Handling Session timeout on Client side
https://stackoverflow.com/questions/9993465
-
28-05-2021 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
The scenario is that a user should get notification (say via typical JS alert or redirect etc) when her session is about to be expired. Couple of ways this can be done is
- Using javascript time out function as explained here.
- Using Server Push using WebSockets which off course would need HTML5 support.
What are the relative merits/demerits of these two approaches? Apart from these, are there any other ways this can be achieved (some standard library etc). My back end is Java EE (Struts+Spring).
Solution
By Using javascript timeout function, you need to ensure that if the user is making any AJAX calls your function should be reset as it should be treated as user activity.
If the using server push using websockets you may not be able to target users with not so latest browsers. You may have to use some signalling frameworks and even change your backend stack. (I can think of socket.io & SignalR as of now)
Both the approaches are not going degrade gracefully. So, IMO javascript option sounds better as it can target wider audience and that would require you to address some edge case scenarios. If I had a choice I would not implement this feature at all. But it hardly happens that way.
UPDATE: Here is another approach I could think of.
Every time a page gets served I would sent a Cookie which can be accessed in the client side which would contain the UTC time at which the session will timeout. In my code I would place a setInterval which would read the value and compare the local time with UTC and if it close, would display a popup window saying the timeout will happen in X seconds etc.
This again doesn't degrade gracefully and relies on the time of the client machine. So, if it is wrong this functionality will not work reliably.
OTHER TIPS
What about creating a filter where you set a cookie with the number of seconds left until timeout?
So, you will always set that value to (session-config->session-timeout) * 60.
In the front side, using setInterval, you would update that cookie value by subtracting the interval to the current cookie value, that way you don't depend on time configuration.
