Session Timeout Notes

  • Server should use a deterministic method to time out sessions. cron jobs are good. These should be lightning fast. See other posts in this blog. These timeouts address the situation where the user closes the browser and walks away without logging out.
  • Logging out should force session cleanup. If temporary files are not security risks they can be removed by a different cron job.
  • Temporary file cleanup can be performed less frequently, unless this would compromise sensitive data. cron jobs are good.
  • AJAX controls may fail to execute properly if authentication is required for delivery. Pinging the server to check for session timeouts can limit user frustration when a page doesn’t function due to a session timeout. It may be difficult or prohibitive to attach error trapping to all the AJAX controls in an application. Another option is to cache the control content, but that may be impossible if it is truly dynamic.
  • Ping requests may update the session file timestamp. A ping count can be used on the server side to differentiate between ping requests and user-initiated requests. After a certain number of ping requests, the server can time out the session. AJAX and page (HTML) user-initiated requests should clear the ping count.
  • Users should be alerted gracefully of timeouts.
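The ping-count rule from the notes above, worked through as an added example (not code from the original post). It assumes an in-memory session record standing in for the session file, an idle timeout of 900 seconds and a cap of 3 consecutive pings; both numbers are illustrative. Keep-alive pings refresh the timestamp but are counted, user-initiated requests reset the count, and a cron-style sweep reaps idle sessions deterministically.

```python
from dataclasses import dataclass

IDLE_TIMEOUT = 900  # seconds of inactivity before a session expires (assumed value)
MAX_PINGS = 3       # consecutive pings tolerated before the server times the session out (assumed value)


@dataclass
class Session:
    sid: str
    last_seen: float        # timestamp of the last request of any kind (the "session file timestamp")
    ping_count: int = 0     # pings seen since the last user-initiated request
    expired: bool = False


def handle_request(session: Session, is_ping: bool, now: float) -> bool:
    """Apply the rule from the notes: pings count toward MAX_PINGS, real requests reset the count.

    Returns True if the session is still live after this request, False if it has timed out.
    Because pings refresh last_seen, the ping cap is what bounds how long an abandoned
    browser tab can keep a session alive: roughly MAX_PINGS times the ping interval.
    """
    if session.expired:
        return False
    if now - session.last_seen > IDLE_TIMEOUT:
        # Idle too long regardless of request type: deterministic timeout
        session.expired = True
        return False
    session.last_seen = now  # a ping updates the timestamp, exactly as the note warns
    if is_ping:
        session.ping_count += 1
        if session.ping_count >= MAX_PINGS:
            session.expired = True
            return False
    else:
        session.ping_count = 0  # AJAX and HTML page requests clear the ping count
    return True


def reap_sessions(sessions: dict, now: float) -> list:
    """Cron-job sweep: mark every session idle longer than IDLE_TIMEOUT and return their ids."""
    reaped = []
    for s in sessions.values():
        if not s.expired and now - s.last_seen > IDLE_TIMEOUT:
            s.expired = True
            reaped.append(s.sid)
    return reaped
```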