Your Session Has Timed Out

I like an IFRAME with a page (say HeartBeat.aspx) that serves itself as an empty page with a meta refresh… as long as the user is on any page, they keep chatting with the webserver to keep the session alive. Makes 5 minute cookies a reality.

http://www.codeproject.com/KB/session/Session_Defibrillator.aspx

Isn’t this a simpler way to keep session alive? Use SetInterval, then include the EnableSession attribute on your web service method?

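// Client side: call KeepAlive every 300000 ms (5 minutes)
window.setInterval(KeepAlive, 300000);

// Server side: web service method with session state enabled
[WebMethod(EnableSession = true)]
public void KeepAlive()
{
    return;
}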

What if cookies are turned off? I never had a solution for Gmail with IE. Accidentally I turned off my cookies, and now I am never able to log in on Gmail through IE. BTW, I don’t like that browser always :) Mozilla is perfect for us.

In fact there is a fairly simple solution to the problem of preserving context after session expiration. Dan on May 10, 2008 10:27 PM has something nice, but there is a simpler approach that resides entirely on the server and therefore doesn’t require XMLHttpRequest or indeed any JavaScript at all.

In short, it involves never changing the URL, even if you need to display or process a login form, and always adding to the login form any post your page has received, using hidden fields.

A well crafted, general-purpose include module (or equivalent technology) can handle this for all (form processing or plain GET) pages in your web application, so you don’t have to implement this solution on each of them individually. The same goes for the processing of the login form: every page should potentially be able to process it (the authentication logic should go into an include that every page can use if a post is detected and it contains the login and password fields).

The only elements of your form that will need special attention are file upload fields but there are solutions for these, too.

I have been using this for years, and it works perfectly. After the user is authenticated, whatever he was trying to do is performed.
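The replay-through-login approach described in the comment above, as an added Ruby example that is not the commenter's code: the login form re-emits the interrupted POST as hidden fields, HTML-escaped, and leaves out credential fields. The function names and the `login`/`password` field names are assumptions; file upload fields are not handled.

```ruby
require 'erb'

# Assumed names of the login inputs; never echoed back into the page.
CREDENTIAL_FIELDS = %w[login password].freeze

def h(text)
  ERB::Util.html_escape(text)
end

# Flatten nested params into [name, value] pairs in bracket notation,
# e.g. {"tags" => ["a", "b"]} gives ["tags[]", "a"] and ["tags[]", "b"].
def flatten_params(params, prefix = nil)
  params.flat_map do |key, value|
    name = prefix ? "#{prefix}[#{key}]" : key.to_s
    case value
    when Hash  then flatten_params(value, name)
    when Array then value.map { |v| ["#{name}[]", v.to_s] }
    else [[name, value.to_s]]
    end
  end
end

# Login form for an expired session: posts back to the same URL and carries
# the interrupted POST as hidden fields. Every name and value is HTML-escaped,
# because this is user input being written back into markup.
def login_form_with_replay(action_url, posted)
  hidden = flatten_params(posted)
           .reject { |name, _| CREDENTIAL_FIELDS.include?(name) }
           .map { |n, v| %(<input type="hidden" name="#{h(n)}" value="#{h(v)}">) }
  <<~HTML
    <form method="post" action="#{h(action_url)}">
    #{hidden.join("\n")}
    <input name="login"> <input type="password" name="password">
    <button>Log in</button>
    </form>
  HTML
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: the POST that arrived after the session had expired.
  posted = { 'title' => 'Q3 "draft"', 'body' => '<b>hi</b> & bye',
             'tags' => %w[a b], 'password' => 'stale-guess' }
  puts login_form_with_replay('/posts/new', posted)
end
```

The replayed request should still go through the application's normal CSRF and authorization checks once the login succeeds.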

@jason:

For Firefox: ReloadEvery.

https://addons.mozilla.org/en-US/firefox/addon/115


A common practice to prevent sessions from being stolen is to bind them to a certain IP address. If someone steals such a session id (such as by copy-pasting a URL which has the session id as a parameter), the session still will not be recognized as yours since the IP addresses differ.

It isn’t totally safe, but safe enough to take the effort to implement (it’s only an additional WHERE clause for the session-retrieval-sql, guys).

I know which applications have session timeouts. So I just quit them and start a new one after a while. They don’t tell me that the session has timed out before I start doing something again. There could at least be a heartbeat that shuts the application so I know that it logged me out.

Some applications that I use over the intranet log me off too. Then they hide the relog button behind a few clicks, which is irritating. At least give me the relog page without me having to search for it.

@RWW

I’d just save all my changes on their documents and tell them to complain to the IT department. The fact that you are making changes and having to exit “fast enough” is absurd.

In general:

The credit card companies and banks pay dearly for fraud. If you walk away it’s unlikely you will have to pay a thing. I’d prefer not to be logged out, but really you should have to deal with whatever they give you, because they are the ones at risk.

Ideally there would be something you could sign that says “I want to be logged in at all times and I’ll be responsible for any and all charges, blah blah”, but I guess there are legal reasons why that’s not possible.

(I also think that stores should be required to check ID for every credit card purchase, and if they don’t, the fraud is their responsibility. But if you want to sign something ahead of time that says “I don’t want to show my ID, and if someone uses my credit card then I’ll be responsible”, then you should be able to do that too.)

@T.E.D.

I’ve actually taken to composing posts in emacs and pasting them in the edit box when I’m ready. I just can’t trust my content to Blizzard’s user interface. But sometimes I forget and lose another 20 minutes of work. Grrrrr.

A good habit to get into before submitting a web form with a lot of content in a text field – a long forum post is a prime example – is to do a Ctrl+A, Ctrl+C on the content field. (Ctrl+A does a Select All; Ctrl+C does a Clipboard Copy. The specific keystrokes may vary if you’re on a platform other than Windows.) Then, if the session has timed out or something else goes wrong, at least you have a copy of the content you entered sitting on your clipboard, which you can save off somewhere locally and/or re-enter on the web form.

http://blog.jonschneider.com/2006/02/tip-ctrla-ctrlc-before-submitting-text.html

Obviously, this tip is only really applicable for “power users”, and it doesn’t help on a web form with many individual fields (as opposed to one primary large field), but I’ve still had it save me from losing content on more than one occasion.

And the answer is: Don’t use sessions. When the user logs in, store a security token on the server and pass it down to the client (encrypt it, etc). When the client posts a new request, pass the token as part of the request (hidden variable on a page). If valid, post the data; if invalid, have the user authenticate again and then post the data.

Add logout feature that automatically invalidates the token.

The only thing that should expire is the token.

If not using HTTPS, I can see the possibility of the token being “hijacked” by another entity, but maybe check the IP address or location of the token when it was validated.

If security is really a concern, then use HTTPS and then no one can see the token.
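One way to implement the server-side token described in the comment above, together with the IP binding suggested earlier in the thread for session lookups (an added Ruby example, not code from any commenter). `TokenStore`, its method names, the 300-second lifetime, the sliding expiry and the in-memory hash standing in for a database table are assumptions.

```ruby
require 'securerandom'
require 'digest'
# In-memory stand-in for the server-side token table (hypothetical names).
class TokenStore
  Record = Struct.new(:user, :ip, :expires_at)

  def initialize(ttl: 300)
    @ttl = ttl
    @records = {} # SHA-256(token) => Record; the raw token is never stored
  end

  # Called after a successful login; the returned token goes to the client.
  def issue(user, ip, now)
    token = SecureRandom.hex(32)
    @records[digest(token)] = Record.new(user, ip, now + @ttl)
    token
  end

  # Returns [:ok, user], or [:reauth, reason] when the caller must log in again.
  def validate(token, ip, now)
    key = digest(token)
    rec = @records[key]
    return [:reauth, :unknown] if rec.nil?
    if now >= rec.expires_at
      @records.delete(key)
      return [:reauth, :expired]
    end
    # Same effect as adding "AND ip = ?" to the session lookup query.
    return [:reauth, :ip_mismatch] if rec.ip != ip
    rec.expires_at = now + @ttl # assumption: activity extends the token
    [:ok, rec.user]
  end

  # Logout: the token stops working immediately rather than at expiry.
  def revoke(token)
    !@records.delete(digest(token)).nil?
  end

  private
  def digest(token)
    Digest::SHA256.hexdigest(token.to_s)
  end
end

if __FILE__ == $PROGRAM_NAME
  store = TokenStore.new
  tok = store.issue('alice', '192.0.2.10', 1_700_000_000) # constructed values
  p store.validate(tok, '198.51.100.7', 1_700_000_090)    # different address
end
```

A `[:reauth, ...]` result is the point where the application shows the login form and posts the pending data only after authentication succeeds. Users whose address changes mid-session (mobile networks, some proxies) will also land in the `:ip_mismatch` branch.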

I did not read all of the comments, but it did occur to me that “locking a workstation” is a pretty nice way to deal with “session timeout” - your applications, data, everything is persisted but completely inaccessible until you authenticate.

You could do this on a web page to some degree, with an AJAX tool that communicates with the server and simulates session. Whenever user activity is absent for the amount of time, the AJAX tool could throw up a modal login dialog required to unlock the rest of the page.

I see some issues with this… since the server side session would be maintained by the AJAX communication, so more than just form field entries would be preserved, particularly if the AJAX tool is somehow circumvented.

Strange nobody has mentioned rails, so I throw this out there:
http://dev.rubyonrails.org/changeset/6184

“Introduce a cookie-based session store as the Rails default. Sessions typically contain at most a user_id and flash message; both fit within the 4K cookie size limit. A secure hash is included with the cookie to ensure data integrity (a user cannot alter his user_id without knowing the secret key included in the hash). If you have more than 4K of session data or don’t want your data to be visible to the user, pick another session store. Cookie-based sessions are dramatically faster than the alternatives.”
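The integrity check that the quoted changeset describes, as an added Ruby example that is not part of the original comment and not Rails' own code: a session cookie carries its data plus an HMAC, so an edited `user_id` is rejected. The `payload--hmac` layout, JSON encoding, SHA-256, the signed `exp` field and all names are assumptions made for this illustration.

```ruby
require 'openssl'
require 'json'

# Constructed secret for the demo; a real one is long, random and server-only.
SECRET = 'constructed-demo-secret-not-for-production'

def sign(data)
  OpenSSL::HMAC.hexdigest('SHA256', SECRET, data)
end

# Constant-time comparison so the check does not leak how many bytes matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Cookie value: base64(JSON payload) + "--" + HMAC over the base64 text.
# The expiry lives inside the signed payload, so the client cannot extend it.
def encode_session(session, now:, ttl: 300)
  payload = [JSON.generate(session.merge('exp' => now + ttl))].pack('m0')
  "#{payload}--#{sign(payload)}"
end

# Returns the session hash, or nil if the cookie is malformed, altered or expired.
def decode_session(cookie, now:)
  payload, mac = cookie.to_s.split('--', 2)
  return nil if payload.nil? || mac.nil?
  return nil unless secure_equal?(sign(payload), mac)
  session = JSON.parse(payload.unpack1('m0'))
  session['exp'].is_a?(Integer) && session['exp'] > now ? session : nil
end

# What a user editing the cookie can do: change the data but keep the old HMAC.
def tamper_user_id(cookie, new_id)
  payload, mac = cookie.split('--', 2)
  data = JSON.parse(payload.unpack1('m0')).merge('user_id' => new_id)
  "#{[JSON.generate(data)].pack('m0')}--#{mac}"
end

if __FILE__ == $PROGRAM_NAME
  t0 = 1_700_000_000 # constructed timestamp
  cookie = encode_session({ 'user_id' => 42 }, now: t0)
  p decode_session(cookie, now: t0 + 60)
  p decode_session(tamper_user_id(cookie, 1), now: t0 + 60)
  p decode_session(cookie, now: t0 + 301)
end
```

The payload is only base64-encoded, so the user can read it; that is the visibility caveat in the quote, and the HMAC protects integrity only.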

I have been timed out by Verizon using e-mail. Why am I not given a clue (like 1 min. left)? To lose a letter I have typed carefully is not funny or customer friendly. At the time of installation of service I was not told about time-out, nor was I given a term of service with such info. If Bell telephone in 1948 could tell a long distance customer there was 1 min. left on a 3 min. call, surely someone can come up with a notice to the user. Verizon is not a customer service friendly provider of service. They suck.

I was wondering if it would be possible to create me a simple program to stop my online banking logging me out, or do you know of such a program already in existence? Maybe just telling it to activate the browser’s refresh button would do fine. I am not a programmer at all yet so I wouldn’t be able to create this myself.

thank you so much in advance

jsmith07611@gmail.com

There is nothing worse than a lazy client complaining that they have to click the mouse button again.

Put your optical mouse on top of your wrist watch if it has a second hand. Is the mouse moving or what’s underneath it? Won’t time out (if angle and lighting is correct).

Wondering if there is a hack or a way to keep a site going that normally logs you out after 5 min. There has to be a plug-in or something to help with this problem???


Most likely one of those “scroll or click the mouse every so often” devices or programs.


@Collegeboy, some web browsers have such extensions/add-ons to do this, such as Session Alive for Firefox. I imagine there are others for Chrome, Android and iPhone as well.
