I had what I thought might be a good idea for session handling and wanted to get a response and see what people thought and how it might be best implemented.
1.) User logs in, this contacts the server, creates a session object on the server, and the server sends back a session ID and timeout-time.
2.) Ext.JS stores the session id and timeout (CookieProvider?). Every time a click is done on the page it checks against the timeout, and every time a server call happens it always returns a new timeout time.
Then, you set a threshold time. If it's within that threshold time you pop open a window asking if they want to stay connected and it updates the server/client time. If it's past the time a modal login box asks them to re-login granting them a new session ID and updated session window.
Now, what I'm really asking is what would be the best way to do this? It seems like it would involve an override to the ajax calls and store loading calls (with a param like checkSession: true that will then always look in the return for a sessionTimeout value), and then attaching an event to the click.
Am I way off base or does this sound like a good way of dealing with the Session Handling problem? I'm not entirely new to Ext.JS, but knowing the proper way to start on a project should help me get to the end faster.
1. You could use the Ext.Ajax requestcomplete event to update the timeout (if your server sends a new timeout with every request).
I handle session timeout like this:
1. User logs into system; session is created. SessionID is stored in cookie; sessionTimeout is stored in JS variable; a 'timeout' is created to log the user out at the sessionTimeout duration.
2. An 'interval' is created to send a "RememberMe" message to the server every minute.
3. All activity (mouse-click or key-stroke) resets the 'timeout.'
4. After no activity for the duration of (sessionTimeout - 30 seconds), a modal dialog is displayed with a 30 second countdown. The user can click the "Keep Working" button or let the application close down.
Notice there is one 'timeout' and one 'interval.'
The interval is used to keep the server's session alive. This is necessary because the application is heavy on data-input. A user could easily spend more than 20 minutes on a single screen without hitting the server. So, it's important to keep the server's session alive. The user would be really ticked off if they just spent 30 minutes on a screen and when they pressed 'Submit,' they found out they had been logged out.
This works well for our applications. The bandwidth savings that ExtJS has given us is much greater than the extra "RememberMe" traffic. However, we are not creating applications with 1000's of concurrent users.
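The "one timeout, one interval" pattern harley describes, as an added example that is not harley's own code: it is written without Ext.JS so it runs in Node, the browser timer functions are injected so the sequence can be driven without waiting, and the names (InactivityMonitor, FakeTimers, runScenario) and the 20-minute / 1-minute / 30-second figures are this example's own assumptions.

```javascript
// Added example, not harley's own code: the "one timeout, one interval" pattern
// from the post above, written without Ext.JS so it runs in Node. The timer
// functions are injected so the sequence can be driven without waiting; the
// names (InactivityMonitor, FakeTimers, runScenario) are this example's own.

class InactivityMonitor {
  constructor({ sessionTimeoutMs, warningMs, keepAliveMs,
                sendKeepAlive, showWarning, logout, timers }) {
    this.sessionTimeoutMs = sessionTimeoutMs; // server session length, e.g. 20 minutes
    this.warningMs = warningMs;               // countdown shown before logout, e.g. 30 seconds
    this.keepAliveMs = keepAliveMs;           // "RememberMe" period, e.g. 1 minute
    this.sendKeepAlive = sendKeepAlive;       // callback: ping the server
    this.showWarning = showWarning;           // callback: open the countdown dialog
    this.logout = logout;                     // callback: close the application down
    this.t = timers || { setTimeout, clearTimeout, setInterval, clearInterval };
    this.state = 'stopped';                   // 'active' | 'warning' | 'loggedOut'
    this.timer = null;                        // the one timeout
    this.interval = null;                     // the one interval
  }

  start() {
    this.state = 'active';
    // The interval keeps the server session alive while the user spends half an
    // hour on one screen without a single request reaching the server.
    this.interval = this.t.setInterval(() => this.sendKeepAlive(), this.keepAliveMs);
    this.armTimeout();
  }

  // Wire this to mouse clicks and key strokes: activity resets the timeout.
  // While the modal countdown is up, only the "Keep Working" button counts.
  activity() {
    if (this.state === 'active') this.armTimeout();
  }

  keepWorking() {
    if (this.state !== 'warning') return;
    this.state = 'active';
    this.armTimeout();
  }

  armTimeout() {
    this.t.clearTimeout(this.timer);
    this.timer = this.t.setTimeout(() => {
      this.state = 'warning';
      this.showWarning(this.warningMs);
      // Reuse the same handle for the countdown: activity no longer resets it.
      this.timer = this.t.setTimeout(() => this.endSession(), this.warningMs);
    }, this.sessionTimeoutMs - this.warningMs);
  }

  endSession() {
    this.state = 'loggedOut';
    this.t.clearInterval(this.interval);
    this.logout();
  }
}

// Tiny deterministic scheduler standing in for the browser timers.
class FakeTimers {
  constructor() { this.now = 0; this.queue = []; this.nextId = 1; }
  setTimeout(fn, ms) { const id = this.nextId++; this.queue.push({ id, fn, at: this.now + ms }); return id; }
  clearTimeout(id) { this.queue = this.queue.filter(e => e.id !== id); }
  setInterval(fn, ms) { const id = this.nextId++; this.queue.push({ id, fn, at: this.now + ms, every: ms }); return id; }
  clearInterval(id) { this.clearTimeout(id); }
  advance(ms) {                               // run everything due within the next ms
    const end = this.now + ms;
    for (;;) {
      const due = this.queue.filter(e => e.at <= end).sort((a, b) => a.at - b.at)[0];
      if (!due) break;
      this.now = due.at;
      if (due.every) due.at += due.every; else this.queue = this.queue.filter(e => e !== due);
      due.fn();
    }
    this.now = end;
  }
}

// Scenario: 20-minute session, 1-minute keepalive, 30-second warning. The user
// is active once at 19:10, goes idle, sees the dialog at 38:40, and either
// clicks "Keep Working" or lets the 30 seconds run out.
function runScenario(clickKeepWorking) {
  const t = new FakeTimers();
  const log = [];
  const m = new InactivityMonitor({
    sessionTimeoutMs: 20 * 60 * 1000, warningMs: 30 * 1000, keepAliveMs: 60 * 1000,
    sendKeepAlive: () => log.push('keepalive'),
    showWarning: () => log.push('warning'),
    logout: () => log.push('logout'),
    timers: t,
  });
  m.start();
  t.advance(19 * 60 * 1000 + 10 * 1000);
  m.activity();                                   // timeout now due at 19:10 + 19:30 = 38:40
  t.advance(m.sessionTimeoutMs - m.warningMs);    // dialog appears
  const stateAtWarning = m.state;
  if (clickKeepWorking) m.keepWorking();
  t.advance(m.warningMs);                         // countdown runs out (or not)
  return { stateAtWarning, finalState: m.state,
           keepalives: log.filter(x => x === 'keepalive').length, log };
}
```

In a real page the `activity()` method is what the click and keystroke listeners call, and `sendKeepAlive` is the "RememberMe" request; the keepalive interval keeps running through the countdown and is only stopped when the session is actually closed, so a user who clicks "Keep Working" never had a gap in server-side liveness.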
Be careful with how you store the session id on the client. A mistake I commonly see is treating the session id like it is a secure piece of information. It is not. You should protect it as carefully as you would protect the password.
How would you suggest storing this data then? Obviously the cookie won't work (easy to read), the session variables are still snoopable if someone wants, and in the POST request is the worst idea of all.
Originally Posted by mmusson
I'm not really up on what all today's common web security practices are.
I think harley has a good approach for his application but it doesn't really work all that well for mine. One of the applications is expected to eventually roll out to over 1,000 people, and then more looking to the future, which could end up being multiple thousands of small packets hitting the server every minute.
For right now I've just set it up as Condor suggested (with a few tweaks). At application load I set a default session length of 10 minutes. I then send a request to the server to get the current session ending time minus 15 minutes (these are really long sessions, I can spare 15 minutes at the end to make sure server sync errors don't happen). I have an Ext.TaskMgr that checks every 10 seconds to see if the current time is past the end session time.
At 5 minutes before the user is going to time out, I give a modal window allowing them to just click to keep their session. If they do, I update the end timer; if they don't, at the end I hide the modal window and pop up a new one saying they've been logged out, with the only option being going back to the login screen (this is an application that ties into something else, no direct user/pass combination).
It's not exactly optimal but it's how the company I work for makes me do things. Until they aren't paying the bills I have to do things the wrong way.
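The expiry-time approach from the first post and from the final post above, as an added example that is not the poster's code: `poll()` is what an Ext.TaskMgr task (or a click handler) would call, and `updateFromResponse()` is what a handler on Ext.Ajax's requestcomplete event, as Condor suggests, would feed with each reply's sessionTimeout. It is written without Ext.JS so it runs in Node; the class and field names, the 10-minute default, the 5-minute warning and the constructed server replies are this example's own assumptions.

```javascript
// Added example, not the poster's code: the expiry-time approach from the first
// and final posts, without Ext.JS so it runs in Node. poll() stands in for the
// Ext.TaskMgr task; updateFromResponse() stands in for an Ext.Ajax
// requestcomplete handler. Names and the sample timings are assumptions.

class SessionClock {
  constructor({ warnBeforeMs, onWarn, onExpired }) {
    this.warnBeforeMs = warnBeforeMs; // e.g. 5 minutes: open the "stay connected" window
    this.onWarn = onWarn;             // callback(msLeft): show the modal
    this.onExpired = onExpired;       // callback(): show the "logged out" / re-login modal
    this.expiresAt = null;            // epoch ms when the client treats the session as over
    this.phase = 'ok';                // 'ok' | 'warned' | 'expired'
  }

  // At application load: a default length until the server has answered.
  setDefault(nowMs, lengthMs) {
    this.expiresAt = nowMs + lengthMs;
    this.phase = 'ok';
  }

  // Every reply carrying sessionTimeout (epoch ms) moves the deadline. The final
  // post has the server subtract its 15-minute margin before replying, so the
  // client takes the value as-is.
  updateFromResponse(body) {
    if (body && typeof body.sessionTimeout === 'number') {
      this.expiresAt = body.sessionTimeout;
      this.phase = 'ok';
    }
  }

  // Called every few seconds (and on clicks). Returns the current phase and
  // fires each callback once per crossing, so the modal is not re-opened on
  // every tick.
  poll(nowMs) {
    if (this.phase === 'expired') return 'expired';
    if (nowMs >= this.expiresAt) {
      this.phase = 'expired';
      this.onExpired();
    } else if (this.phase === 'ok' && nowMs >= this.expiresAt - this.warnBeforeMs) {
      this.phase = 'warned';
      this.onWarn(this.expiresAt - nowMs);
    }
    return this.phase;
  }
}

// Scenario (times in minutes from load): 10-minute default, server says the
// session ends at 45, user clicks "stay connected" at 40, then goes idle.
function runScenario() {
  const MIN = 60 * 1000;
  const events = [];
  const clock = new SessionClock({
    warnBeforeMs: 5 * MIN,
    onWarn: (left) => events.push('warn:' + left / MIN),
    onExpired: () => events.push('expired'),
  });
  clock.setDefault(0, 10 * MIN);
  clock.updateFromResponse({ sessionTimeout: 45 * MIN });   // constructed server reply
  const phases = [];
  phases.push(clock.poll(39 * MIN));                        // ok
  phases.push(clock.poll(40 * MIN));                        // warned, 5 minutes left
  clock.updateFromResponse({ sessionTimeout: 85 * MIN });   // "stay connected" round trip
  phases.push(clock.poll(41 * MIN));                        // ok again
  phases.push(clock.poll(80 * MIN));                        // warned
  phases.push(clock.poll(85 * MIN));                        // expired
  phases.push(clock.poll(86 * MIN));                        // stays expired, no second callback
  return { phases, events };
}
```

Because the client only compares its own clock against an absolute deadline the server handed it, clock skew between the two shows up directly as early or late warnings; that is the reason the final post shaves 15 minutes off the server's time rather than trusting the two clocks to agree.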