I use slidingExpiration session on my web site. And I also added ajax call to check each 15 min session expiration to redirect user on login page. Is it possible to not extend session when this ajax is called?
Answer found. To avoid session expiration extend, mark controller by [SessionState(SessionStateBehavior.Disabled)] attribute
Related
I have an enterprise application deployed on websphere 8.5.5.8, the application web side is composed of a single main page with multiple functionality tabs and every thing inside them uses ajax and iframes. Now, the issue is that I need to redirect the user to the login page immediately when the session expires. I tried to send ajax requests every second from my main page to the server to check for the session validity but the server treats that ajax requests url as secured resource causing the session to be refreshed and never expires. What are the possible work arounds for such scenario?
Yes, call to server will extend the session. As one of the solution, you could use javascript setTimeout method, initialize it to the session expiration time, and reset on your ajax business calls. If user will not do anything, then this timeout will invoke call to the logout page, which will invalidate the session and logout user.
I can redirect a user to home page upon session logout.. this was very simple. However, if an user had logged into the app and had the page open, even on session time out, he is able to perform all the functions(this is bad).
The redirect does not happen until the page is refreshed, or submitted to the server... there are some update functions that could be done by the user even if he is not currently logged in... I have done a lot of research but unable to fix this solution. I also found this thread but it seems to have no proper answer:
Spring Security 3.1 - Automatically redirect to login page when session-timeout occurs
For example, most of the banking sites log you out after a time out.. they do not wait until you come back and then submit a request before you are redirected to home page.
HTTP is stateless. To achieve some form of state the server can maintain a session for each user by giving them a session id on their first request. The user would have to resend that session id on each future request to identify that the other requests happen within the same session.
Because the session is maintained by the server, there is no way to notify the client that the session has timed out.
Instead, if the user makes a new request when the session is timed out, their session ID is no longer good and therefore you can take a particular action like redirect them to login page.
Assuming nothing works out. You may want to consider below mentioned approches:
Approach 1:
Create a cookie on browser and have encrypted timestamp in it that will contain last visited/request timestamp from browser, for each request first get get this cookie value and compare with the pre-defined session out time, if session-out time reached then redirect user to error page else serve the request. On logout delete the cookie.
Why encrypted value for timestamp: if somehow user gets to know about cookie used for session timeout then (s)he can change this value in browser and keep on sending this request.
Approach 2:
You can also achieve this by making an entry in your database for every logged-in user and updating timestamp in this database for each request. For each incoming request get this timestamp from database and compare it with pre-defined value for timeout and handle accordingly. On logout delete the entry.
In both the approaches explicitly perform response.redirect("errorPageUrl");
I don't really deeply understand of the session mechanism but just good enough as a casual user of the technology. I have a page implemented with jQuery ajax request. If I keep refreshing the page at a fast pace it would make the session expired and I have to login again. I would appreciate for an explanation of the phenomenon and solution to prevent that.
Sessions consists in to main parameters
Cookies and Server-side session data
In a very little explanation
cookies contains session ID, that references to the server to get session data. Server then fetchs data with the session ID and matches it inside a file with various parameters.
Your problem must be session timeout, it depends mainly on session timeout parameter configured.
Your ajax requests only works if the session timeout hasnt expired thats why it prompts you for login.
You can solve this by defining a service that does not require authentication, you can define your functions on a specific file with no session initialization so the request can bypass the security session, and your other pages that need security are secured at the same time. Like amazon mechanism.
How to continue the session id if cookies is disabled on clients browser?
we can continue in core as session_id($_GET['session_id']). But how can we do in Codeigniter?
If the cookies are not enabled then you can go by the GET and POST parameters, but they are hardly recommended.
In the session class of codeigniter the value of the session id is encrypted and then store in the cookies. using session id directly by GET and POST you will be opening doors to session fixation using ini_set('session.use_only_cookies', true).
In codeigniter also you can pass the value in the same manner either add in the url as a parameter. /controller/method/parameter
go through the below articles:-
Codeigniter's session data, are they just cookies?
http://jctweb.net/2011/09/20/sessions-without-cookies-in-codeigniter/
I need to create and action that returns whether or not the user's session has expired. The problem is that requesting any action will refresh the user's session timeout. So, I need this action to NOT refresh the timeout.
Is there some way to make a controller action that has access to the session, but does not refresh the timeout?
Figured it out. We built an http module to read the forms auth ticket which could be accessed at site.com/.formsauthticket. By handling it at this level, it did not trigger the session at all. I'm afraid I cannot provide code here but we set the module to return the number of milliseconds till the session expired. We then used this number to make some client-side timers.
We based our solution on an answer to a different question found here. Hope this helps someone else!