session_destroy() with JavaScript - javascript

I'm looking for a JavaScript code to destroy the session of users which aren't active. (It's for a live chat site)
Expiry:
The website detects every 5 minutes the activity of a user and then it updates the database with the last activity timestamp. So if the user didn't wrote since 2 minutes ago, the last activity timestamp would be time()-120 (120=2minutes)
And now I will that a js code can detect if the last activity timestamp is more than 300 seconds (5 minutes in seconds) ago, to destroy the session of the inactive user.
With php it would be easy, only it would need a refresh of the page and then the user would be logged out. Is there a chance to do this with javascript without refreshing the page? If inactive -> destroy session and automatically logout, so the user can't write anymore.
Thank you.

The session is a backend concept and can not be directly controlled with frontend Javascript. Sessions refer to information that is stored on the server and linked to the frontend user in some way, usually with a session cookie.
What you can do is either remove the cookie and wait for the session to die on the server, or write a PHP script that invalidates the session immediately and call that over AJAX. Either way, you'll have to change the UI with Javascript to let the user know they've been logged out, for example by disabling the text inputs and halting the script that polls for new messages.
Please also note that terminating the session for an idle user without warning is bad UX and will annoy your users. At least give them a notice beforehand that their session will be dropped in two minutes because of inactivity so they can react to stay online.

Related

Web page authentication and sessions

I'm trying to understand how most online websites authenticate and then store your session. What I'm particularly trying to understand is when I log into a website it starts off by redirecting me to the login page and then validates my username/password, then navigates back to where I started but with my information displayed. If I were to navigate away from that webpage and then come back to it sometime later I'm still logged in. I feel like this is what a cookie could be used for but I'm looking to see if anyone could provide me with a good explanation as to how this works?
A cookie is a bit of data stored by the browser and sent to the server with every request for instance a subscription status on a website.
A session is a collection of data stored on the server and associated with a given user (usually via a cookie containing an id code)
Session values are reset after the connection is closed. Cookies values are normally saved.
Session values are usually reset after a period of time has passed without a connection from the client with which the session is associated. Cookie values are saved until their expiry time (or the browser is closed if one isn't set). Expire immediately overrides are available for both

Change ASP.NET session timeout programmatically

Here is a new requirement that I need help with. Our users request that 2 minutes before the session timeout, warn them. (i can use a global javascript to check on every page since once a page is loaded, the session reset and by default, another 20 minutes is extended). at the 18th minute, a javascript popup shows up, asking the user "You have two minutes left before being logged off. Do you want to extend the session"?
Up to here, all is fine. But then once they hit "Extend it", then what? I don't want to refresh the page because the data they've already entered will be lost. Is Ajax needed? If so, what is the programmatic way to extend the current session? (not modifying web.config just to be clear)
Also, say they are talking to someone and did not see the javascript confirmation during the 2 minute. Is there anyway to "hold" the session, till the user decides to do something?
Thanks
I was recently working on a similar problem. With ASP.Net every call back to the sever resets the session timeout period. So a Ajax call is going to be your best bet.
As for holding the session, are you actually storing anything in the Session object that needs to be maintained? Or when you say session do you mean the period that the user is authenticated for? If it is truly Session and you are not storing data then it shouldn't matter id it expires. You may want to take a look ar the below link.
Forms authentication timeout vs sessionState timeout

why Aspx pages session gets expired repetedly for a .net application?

I am working in a .Net chat application, in my chat room page session is getting expired repeatedly for small time period. I used
sessionState timeout="540" and httpRuntime executionTimeout="999999" maxRequestLength="200000000" requestValidationmode="2.0"
in web.config file. but it is working. My page required continuous update because it is a chat page. but after some time it gets timed out and we need to re lode the page to get new messages. a interval is running in this page. any Idea is appreciable.
It makes no sense. When you still send requests to the server within the limited timeout, the session won't expire. For example, if you set the session timeout 5 minutes, then you request to the server each 1 minutes, the page won't expire because the client is still interacting with the server.
Are you using full or absolute url in any of your request? Change it to relative uri. e.g. ../home.aspx

MVC sessions with auto-refreshing site

I am looking into session issues I have, but before I post my other questions I need to clarify something.
When a website is designed with JavaScript code that keeps refreshing the site (say every 5 seconds), I would expect that to be the same as a user clicking on links that reload fresh copies of the page, and further I would expect that to keep the site in session until the end of time.
However the session (ie, my session variables) does time out (I think at the 20 min default, but I'm not sure yet).
What's the expected behavior when a page auto-refreshes? Timeout or no timeout ?
Thank you,
Simon
I suppose you have forms authentications that stores cookies that are get expired in 20 minuts, page refresh doesn't extends the exipration. Look Here for possible options, sliding expiration may help.

ASP.NET log user out from server

I am building a web app using ASP.NET and the security requirements are very strict; at present the app locks out if a user is idle for 2 minutes. Each page has a javascript timer registered that starts on page load and redirects them to the lockout page after 2 minutes. When the lockout page is loaded on the server it marks the user as 'locked' in the database to stop them from navigating away without unlocking. The lockout page also has a timer set for 15 minutes after which time the user should be logged out completely.
Currently I make this happen by setting the js to redirect to a logout page which logs the user out when hit, and this gets triggered after 15 minutes. But there is nothing stopping a user from refreshing the lockout page and restarting the 15 minute timer indefinitely. I want the server to also be ticking down and boot them out after the specified time. The timings don't have to match exactly: within 10 seconds of each other would be fine.
So: is there a way to do this? Ideally the lockout page would set in motion a server-side process that boots the user out after the time runs out. Not sure how to implement such a thing, if it is even possible
What are you using for persistent data storage? A database?
I am writing a similar client side setup to alert the user they will be logged off once fifteen minutes has elapsed, if they do not click a button indicating they are still there. It will start with two minutes to go.
This is just a convenience my manager wants. I already have a server side check to make sure to log the user off, if they exceed the time limit. Actually, there are two checks.
My first check is the freshness of the cookie holding the user's session token. Its freshness is set for fifteen minutes after each server request by the user. If the cookie is out of date, then the user is logged out.
The other is a record of the user's last server request. If it has been longer than fifteen minutes, then the user is logged out.
If I were you, I would use the second scheme.
In my database, I would create a lockout table that among other data would have two columns indicating if the user was locked out and at what time they were locked out. After fifteen minutes has elapsed, if the user has not done the procedure to clear the lock out, then log off the user. If they explicitly do the procedure, clear the lock out record. That way, just refreshing will not clear the database column holding the lock out time. But it would allow you to check if the fifteen minutes had elapsed.
You could condense the two columns to one, if you allow the lock out activated time to be null. But I prefer to have a column that explicitly states if a lock out is in effect. You could also add the columns to an existing user database.

Categories