I am building a web app using ASP.NET and the security requirements are very strict; at present the app locks out if a user is idle for 2 minutes. Each page has a javascript timer registered that starts on page load and redirects them to the lockout page after 2 minutes. When the lockout page is loaded on the server it marks the user as 'locked' in the database to stop them from navigating away without unlocking. The lockout page also has a timer set for 15 minutes after which time the user should be logged out completely.
Currently I make this happen by setting the js to redirect to a logout page which logs the user out when hit, and this gets triggered after 15 minutes. But there is nothing stopping a user from refreshing the lockout page and restarting the 15 minute timer indefinitely. I want the server to also be ticking down and boot them out after the specified time. The timings don't have to match exactly: within 10 seconds of each other would be fine.
So: is there a way to do this? Ideally the lockout page would set in motion a server-side process that boots the user out after the time runs out. Not sure how to implement such a thing, if it is even possible
What are you using for persistent data storage? A database?
I am writing a similar client side setup to alert the user they will be logged off once fifteen minutes has elapsed, if they do not click a button indicating they are still there. It will start with two minutes to go.
This is just a convenience my manager wants. I already have a server side check to make sure to log the user off, if they exceed the time limit. Actually, there are two checks.
My first check is the freshness of the cookie holding the user's session token. Its freshness is set for fifteen minutes after each server request by the user. If the cookie is out of date, then the user is logged out.
The other is a record of the user's last server request. If it has been longer than fifteen minutes, then the user is logged out.
If I were you, I would use the second scheme.
In my database, I would create a lockout table that among other data would have two columns indicating if the user was locked out and at what time they were locked out. After fifteen minutes has elapsed, if the user has not done the procedure to clear the lock out, then log off the user. If they explicitly do the procedure, clear the lock out record. That way, just refreshing will not clear the database column holding the lock out time. But it would allow you to check if the fifteen minutes had elapsed.
You could condense the two columns to one, if you allow the lock out activated time to be null. But I prefer to have a column that explicitly states if a lock out is in effect. You could also add the columns to an existing user database.
Related
I was wondering what the best way of implementing a timer in the frontend would be.
The idea is to notify the user after 13 minutes of inactivity (= not made a request to the backend) that he will be logged out in 2 minutes.
My first attempt was to just use a Timer which is executed every second (I am doing this with Flutter web but it shouldn't make a difference) and counts down from 15 minutes.
Then we tested this internally and noticed that the Browser somehow stops JavaScript execution if the user switches to a different tab for a long time or if the computer goes into stand by such that the timer stops.
We already have a session timeout after 15 minutes from the backend, this is just to make the user experience better.
How would this be correctly implemented?
For short, I think it's impossible for only using frontend
As you examine, the javascript code will be stop whenever switching tab or close tab, computer stands by. So that it will not be good to use a timeout or something like that.
I used an idea before but not implemented it yet because I switched to simpler idea with sessionStorage. But you could see and somehow success with it: when last request is made, created a cookie with expire time is 13 minutes. If next request is made, clear old cookie and add a new cookie with 13 minutes too. If the request will not made during 13 minutes, when cookie expire, fire a event to annouce to user. To listening cookie change, I think there are a lot solutions out there. But for me, this idea is not so good so I forgot it.
If you can use a nodejs backend, you could try to use Server Send Event - SSE. This will create one-way sending data. Therefore you can stream a chunk of data. And the frontend will listen that streaming and decide whether to annouce to user.
Here is a new requirement that I need help with. Our users request that 2 minutes before the session timeout, warn them. (i can use a global javascript to check on every page since once a page is loaded, the session reset and by default, another 20 minutes is extended). at the 18th minute, a javascript popup shows up, asking the user "You have two minutes left before being logged off. Do you want to extend the session"?
Up to here, all is fine. But then once they hit "Extend it", then what? I don't want to refresh the page because the data they've already entered will be lost. Is Ajax needed? If so, what is the programmatic way to extend the current session? (not modifying web.config just to be clear)
Also, say they are talking to someone and did not see the javascript confirmation during the 2 minute. Is there anyway to "hold" the session, till the user decides to do something?
Thanks
I was recently working on a similar problem. With ASP.Net every call back to the sever resets the session timeout period. So a Ajax call is going to be your best bet.
As for holding the session, are you actually storing anything in the Session object that needs to be maintained? Or when you say session do you mean the period that the user is authenticated for? If it is truly Session and you are not storing data then it shouldn't matter id it expires. You may want to take a look ar the below link.
Forms authentication timeout vs sessionState timeout
I'm looking for a JavaScript code to destroy the session of users which aren't active. (It's for a live chat site)
Expiry:
The website detects every 5 minutes the activity of a user and then it updates the database with the last activity timestamp. So if the user didn't wrote since 2 minutes ago, the last activity timestamp would be time()-120 (120=2minutes)
And now I will that a js code can detect if the last activity timestamp is more than 300 seconds (5 minutes in seconds) ago, to destroy the session of the inactive user.
With php it would be easy, only it would need a refresh of the page and then the user would be logged out. Is there a chance to do this with javascript without refreshing the page? If inactive -> destroy session and automatically logout, so the user can't write anymore.
Thank you.
The session is a backend concept and can not be directly controlled with frontend Javascript. Sessions refer to information that is stored on the server and linked to the frontend user in some way, usually with a session cookie.
What you can do is either remove the cookie and wait for the session to die on the server, or write a PHP script that invalidates the session immediately and call that over AJAX. Either way, you'll have to change the UI with Javascript to let the user know they've been logged out, for example by disabling the text inputs and halting the script that polls for new messages.
Please also note that terminating the session for an idle user without warning is bad UX and will annoy your users. At least give them a notice beforehand that their session will be dropped in two minutes because of inactivity so they can react to stay online.
I have a requirement where a user presses a start timer button and it begins keeping track of time. As the user moves through the website, I want the time to continue tracking, until they press the stop button.
Obviously, this cannot be achieved through client-side javascript alone, since for each page refresh time will be lost. One solution I thought was to use faye/websockets to just push the time to the browser, but for every second that lapses, that will push data to client - a strain on the server.
The only solution I can come up with is keep track of the time in javascript and then capture the page unload event send, ajax request to server with the amount of time, and let the server continue incrementing time until the next page is fully loaded. This means it will not be using push technology, just regular ajax. Is this the optimal option here or is there a better solution?
What about the case where the user kills the browser? You won't be able to capture the unload event in this case.
If you want a client side solution, try putting the start time in the localStorage where this will persist across page loads. Then when the user hits stop, you can make an ajax call to the server with the elapsed time.
I assume you need to display a timer to the user, which updates every second.
I have built a web application like that. It was a single-page application (AngularJS), so the user could navigate from 'page' to 'page' without a complete web page being loaded and the timer kept running. Would that be an option in your case?
Otherwise, you could put the start time in a cookie and every second display the difference between the current time and the start time.
A few other options, which are less preferred:
Run the web site in an iframe and keep the timer outside the iframe.
Let the timer run on the server and make a small AJAX request to the server every second (yes, I know...).
Hybrid: Let the timer run on the server and on the client and synchronize the client with the server on every page load.
Options 2 and 3 require a stateful server (with all its drawbacks).
We do an online survey so we want to calculate the time spent. using javascript and php we have discovered the time spent is not 100% accurate.
The original script is sending server requests every 5 seconds and updates the time in the database.
I made a research and discovered setTimeOut and setInterval are not accurate at all. So what's the best way to do that?
I replaced the Ping function with another one that calculates the difference between previous packet timestamp and now(); however it's not accurate at all.
Please advice if there are any other solutions to the problem described.
Why don't you listen 'onunload' event of the document and send a single message in order to know when a user is leaving your page. Consider this; When a user starts filling your server you send a message and when he/she leaves your page, you send another one and measure the time between these messages in order to sum up the total time
I imagine most implementations of setTimeout and setInterval are set to wait at least the amount of time you specify. If you want accurate readings of how long the browser is open, use javascript's date functions to calculate it on the client side, then send to the server.
If you want to send requests to the server every 5 seconds, you can send the current time (using new Date().getTime()) in the request that is sent from client to server.
Save the time the 1st request was sent in the database. This is the time the user started the survey.
When each subsequent packet arrives, subtract the time the 1st request was send to get the total time the user has spent on the survey so far. When the user clicks the button to finish the the survey you could send a final request indicating the survey is complete.
You may also want to send requests on document blur and focus events. These events track when the user leaves and comes back to your page without closing the page down.