NetTalk Central

Author Topic: Countdown To Session Timeout Despite Page Refreshes  (Read 3379 times)

Rob Mikkelsen

Countdown To Session Timeout Despite Page Refreshes
« on: February 11, 2009, 10:00:08 AM »
This is kind of backward from all the other posts that I have read regarding the inactivity timers...

I have an app that refreshes a page every 60 seconds to update the status that is passed to the server.  I have been advised by the government security folks that the site must log the user off after a period of inactivity.  Therefore, I need to ignore the page refreshes on the main page, but reset the inactivity timer if any other page is selected.

Is there a simple way to do this?  I will start poring through the code to find the solution, but I expect that the now-knowledgeable brain trust will beat me to an answer.

Thanks!

Rob

Poul

Re: Countdown To Session Timeout Despite Page Refreshes
« Reply #1 on: February 13, 2009, 04:16:10 AM »
Quote
Is there a simple way to do this?
 

Set a longer session timeout on your server's settings->advanced tab (I have used as high as 24hrs) - and it's the best way to ensure it behaves the way most expect (hope).

Or, if you cannot or do not want to tie up server resources, it's not necessarily simple (but this has other uses):

Firstly, you still have the issue of AJAX vs standard page requests (this will not work cleanly if a column sort has been clicked, for example).

All my pages will redirect to a loginform if not a valid session ...normal NetTalk.

But I track a cookie for each user/login (could simply be the sessionid) that allows me to compare it to the last sessionid that a user used; if they match I can 'trust' that the user is likely a repeat.

So I can apply my own test for a reasonable timeout, and validate the session etc. If the user uses a true logout request, I can clear this value so they must truly authenticate. If the same Userid is used on another machine then the feature would only work for the browser whose cookie matches the server (last valid login).

Now for some screens - context may be important and you cannot switch session ids without taking all the values and sessionvalues; in this case your server must persist them, presumably in a data file, otherwise there is no big advantage over a longer session timeout value.

Rob Mikkelsen

Re: Countdown To Session Timeout Despite Page Refreshes
« Reply #2 on: February 13, 2009, 06:21:17 PM »
Poul,

Very interesting, but I found a simpler way that does just what I need.

In WebHandler/Touchsession, I check the variable self.pagename to see if it is a page that does not qualify as a "touched" page.  If so, I return Level:Benign from the procedure and wait for the next page; otherwise, I continue through the parent call which resets the time.

Since I have two of these auto-refresh pages, I may have to check the referring page to see if this is a link between the two pages which indicates activity, or if it is an automatic refresh which could happen unattended.

Thanks for the info - lots to think about!

Rob
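
The approach from Reply #2, modelled outside NetTalk as an added example (not code from either poster and not NetTalk's API): requests for auto-refresh pages are served without resetting the idle timer unless the referring page differs, and expiry is still enforced on every request. The page names, the timeout value and the `SessionStore` class are assumptions made for illustration.

```python
import time

IDLE_TIMEOUT = 15 * 60                      # assumed policy value, in seconds
AUTO_REFRESH_PAGES = {"status", "monitor"}  # hypothetical auto-refresh page names


class SessionStore:
    """Tracks the time of the last user-driven request per session."""

    def __init__(self, timeout=IDLE_TIMEOUT, clock=time.monotonic):
        self.timeout = timeout
        self.clock = clock
        self.last_activity = {}  # session id -> time of last counted request

    def login(self, sid):
        self.last_activity[sid] = self.clock()

    def expired(self, sid):
        last = self.last_activity.get(sid)
        return last is None or self.clock() - last >= self.timeout

    def is_user_activity(self, page, referer_page):
        """Decide whether this request should reset the idle timer."""
        if page not in AUTO_REFRESH_PAGES:
            return True
        # A timed refresh reloads the same page, so the referring page is the
        # page itself (or absent). Arriving from a different page means a link
        # was followed, which counts as activity. The Referer header is
        # client-supplied, so this is a heuristic, not an authentication check.
        return referer_page is not None and referer_page != page

    def handle_request(self, sid, page, referer_page=None):
        """Return True if the page is served, False if login is required."""
        if self.expired(sid):
            # Enforced on refresh requests too, so an unattended browser
            # is logged off even though it keeps polling.
            self.last_activity.pop(sid, None)
            return False
        if self.is_user_activity(page, referer_page):
            self.last_activity[sid] = self.clock()  # the "touch"
        return True
```
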