ajax call is going to be your best bet.
As for holding the session, are you actually storing anything in the Session object that needs to be maintained? Or when you say session do you mean the period that the user is authenticated for? If it is truly Session and you are not storing data then it shouldn't matter id it expires. You may want to take a look ar the below link.
Forms authentication timeout vs sessionState timeout

Related

Implement a timer for user logout after timeout in the frontend

I was wondering what the best way of implementing a timer in the frontend would be.
The idea is to notify the user after 13 minutes of inactivity (= not made a request to the backend) that he will be logged out in 2 minutes.
My first attempt was to just use a Timer which is executed every second (I am doing this with Flutter web but it shouldn't make a difference) and counts down from 15 minutes.
Then we tested this internally and noticed that the Browser somehow stops JavaScript execution if the user switches to a different tab for a long time or if the computer goes into stand by such that the timer stops.
We already have a session timeout after 15 minutes from the backend, this is just to make the user experience better.
How would this be correctly implemented?
For short, I think it's impossible for only using frontend
As you examine, the javascript code will be stop whenever switching tab or close tab, computer stands by. So that it will not be good to use a timeout or something like that.
I used an idea before but not implemented it yet because I switched to simpler idea with sessionStorage. But you could see and somehow success with it: when last request is made, created a cookie with expire time is 13 minutes. If next request is made, clear old cookie and add a new cookie with 13 minutes too. If the request will not made during 13 minutes, when cookie expire, fire a event to annouce to user. To listening cookie change, I think there are a lot solutions out there. But for me, this idea is not so good so I forgot it.
If you can use a nodejs backend, you could try to use Server Send Event - SSE. This will create one-way sending data. Therefore you can stream a chunk of data. And the frontend will listen that streaming and decide whether to annouce to user.

Store data for session with an expiration date

I am building a mobile application in Angular (Ionic 5 to be precise) and I need a way to keep session data during my users workflow.
I considered using the sessionStorage for that, but one important thing is that my user session should expire automatically after 5 minutes. So I would like to store data and reset those data if the user finish the workflow or reset them if the user didn't finished the workflow within 5 minutes.
What is the best way to do this?
Store the expiry time along with the data in sessionStorage and when reading the key, check the time to make sure it is still valid for usage.
See this article for reference.
I can't include a Stack Snippet here because it fails on security privileges (editing the localStorage etc.), so here's the link to try this on GitHub.
You can use the user reaction events(click, keypress, ...etc) to refresh your session and made any control you want ! something like (click)="refreshSession()". All your controls will be made inside the refreshSession()

save to localstorage using setinterval

I'm developing a quiz with stopwatch, to calculate how much time user spent answering the quiz. But it's hackable by the user if the user refresh the browser.
Hmm what should I do? should I save the the counter to localstorage every seconds? and resume?
No, local storage is entirely under the control of the user as well.
You'll need to track the information server-side: Have the server record when user X started task Y, and have the server record when they completed it. Nothing you can do client-side will be resistant to an even modest attempt at bypassing.
Even the server approach can be susceptible to bypassing by bad actors (for instance, I sign up for multiple accounts, get all my answers together, and then sign up "for real" and take the quiz in record time). You'll always be in an arms race (IP checking, etc.), but at least you'll have some small chance by using something somewhat outside the user's control.

session_destroy() with JavaScript

I'm looking for a JavaScript code to destroy the session of users which aren't active. (It's for a live chat site)
Expiry:
The website detects every 5 minutes the activity of a user and then it updates the database with the last activity timestamp. So if the user didn't wrote since 2 minutes ago, the last activity timestamp would be time()-120 (120=2minutes)
And now I will that a js code can detect if the last activity timestamp is more than 300 seconds (5 minutes in seconds) ago, to destroy the session of the inactive user.
With php it would be easy, only it would need a refresh of the page and then the user would be logged out. Is there a chance to do this with javascript without refreshing the page? If inactive -> destroy session and automatically logout, so the user can't write anymore.
Thank you.
The session is a backend concept and can not be directly controlled with frontend Javascript. Sessions refer to information that is stored on the server and linked to the frontend user in some way, usually with a session cookie.
What you can do is either remove the cookie and wait for the session to die on the server, or write a PHP script that invalidates the session immediately and call that over AJAX. Either way, you'll have to change the UI with Javascript to let the user know they've been logged out, for example by disabling the text inputs and halting the script that polls for new messages.
Please also note that terminating the session for an idle user without warning is bad UX and will annoy your users. At least give them a notice beforehand that their session will be dropped in two minutes because of inactivity so they can react to stay online.

MVC sessions with auto-refreshing site

I am looking into session issues I have, but before I post my other questions I need to clarify something.
When a website is designed with JavaScript code that keeps refreshing the site (say every 5 seconds), I would expect that to be the same as a user clicking on links that reload fresh copies of the page, and further I would expect that to keep the site in session until the end of time.
However the session (ie, my session variables) does time out (I think at the 20 min default, but I'm not sure yet).
What's the expected behavior when a page auto-refreshes? Timeout or no timeout ?
Thank you,
Simon
I suppose you have forms authentications that stores cookies that are get expired in 20 minuts, page refresh doesn't extends the exipration. Look Here for possible options, sliding expiration may help.

Categories