I'm using devise timeout table to expire a session, however the redirect only happens after a page refresh or change. What is a good solution to redirect to sign in once the session expires?
You need to use some client side code to keep track. If the page is static, you can just do it in javascript:
// Redirect 15 minutes after page loads.
setTimeout(function(){ window.location.href="the_new_place"; }, 1000 * 60 * 15);
If your page has some user controls and you want to keep the session alive while user is editing something, check out https://github.com/epigenesys/session-timeout-prompter.
ActionCable is another possibility but that's perhaps a little heavy-handed for this purpose.
Related
I have an ASP.NET MVC application. I have the following:
<sessionState timeout="60" />
My question is that if a user goes on a page and takes more than 60 minutes to fill out all the fields on the page, will that constitute a timeout? What constitutes a timeout? Does a user need to go through different pages so timeout will not happen?
Simple answer is - Yes, a person taking more than the timeout (60 minutes in your example) on the same page would cause a timeout.
Session is server side, so if no requests are sent to the server for the timeout period - the session will expire and all the saved session variables will be lost.
To complicate things a little bit, if your page is making AJAX calls to the server - those could keep the session alive without navigating to a different page.
session data is stored for 60 minutes from the last request. So, if you access a page and something is stored as session data for you, it will be automatically removed after 60 minutes unless you have made a new request within this time period.
you shouldn't try to use sessions to store data for long periods of time.
There's one ASP.NET MVC page that is automatically refreshed every 2 minutes using the meta refresh tag. All other pages in the application does not have this auto refresh. The application uses SQL server sesssion state and timeout is set to 20 minutes. If user is on any page, it times out exactly after 20 minutes but if the user is on that specific page, where the auto refresh is set to every 2 minutes, it does not timeout after 20 minutes. Is there a way to auto refresh the page and also timeout the user after 20 minutes i.e basically being able to differentiate between user-driven action and system driven auto refresh?
No. Session timeouts are sliding. Every request the user makes to the website resets the timeout. There's no way around that.
I am currently building a rails app, using the devise gem for authentication.
Currently in the app there is only client-side timeout functionality implemented, which I don't feel is a good final solution. Because it doesn't cover the case when a user puts their computer to sleep just for 1 example.
So I wanted to implement the timeout module in devise, however there are several issues I am facing. The issues are because with server-side timeout the user needs to navigate to a different page before they are redirected to the sign in page. And there are a lot of interactions in my app when a user will open a modal in the UI, which will trigger an AJAX call (which will fail if they have been timed out on the server-side).
Here are 2 approaches I have thought of, but I don't see them as good solutions so maybe someone can build on one of these approaches or help point me in a different direction:
1.) In my AJAX requests, add a handler inside the 'error' callback that will tell the user to refresh the page or go to the login page if the error callback returns a 401 Unauthorized response.
Cons: There are a lot of these ajax requests in the app, so there would be a lot of repetitive code and I see this as being difficult to maintain.
2.) Add a click handler to the body and every time it is triggered, send a request to the backend to validate if the user is still logged in. If they aren't redirect the user to the login page.
Cons: Performance issues
Any advice would be appreciated. Thanks.
You can add this from server site.
:expire_after: 120.minute
in your initializers/session_store.rb, Below example.
Tastebook::Application.config.session_store :cookie_store,
key: '_tastebook_app_session',
expire_after: 120.minute
I spoke with another developer who helped me come up with a solution to this issue.
With the client-side timeout, I had a countdown timer starting at 15 minutes, which obviously only works if the user's computer is not asleep.
So instead of a countdown timer, I create a new date object, setting the time to 15 minutes in the future (UTC). And then I set an interval which compares the current datetime (UTC) with the future date object and if it has been reach or surpassed it renders a message with a link to the sign in page. When this message is rendered is also makes a call to the backend to kill the user session to cover the case where the user tries to refresh their browser, which would then result in them being sent back to the login page.
How can i expire a session when the system sits idle for some time. After completing that time it should be redirected to login page. I need to do this controller side. I am using asp.net mvc3 application.
The session will expire on the server when it times out.
If you want the browser to redirect at the same time you'd have to have a counter on the client, in JavaScript, which on 0 would do a redirect to your login page.
The controller cannot force the redirect of a browser without some action from the client. You could also look at having some kind of persistant connection like SignalR but that might be more than you need.
Another solution would be to have a refresh header like in this answer
ASP.NET Push Redirect on Session Timeout
I have an ASP.NET MVC 3 application. The site involves people writing lengthy responses using a textarea in a web form. Occasionally, users are complaining that they are getting redirected to the log in form after they post their data. I am not sure exactly why they are getting logged out because the users do not typically provide enough information on their errors. I believe it is due either to a session time out or the application has been restarted for some reason. This is on a shared web hosting site and it does not have its own app pool.
In any case, regardless of the reason, I would like to capture that post data and save it to a db or text file. How can I get the post data and save it while the controller redirects the user to the login screen.
I know the long term plan would be to identify why the timeout is occurring. But for now I want to be able to grab the post data and recover it at a later time.
First, in order to avoid timeouts, I would recommend using client-side heartbeat solution (like http://plugins.jquery.com/project/Heartbeat)
Second, assuming that you are using forms authentication, in order to save posted data, when Forms Authorization Module is redirecting your users, you will need to intercept redirects in EndRequest HttpApplication event handler in Global.asax or your own module.
The way to intercept those requests is not that straightforward, since on "EndRequest" pipeline step you will see 302 HTTP status code (redirect instruction), not 401 (Unauthorized error). So you may check if request is not authenticated (HttpContext.User.Identity.IsAuthenticated) and request is redirected - in this case you may save what you see in the request.
Otherwise you would need to disable forms authentication and use some solution, which is closer to ASP.NET MVC.
one solution can be to put a javasscript timer which keeps on hitting the server after specified interval to keep session alive until u figure out the cause of session time out (only i its the session timeout problem)
If you want to stop the session from timing out, you can add a hidden iframe on the page. For example, create a new page called KeepSessionAlive and do this:
<meta http-equiv="refresh" content="600">
where content = seconds.
I don't know about MVC 3, but the way you can get and store the post values is to catch them before redirecting the user to the Login page.