All geek questions in one place

Client-side event triggering upon session loss

As some of you probably know, Facebook uses a โ€œsystemโ€ where a pop-up is displayed when a user session is lost due to inactivity or closing a remote session. I already saw and read this Node.js question , but found nothing.

I am working on a Canadian computer business, our main product is CRM, and everything is encoded using classic ASP.

I know.

The entire web application works fine, and since we host the site on our servers, you can open ports and use sockets if necessary.

Here is the main question: is there a way (using a javascript library or jQuery plugin, perhaps?) To fire the event on the client side when the session expires , or is it simply lost due to a server reset, for example?

Of course, it would be better to use a different solution than send an AJAX request every second to check if a user session exists. If this can help, at the same time a maximum of about 3,500 users are connected, and our servers can easily handle more traffic. Servers run on Windows Server 2008 along with IIS 7.

Unfortunately, I cannot provide any code blocks or screenshots for this question, since there is nothing to debug.

One idea would be to use an AJAX request for a file that returns nothing and hangs there. If the session is lost (inactivity or server reset), the AJAX request raises an error and the error function will start. Will this be something to consider?

Or otherwise, any other suggestions?

+6
source share
4 answers

One way to do this is to set a client-side timer, set at the same time as the session expiration time.

Suppose your session expires in 20 minutes. When the pages load - a client-side timer set for 20 minutes. If the user performs any interaction with the server (submits a form, etc.), the reset timer. But if nothing happens during these 20 minutes, the timer counts down and you get your event.

+3
source

To achieve this, you can do the following if you have a default session timeout of 20:00 minutes:

  • Make sure each user has a "session cookie" issued by you, and not the default ASP Session cookie.

    dim live_session_id live_session_id = Request.Cookies("livesession") if live_session_id = "" then live_session_id = create_unique_session_id() Response.Cookies("livesession") = live_session_id end if

  • Save this live_session_id in the database along with the expected end date

     call updateSession(live_session_id, dateadd("n", 20, now())) ' = now()+20min

  • Print live_session_id somewhere on your page so you can access it through JS.

  • Deploy a server-side ASP script that checks the current session state for this live_session_id and makes it available in IIS in the DIVFERENT subdomain, so calls to this check do NOT update the ASP session. The script can return the time difference between the session and until the end of the session, so you can display the duration of the session that remains valid.

  • Add AJAX code to invoke a script check every second so you can issue a warning if the session time is running out.

  • To detect IIS reset, you can clear saved sessions in the database by running Application_OnStart in global.asa . This way, your clients will detect the loss of an IIS reset session.

another quick and dirty method

When loading each page, you can cancel javascript from 20:00 minutes and after that display a warning about session loss. This is what my online banking system uses ... :)

+3
source

As far as I understand, the main problem is that the user must fill out huge forms. this may take some time, and during this time the session may expire.

In addition, the session may be terminated by something else (iisreset or so) during the time that the user fills out the form.

in my understanding, you do not need to notify the Client that the session is lost / expired / ended / left. it would be enough just to specify the login form (Ajax or something else) when the user submits the form or the next request (by Ajax, as you mentioned) is made by the client.

the asp script being called checks to see if the session is valid, and if the popup or overlay login for the Ajax user is not displayed, and the form is subsequently submitted.

you could think about the http status of the 401 code or send back to the client and the client and then display the indicated login form in Ajax ...

+1
source

How will the session in your CRM end? Expires after X time, since the last [user] action is pretty arbitrary and will allow you to use ajax to save the session. Let them say that the session is good for 5 minutes as part of the security requirements for top-secret NSA CRA banking with kittens and youtube video . A good session expansion scenario might be the following:

  • a page opens, checking the session for another 5 minutes.
  • a timeout is set using JS to execute an ajax request every 4 minutes.
  • [4 minutes later] a request is made, returning a very easy response.
  • if the answer says that everything is in order, and the session is still valid, assign another ping and continue as usual. If the response returns with an error (the session is invalid on the server due to logging in from another PC, etc.), process it gracefully. Allow users to save what they are working on, not just push them onto the registration screen with an error.
  • The user goes from the page (clicks the link, submits the form), repeats from the very beginning. If the user goes to an external site or closes the browser, his session will be self-destructed in no more than 5 minutes :)

Obviously, you can copy any additional information to the ajax call in step 3 - for example. notifying the user of new items assigned to them in CRM?

Google is your friend, one of the first results gives a good overview of the basics of the approach.

0
source

Source: https://habr.com/ru/post/951327/

More articles:


All Articles