Does anyone know a technique for forcing a web user to re-login after a given idle time? We have a massive web database program and need pretty tight user security.
@JiggyJayJan 16.2005 — #To my knowledge there is no "secure" way to do this with javascript native. Session handling is usually handled by the web server software such as ASP/PHP with the use of cookies or some form of id given to the browser. The problem with trying to handle idle time with Javascript is that it runs on the client in the browser and can be changed by the user. The user can nullify your settimeout call or Interval or modify the expiration timing. I would highly suggest using the ASP/PHP or whatever server side scripting mechanism to handle sessions.
@senshiJan 16.2005 — #You could always use session cookies.
Your script checks that a cookie is present, if not, login and make a new one, if they wont allow session cookies then dont allow them on your system, I have no issues on using session cookies despite that the fact remains that cookies are abused by the advertizing industry and spyware vendors also do likewise and abuse cookies. So its understandable if people dont like them enabled but that will by far be the minority andusing them in general should not represent any problems.
So to recap, if no cookie then login, if they expire the cookie then a periodic check to see if a cookie is present per page turn will check to see if the cookie expired or expired by other means, etc...
Seems fairly logical way to do it, if you have that many users then you need to off load that side of things to the users browser.