Is it safe to keep session alive using ajax request?

2

8

I recently implemented a small snippet of JavaScript in my Master page that does an AJAX request every 30 seconds to keep the session alive. I know there are several questions regarding keep-alive, but I haven't really been able to find answers to these specific questions.

My questions are:

  1. Is it safe to do this? As in, will this have any adverse effects if there are many concurrent users/connections?

  2. Can I implement an extended timeout using this method or will I have to use cookies?

  3. I don't know much about cookies, but are these relatively acceptable to use now? Or will there be users who don't allow them - will they be able to use my site?

Thanks everybody!

Trisaccharide answered 1/3, 2012 at 23:56 Comment(0)
7
  1. Yes, it's safe. As far as load goes, that's up to your hardware and how you write it, but it has no worse effect than users refreshing the page (arguably less considering the overhead of an AJAX call over a standard page load).
  2. You can adjust the timeout in the web.config if that's what you're asking...
  3. That's a personal call on you. Cookies have their purpose, and I find them acceptable as long as it's your domain, but do realize some people disable them and so it comes down to having a fall-back.

Some things to keep in mind though:

  1. Banks use the same methodology to keep your session going while you're checking your finances, but usually offer a popup just before to ask if you'd like to continue.
  2. Keeping a user forcefully logged in for longer than a normal duration can be a security risk (picture someone logging in at a library or school computer and leaving their desk--should that session continue on into the next day [or longer]?)
Doorjamb answered 2/3, 2012 at 0:3 Comment(2)
Thanks for the info. The user isn't sharing any sensitive data, so I think I will just keep refreshing the session. I'm thinking I will set the timeout to about a minute longer than my refreshing frequency (so that if the browser is closed the session will end as quickly as possible) - but that poses another question... how frequently do you think I can refresh the session without it being TOO frequent? - Trisaccharide
@Shannon: Most sessions that aren't personal security related (that I've seen) are around the 20-30 minute mark. Banking websites are probably around 3-5 minutes. I would stick as close to the actual expiration as possible, as it's unnecessary load to poll any more frequently. - Doorjamb
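
The two caveats in the answer above (a "continue?" prompt shortly before expiry, and not keeping an unattended session alive indefinitely) can be built into the keep-alive timer itself. This is an added example, not code from the thread; the interval values, the function names and the injected `ping`, `showPrompt` and `logout` callbacks are assumptions.

```javascript
// Assumed values for illustration; pick them from your own server-side timeout.
const PING_INTERVAL_MS = 5 * 60 * 1000;       // refresh an active user's session this often
const IDLE_LIMIT_MS = 15 * 60 * 1000;         // no input for this long: stop pinging, ask
const PROMPT_GRACE_MS = 60 * 1000;            // how long the "continue?" prompt stays open
const ABSOLUTE_LIMIT_MS = 8 * 60 * 60 * 1000; // hard cap, however active the user is

// Pure decision: what the keep-alive timer should do at time `now` (ms).
function keepAliveDecision(state, now) {
  if (now - state.loginAt >= ABSOLUTE_LIMIT_MS) return 'logout';
  const idle = now - state.lastActivityAt;
  if (idle >= IDLE_LIMIT_MS + PROMPT_GRACE_MS) return 'logout';
  if (idle >= IDLE_LIMIT_MS) return 'prompt';
  if (now - state.lastPingAt >= PING_INTERVAL_MS) return 'ping';
  return 'wait';
}

// Wiring with injected side effects, so it runs in a browser or under Node.
function createKeepAlive({ now, ping, showPrompt, logout }) {
  const start = now();
  const state = { loginAt: start, lastActivityAt: start, lastPingAt: start, prompting: false };
  return {
    state,
    // Call from real input events (keydown, click) and from the prompt's "continue" button.
    recordActivity() {
      state.lastActivityAt = now();
      state.prompting = false;
    },
    // Call from a short timer, e.g. setInterval(() => keepAlive.tick(), 10000).
    tick() {
      const action = keepAliveDecision(state, now());
      if (action === 'ping') {
        state.lastPingAt = now();
        ping(); // e.g. an AJAX request to a lightweight authenticated endpoint
      } else if (action === 'prompt' && !state.prompting) {
        state.prompting = true; // show the prompt once, not on every tick
        showPrompt();
      } else if (action === 'logout') {
        logout();
      }
      return action;
    },
  };
}
```

The server still has to enforce its own idle and absolute timeouts; this client logic only decides when to stop asking for an extension.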
0

About the cookies: they are very acceptable to use. Almost all sites save cookies on the users; they have to. There are users who don't allow them, but the programmer can overcome it by changing the security of the browser (there's a constitutional problem in this case). You can see if the site is saving a cookie in your browser.

Moose answered 2/3, 2012 at 0:2 Comment(0)
