Wednesday, July 05, 2006

How to implement timeout warnings for session expiration?

Hi everybody!
My bank's Web site has a neat feature: after some period of user inactivity it displays a JavaScript confirmation window asking the user to click a button to stay connected. If the user clicks the button within some short time interval, he/she stays connected. Otherwise, after closing the confirmation window, the user is forcefully redirected to the logout screen.

I think it's a nice, user-friendly feature. Too often, users of my ASP applications enter a bunch of data into a form, go somewhere, return and click the "Submit" button, only to realize that the session has already expired and all the data entered was lost.

Question: how to implement that feature (with ASP or PHP back-ends)?
ASP provides the Session_OnEnd event (PHP does not), but it is no help: I don't think you can refresh a session at the time this event is fired, and you cannot interact with the user from inside this event handler.
I can imagine running a JavaScript timer on each page. When it decides that the session is about to expire, it displays a warning. If the user says he wants to continue, JavaScript connects to the server using XMLHttpRequest and runs some script there, which automatically resets the session expiration time. The response from the server should tell JavaScript to reset the timer.
But what if more than one browser window, frame, or iframe is open for this site? Especially for multiple windows, we need a way for the server to initiate a counter reset in all client windows when one of them is refreshed. (By the way, it isn't implemented correctly on my bank's website.) We could make one more XMLHttpRequest to the server just before displaying the upcoming expiration warning. It would ask the server for the actual expiration time and reset this window's timer as necessary. But for the server to know the expiration time, it must be reset each time a page's server script runs and saved ... in a session variable.
Another solution that comes to mind would be to use server-push technology to reset all necessary client timers. There is some interesting news about it there.

It would be nice to implement the timer on the server instead of in client JavaScript... but I have no idea how to do it in ASP or PHP.

What do you think about all that?
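
The "ask the server just before warning" idea described above, as an added example that is not part of the original post. The endpoints `/session/status`, `/session/keepalive` and `/logout`, the one-minute warning window and the names `decide` and `createWatcher` are all assumptions; the status endpoint is assumed to report the expiry time kept in the session variable without extending it, otherwise the check itself would keep an idle session alive.

```javascript
// Added example, not code from the original post.
// Assumed (hypothetical) endpoints: GET /session/status returns {"remainingMs": N}
// WITHOUT extending the session; POST /session/keepalive extends it and
// returns the same shape. Remaining time avoids client/server clock skew.
const WARN_BEFORE_MS = 60 * 1000; // warn one minute before expiry

// Pure decision: given the time the server says is left, what does this window do?
function decide(remainingMs, warnBeforeMs = WARN_BEFORE_MS) {
  if (!Number.isFinite(remainingMs) || remainingMs <= 0) {
    return { action: "logout", delayMs: 0 }; // expired, or reply unreadable
  }
  if (remainingMs <= warnBeforeMs) {
    return { action: "warn", delayMs: remainingMs }; // time left to answer
  }
  // Session was refreshed (possibly by another window): sleep until warn point.
  return { action: "sleep", delayMs: remainingMs - warnBeforeMs };
}

// I/O is injected so every window, frame or iframe runs the same loop.
function createWatcher({ getRemaining, keepAlive, confirmStay, logout, schedule }) {
  async function handle(remainingMs) {
    const step = decide(remainingMs);
    if (step.action === "logout") return logout();
    if (step.action === "sleep") {
      // Re-ask the server before warning instead of trusting the local timer.
      return schedule(async () => handle(await getRemaining()), step.delayMs);
    }
    const stay = await confirmStay(step.delayMs);
    // A late "stay" is caught here: keepAlive reports 0 once the session is gone.
    return stay ? handle(await keepAlive()) : logout();
  }
  return { start: async () => handle(await getRemaining()) };
}

// Browser wiring (skipped outside a browser).
if (typeof window !== "undefined") {
  const ask = (url, method) =>
    fetch(url, { method, credentials: "same-origin" })
      .then((r) => (r.ok ? r.json() : { remainingMs: 0 }))
      .then((j) => j.remainingMs)
      .catch(() => 0);
  createWatcher({
    getRemaining: () => ask("/session/status", "GET"),
    keepAlive: () => ask("/session/keepalive", "POST"),
    confirmStay: async () => window.confirm("Your session is about to expire. Stay connected?"),
    logout: () => window.location.assign("/logout"),
    schedule: (fn, ms) => window.setTimeout(fn, ms),
  }).start();
}
```

Because every window re-reads the remaining time from the server before warning, a refresh in one window silently pushes back the warning in all the others, and a failed or unreadable reply is treated as an expired session.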