I am working in a .Net chat application, in my chat room page session is getting expired repeatedly for small time period. I used
sessionState timeout="540" and httpRuntime executionTimeout="999999" maxRequestLength="200000000" requestValidationmode="2.0"
in web.config file. but it is working. My page required continuous update because it is a chat page. but after some time it gets timed out and we need to re lode the page to get new messages. a interval is running in this page. any Idea is appreciable.
It makes no sense. When you still send requests to the server within the limited timeout, the session won't expire. For example, if you set the session timeout 5 minutes, then you request to the server each 1 minutes, the page won't expire because the client is still interacting with the server.
Are you using full or absolute url in any of your request? Change it to relative uri. e.g. ../home.aspx
Related
I'm trying to understand how most online websites authenticate and then store your session. What I'm particularly trying to understand is when I log into a website it starts off by redirecting me to the login page and then validates my username/password, then navigates back to where I started but with my information displayed. If I were to navigate away from that webpage and then come back to it sometime later I'm still logged in. I feel like this is what a cookie could be used for but I'm looking to see if anyone could provide me with a good explanation as to how this works?
A cookie is a bit of data stored by the browser and sent to the server with every request for instance a subscription status on a website.
A session is a collection of data stored on the server and associated with a given user (usually via a cookie containing an id code)
Session values are reset after the connection is closed. Cookies values are normally saved.
Session values are usually reset after a period of time has passed without a connection from the client with which the session is associated. Cookie values are saved until their expiry time (or the browser is closed if one isn't set). Expire immediately overrides are available for both
I'm developing a webapp, purely on JS and Rest WS. Deployed on Weblogic.
Using FORM Auth for Login and Session Invalidate for Logout.
For session timeout I've two logics
1) web.xml session timeout configuration
2) JS timer, that checks for click or keypress event else calls Logout servlet with param as sessiontimeout
Now the problem is, Say the user is Active at client side by accessing JS files but hasn't made any REST WS calls, I cannot show any notification to USER as the SESSION is timed out. This is because of Logic 1, that does not allow me to configure any way to specify which page to redirect or pass any request parameters.
Logic 2 works fine, the moment the client is inactive for 30 mins it calls Logout?sessionTimeout=true servlet with request params from Client, which solves my problem. BUT this happens very rare like 10 in 100 cases and 90 times its Logic 1.
The only solution I can think of is remove web.xml session config and just have JS session timer check and invalidate if TRUE. BUT is this a correct approach/design ?
Experts please share your thoughts.
You want to maintain most of the timeout logic on the server (where it's less-likely to be modified/hacked) and create a service which can be called from the client that periodically asks the server if the session it has, is still valid.
A best practice would be to generate a token for the user at the start of the session and pass that with the first response; potentially saving it in a cookie. The token's identity and expiration time is maintained by the server.
The client would check, say every 30 seconds if the session is expired by reading the token id from the cookie and passing it to the server in an AJAX call. The server then responds if that token is valid or not. When the client receives a not-valid response from the server it then navigates the user to a login page.
On the server side, if you get a request for a page and the cookie passed includes a token that is either not recognized OR expired, then just redirect the user to the login page.
Another advantage of maintaining the majority of the timeout logic on the server is that if a client is browsing with javascript turned off -- your session timeout logic still works perfectly.
I'm looking for a JavaScript code to destroy the session of users which aren't active. (It's for a live chat site)
Expiry:
The website detects every 5 minutes the activity of a user and then it updates the database with the last activity timestamp. So if the user didn't wrote since 2 minutes ago, the last activity timestamp would be time()-120 (120=2minutes)
And now I will that a js code can detect if the last activity timestamp is more than 300 seconds (5 minutes in seconds) ago, to destroy the session of the inactive user.
With php it would be easy, only it would need a refresh of the page and then the user would be logged out. Is there a chance to do this with javascript without refreshing the page? If inactive -> destroy session and automatically logout, so the user can't write anymore.
Thank you.
The session is a backend concept and can not be directly controlled with frontend Javascript. Sessions refer to information that is stored on the server and linked to the frontend user in some way, usually with a session cookie.
What you can do is either remove the cookie and wait for the session to die on the server, or write a PHP script that invalidates the session immediately and call that over AJAX. Either way, you'll have to change the UI with Javascript to let the user know they've been logged out, for example by disabling the text inputs and halting the script that polls for new messages.
Please also note that terminating the session for an idle user without warning is bad UX and will annoy your users. At least give them a notice beforehand that their session will be dropped in two minutes because of inactivity so they can react to stay online.
Assuming I have users on a page of my site.
I update this page on my server but users will not notice the difference until reloading the page.
How can a JavaScript function detect the difference and start reloading the page ?
A solution could be using a timer which reloads the page every second but this causes a lot of traffic?
The function you are asking is to have a server which can push information to the browser like Comet.
Else, you can also create an Ajax request which will test the current version of the page displayed in the browser and verify if it wasn't updated on the server side.
Once it detect that the server have a new version of the page, your script can tell it to the user (it is bad practice to reload without the user consent).
To avoid excessive call to the server, you should ensure that your Ajax request is only launch periodically (2 min ? 5 min ? More ?), and that no other request are currently running.
If there is a timeout set on one of our pages, and that same page is opened in another window/tab, is there a way to destroy/stop the timeout in the other window? We have employees who will use our system but open it again from their favorites. If they do this the already opened window will run the interval and then timeout. So while they are working in the new window they opened they will not be able to finish what they are doing because the other window timed them out.
Are there solutions to do this if a new window is opened?
In any sane web application, it is safe to have multiple windows open – especially in respect to session timeouts, because "session" state is managed by the server, not the client.
First, consider why web servers manage session state. HTTP was designed as a stateless protocol, which means any given request cannot conclusively identify who issued the request. This is fine for serving static resources, but is obviously not useful if we want to develop a more interactive app; Netscape later added cookies to their browser to address this.
Cookies solve the state problem (since the browser will issue consequent requests with the cookie[s]), but they are inherently insecure: a malicious client could modify a site's cookies. If, for example, upon login we set a cookie called uid to the user's ID, it would be trivial for someone to fake a cookie with uid=1, which might be your site's administrator account. Oops.
This is why web application frameworks invented the "session" construct. Each time a request is made with no cookie, the server creates a new (random) session key and sets the client's session cookie to that key. The web server keeps track of sessions and all state associated with each session. Important here is that the key itself contains no data, is large and random enough (has relatively high entropy), and is useless outside of your server. It is thus not possible to know how to change the key to gain access to other sessions.
Think of sessions as a large array – one item for each session, and a map of variables in that item. Conceptually, it might look something like this: (remember that this data resides on the server!)
session['safa4fwsa34rff4j9'] = { uid: 1, ... }
session['ajiokinmoi3235000'] = { uid: 4312, ... }
session['9lij34fff032e40k0'] = { uid: 9098, ... }
If I was signed in as user 1, my browser would send a cookie with sid=safa4fwsa34rff4j9. The server looks up this session, and passes the saved state ({uid:1}) on to your scripts. When your scripts are done, the server saves any changes back into its data store. (Session data is often kept in-memory, but in large sites, session data can be saved in a database.)
So what does all of this have to do with timeouts? This session data cannot be kept indefinitely because you'd eventually run out of storage space (whether that means running out of RAM or filling up the database your sessions are stored in).
Instead, the server also stores an expiration date & time with each session. Each time the session is accessed (by a client sending a request with the session's key), the expiration date is reset. The expiration date can be set anywhere from a seconds from now to years from now (depending on what server you're using). You configure how long you want your server to hang on to sessions; IIS defaults to 10 minutes, PHP to ~24 minutes.
In this model, the only thing that really matters is the last time a client issued any request, thus resetting his session's expiration/timeout. It wouldn't matter if multiple windows are open, because as long as one of them have accessed a page recently, all windows will still be active. If the session expires, then all windows are automatically expired when they make their next request.
Something that might muddy this issue is if you're doing some kind of AJAX polling, but the question doesn't indicate what technologies are being used. (#OP, it would be helpful if you included tags for your server stack.)
To summarize all of this: If you're doing any kind session management/expiration on the client, you're doing it wrong. Your app is likely insecure.