asp_web_howto thread: Forcing a logout after a period of inactivity
Message #1 by CWuertz@i... on Wed, 16 May 2001 08:20:37 -0400
From: Christopher Wuertz
To: asp_web_howto@p...
cc:
Date: 05/16/01 08:15 AM
Subject: Forcing a logout after a period of inactivity
I need to find a way to monitor how long a user's session is inactive and
then redirect them to a "Sorry, but you've been idle too long...." page and
then execute Session.abandon after X minutes.
Any suggestions????
Chris Wuertz
eBusiness Systems Team
Southern General Financial Group
(770) 952 - 0080 ext. 3305
Message #2 by "TomMallard" <mallard@s...> on Wed, 16 May 2001 08:21:41 -0700
One method:
This solution uses a database and not IIS session variables.
Login creates a table row for the user's session with a timestamp to use for
timeout. Each page when hit will update the timestamp so activity extends
the timeout. There are several ways of creating a system or sql job to run
every minute which checks for expired sessions and deletes them from the
current user table. The easiest way to do this is to have hidden fields with
your sessionID and user key on each page and to post each page to the next,
no plain vanilla hrefs, all of them become submits.
The next time they try to access after timeout means the page hit will find
no current user entry for them so that will redirect to the login page. With
form values you can redirect back to the page they want for previously
logged-in users. This also will allow you to add a "session timed out"
message to the login page and redirect to the page they want after they
login again.
Users can deal with a re-login if they get the page they were after, if not,
they will complain.
This system allows you to create UIDs for guests to use as usernames, so
anonymous users can use the site according to page permissions you set up
which can be NT groups, etc.
P.S. For security, I separate password transmission from all associations
with username; they are never sent over the wire together, SSL or not. A
separate page is used for password with a hash of sessionID which is dropped
after a successful login. Some will say this extra hit isn't needed, but it
about eliminates the chance of a username/password being sniffed from a
network. Users don't seem to mind because the password page is so small it
loads very fast (nothing but a textbox and button on it).
tom
----- Original Message -----
From: <CWuertz@i...>
To: "ASP Web HowTo" <asp_web_howto@p...>
Sent: Wednesday, May 16, 2001 5:20 AM
Subject: [asp_web_howto] Forcing a logout after a period of inactivity
> From: Christopher Wuertz
> To: asp_web_howto@p...
> cc:
> Date: 05/16/01 08:15 AM
> Subject: Forcing a logout after a period of inactivity
>
> I need to find a way to monitor how long a user's session is inactive and
> then redirect them to a "Sorry, but you've been idle too long...." page and
> then execute Session.abandon after X minutes.
>
> Any suggestions????
>
> Chris Wuertz
> eBusiness Systems Team
> Southern General Financial Group
> (770) 952 - 0080 ext. 3305
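The database-backed timeout described in Message #2, as an added sketch that is not code from any poster in this thread: every page hit refreshes the row's timestamp only while it is still inside the idle window, so the server rejects an expired session even if the cleanup job has not run yet. Python with SQLite stands in for the ASP page and its database; the table name `active_sessions`, the `/login.asp` URL with its `timeout` and `return` parameters, and the 600-second limit are assumptions.

```python
import secrets
import sqlite3
from urllib.parse import quote

IDLE_LIMIT = 600  # seconds of inactivity allowed (assumed value)

def open_store():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE active_sessions (session_id TEXT PRIMARY KEY, "
               "user_key TEXT NOT NULL, last_seen INTEGER NOT NULL)")
    return db

def login(db, user_key, now):
    """Create the session row at login with the first activity timestamp."""
    sid = secrets.token_urlsafe(32)  # unguessable session identifier
    db.execute("INSERT INTO active_sessions VALUES (?, ?, ?)",
               (sid, user_key, now))
    return sid

def page_hit(db, sid, wanted_page, now):
    """Run at the top of every protected page; returns (action, target)."""
    # Sliding expiry: the UPDATE matches only a row that is still fresh.
    cur = db.execute("UPDATE active_sessions SET last_seen = ? "
                     "WHERE session_id = ? AND last_seen >= ?",
                     (now, sid, now - IDLE_LIMIT))
    if cur.rowcount == 1:
        return ("serve", wanted_page)
    db.execute("DELETE FROM active_sessions WHERE session_id = ?", (sid,))
    # Carry only a site-local path to the login page as the return target.
    if not wanted_page.startswith("/") or wanted_page.startswith(("//", "/\\")):
        wanted_page = "/"
    return ("redirect",
            "/login.asp?timeout=1&return=" + quote(wanted_page, safe="/"))

def purge_expired(db, now):
    """The scheduled job: delete rows idle for longer than the limit."""
    return db.execute("DELETE FROM active_sessions WHERE last_seen < ?",
                      (now - IDLE_LIMIT,)).rowcount

if __name__ == "__main__":
    db = open_store()
    sid = login(db, "guest-001", now=0)                 # constructed user key
    print(page_hit(db, sid, "/reports.asp", now=500))   # active
    print(page_hit(db, sid, "/reports.asp", now=1000))  # idle 500 s
    print(page_hit(db, sid, "/reports.asp", now=1700))  # idle 700 s
```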
Message #3 by "Ken Schaefer" <ken@a...> on Thu, 17 May 2001 15:14:54 +1000
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
: I need to find a way to monitor how long a user's session is inactive and
: then redirect them to a "Sorry, but you've been idle too long...." page and
: then execute Session.abandon after X minutes.
:
: Any suggestions????
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<meta http-equiv="refresh" content="600;url=logout.asp">
will redirect to logout.asp after 600 seconds (10 minutes). You could call
session.abandon in the logout.asp page.
Cheers
Ken