I am implementing IdentityServer, where the sliding expiration value is set on the client side. So is it secure?
Does ASP.NET session timeout work in a similar way, i.e. client-side comparison?
I just need the theory about whether session timeout is a client-side thing or a server-side thing.
What exactly happens when the session times out? Is the cookie cleared, or is some server value cleared?
Sliding expiration means that each time the session is accessed it will reset the timer back to 20 minutes again.
Also, by default sliding expiration is used so you don't need to write any code.
If the user does not access the session for the timeout period then the session will expire. If the user accesses the session at (for instance) 3:01 then the session will expire at 3:21. If the user accesses the session at 3:10 then the session will then expire at 3:30. It is always 20 minutes after the user last accessed the session (that is the meaning of sliding expiration). If the user does not access the session in that 20 minutes then the session will expire.
Hope the answer gets you a glimpse of sliding expiration...
I have a method in a controller. Is it possible to run this method without interfering with the session expiry time?
I'm checking something by AJAX request every 5 min, but in this case the session never expires.
The session expiry time is 30 min.
In future I will be able to use WebSockets, but for now I need an easy solution.
You can track the user's idle time with jQuery via some timer, then send an AJAX request to expire the session.
Detect user idle time with jQuery
In a web app I am developing using express.js, I am having a problem expiring sessions when a user has not been active for more than 10 minutes. I am using connect-couchdb as the session store.
I tried setting the req.session.cookie.maxAge = 600000. But this causes the session to expire 10 mins after logging in irrespective of user activity. My understanding of the documentation is that req.session.touch() will be called automatically by the connect middleware and hence maxAge (and the expires date) should get refreshed so it lasts another 10 mins, but it is not happening!!
I also tried setting maxAge to 600000 on each request and calling req.session.save() but even then there is no effect.
What am I doing wrong?
You are not doing anything wrong; this is a bug in Connect. The session cookie gets updated in the server, but not pushed to the client, and so the client keeps trying to use the old cookie, which will expire sooner than you want.
More details and discussion here.
In my web application, I would like to show a pop-up if the session has been inactive for 30 minutes.
Do you have any idea how to do that with Spring MVC?
Thank you
I would do this as follows:
Configure your container to expire sessions after 30 minutes.
When a user makes an initial request and a new session is created, store a cookie which contains the session id.
On subsequent requests, check the session id on the request against the session id stored in the cookie; if they're different, the user's previous session has expired and you should show a pop-up.
One more thing to note, ensure that you set the max age of the cookie to be negative. This ensures that the cookie is deleted when the browser is closed. If you don't do this, the next time the user opens their browser and goes to your site they will see the pop-up.
In my web application (JSP/servlet) there is a web page which creates an Ajax request periodically to grab the latest data from the server. This page is the main page, which is always open once the user logs in to the system, while other pages open in new browser windows (due to user events).
I have to invalidate user sessions which are idle for more than 30 minutes. For that I use the Tomcat session timeout feature. But the thing is, most of the time user sessions which are idle for 30 minutes are not invalidated.
But sometimes user sessions are invalidated by Tomcat after 30 minutes. I think this is because the main page sends Ajax requests periodically without idling the session.
I want to know whether Tomcat can't distinguish the auto-generated requests from user events and invalidate the session properly. Please give me any ideas on this; it will be very helpful for me.
Dinesh
I don't think you have a choice here - if Tomcat identifies and ignores the AJAX request, you'll lose the functionality it provides for you
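As an added example (not code from any of the posts above), here is a small server-side sliding-expiration store in JavaScript that ties together the sliding-expiration answer and the AJAX-polling questions: expiry is decided on the server, and requests flagged as background polls are served without resetting the idle timer. SessionStore, touch and the isPoll flag are hypothetical names, and the timeline is constructed.

```javascript
// Added example: server-side sliding expiration with an injectable clock.
// SessionStore, touch() and the isPoll flag are hypothetical names.
const crypto = require('crypto');

class SessionStore {
  constructor(idleMs, now = () => Date.now()) {
    this.idleMs = idleMs;       // idle timeout, e.g. 30 minutes
    this.now = now;             // injectable clock so the example is testable
    this.sessions = new Map();  // session id -> { user, expiresAt }
  }

  create(user) {
    const id = crypto.randomBytes(16).toString('hex'); // unguessable id
    this.sessions.set(id, { user, expiresAt: this.now() + this.idleMs });
    return id;
  }

  // Called on every request. Returns the session, or null if it has expired.
  // isPoll marks background requests (periodic AJAX); they are served but
  // do not slide the expiry, so only real user activity extends the session.
  touch(id, { isPoll = false } = {}) {
    const s = this.sessions.get(id);
    if (!s) return null;
    if (this.now() >= s.expiresAt) {
      this.sessions.delete(id);   // expiry is decided and enforced here,
      return null;                // whatever the cookie in the browser says
    }
    if (!isPoll) s.expiresAt = this.now() + this.idleMs;
    return s;
  }
}

// Constructed timeline: 30-minute timeout, polling every 5 minutes.
function demo() {
  let t = 0;
  const MIN = 60 * 1000;
  const store = new SessionStore(30 * MIN, () => t);
  const id = store.create('alice');
  t = 10 * MIN;
  store.touch(id);                       // real click: expiry slides to 40 min
  const results = [];
  for (t = 15 * MIN; t <= 45 * MIN; t += 5 * MIN) {
    results.push(store.touch(id, { isPoll: true }) !== null);
  }
  return results;
}
```

The client controls the poll flag, but it can only use it to decline an extension; any unflagged request counts as activity, exactly as it would without the flag.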
I am working on an e-commerce project using the Auth Component for authentication and Sessions Component for storing my cart.
The problem is that the session gets cleared abruptly after a while even when I am actively browsing the site. I know this should be because of the Session timeout but just increasing the timeout value is not the solution I am looking for.
I want the session to expire only when a user closes his browser. Can this be achieved?
AFAIK all you can do is to set a session timeout variable far into the future. Sessions are automatically cleared when the browser is closed (unless you set a Remember Me type cookie). Setting it far into the future will effectively accomplish what you need to do.
How long into your session is it timing out? It should only time out when your user is inactive for a period of time. If it times out in between requests, and you know the timeout time has not elapsed, you have some other issues going on. What are the settings in your core.php file regarding your security levels and session timeouts?