Chrome extension to circumvent Idle logout

Some banking and financial sites automatically log you out when they think you are idle. Is there a way for me to inject a script into the page that can fake that I am not idle?

I tried this: setInterval(() => document.body.click(), 1000 * 60 * 5) // Click every 5 minutes

but it did not work and I still got logged out:


Again, this is not intended for any malicious purpose - I monitor my stock positions on Fidelity by keeping my stock positions screen open in one monitor while I do my work on the other monitor but Fidelity keeps showing an idle warning and logs me out every 30 minutes.

Note, in this particular case, the site is listening to click, touchstart, keydown and scroll events as well as document.visibilityState:


Some notes:

  1. I cannot simply refresh the page every x minutes because the page has some UI state (e.g. sort order of my positions in a table) that would get lost

  2. I tried a dumb pyautogui script that moves my mouse and clicks on the page and that works! So why can't I do this in Chrome?

Palladium answered 14/2 at 19:6 Comment(21)
What is click? That's not a built-in browser method, and you only have it defined later down in a different closure. Have you tried inspecting your browser extension and checking the console for errors? - Barimah
@sheng: Updated to document.body.click() - Palladium
@cssyphus: Sure, but what script to write so that it does not trigger inactive detection? - Palladium
Did you reverse engineer how their inactive detection works? Don't think they're listening to click events on the body, you'll need to find that out before you could write some js to counter it. - Synapse
@0stone0: I don't want to build one for each and try to handle individually what each site does. I was wondering about something generic (e.g. somehow trigger focus and then trigger back) that would work no matter what detection mechanism any site is using - Palladium
@0stone0: Anyway I still updated the question with a screenshot - this site is listening to click, touchstart, keydown and scroll events. - Palladium
Hmm, this is an interesting one, especially with your added code snippet of their activity detection. Have you tried setting a breakpoint and manually running document.body.click() to see if it reaches that line of code you screenshotted? Then there's always the "dumb" option of refreshing the page or navigating back and forth every so often. - Barimah
See if there are any useful ideas in this answer: stackoverflow.com/a/77936551 - Husein
@cssyphus: I tried document.body.dispatchEvent(new Event('click', {bubbles: true})) and I also put a console.log to verify it's getting triggered: github.com/pathikrit/chrome_ai/commit/… Still does not work - Palladium
@sheng: It's a bit hard since the code is obfuscated - anyway my goal is to write something generic for any website and not just for this particular site so I don't want to waste too much time reverse engineering one site. Looking at the source, it does seem they are watching click, scroll events etc. but when I trigger these on document.body it does not prevent logout - Palladium
@wOxxOm Do you have any ideas on this one? - Husein
@Palladium My generic suggestion would be to try and redirect the page every so often using query params that are unlikely to trigger any website actions. E.g. example.com?_my-reload-extension=TIMESTAMP or something similar. - Barimah
@sheng: You don't need a query param, just window.location.reload(), but this won't work since I would lose state - in this particular case I have my stock positions open sorted by the percent change column. If I refresh the page, it loses that UI state. There must be a way to fake a user presence event, no? - Palladium
@Palladium Ah, face palm moment on the reload portion, haha. Yes, if Fidelity is simply looking for a window.addEventListener('click') and you are triggering document.body.click() every so often, that should be enough. Your results are telling me there's something else at play. Without looking at Fidelity's code, I can't say why what you're trying isn't working. (Are they using the page visibility API? Are they looking for more than just a click? Mouse move? You'll have to debug this further.) - Barimah
Fwiw, I was able to confirm document.body.click() does indeed trigger Fidelity's expandOrRenewSession method by setting a breakpoint. Set a timer for 35 minutes, minimized Chrome, ran your snippet (setInterval(() => document.body.click(), 1000 * 60 * 5)), and sure enough, when I returned I was logged out. Two hunches: (1) Fidelity watches to see if the window gets blurred, or (2) the browser is putting the tab to sleep. Or this method is a total red herring. - Barimah
What is the definition of the Qe function? Did you try calling the function directly? - Ipa
@SalmanA: Again, I don't want to do anything specific to Fidelity - need a generic mechanism. - Palladium
@sheng: What happens when you leave the window on top (in my case, I leave it on in another monitor)? - Palladium
@sheng: I updated the screenshot - looks like the code is also looking for document.visibilityState === 'visible' - Palladium
@Palladium Nice find! You might try spoofing visibility state, but you're officially in the wild west, my friend. Good luck! 🫡 - Barimah
@Palladium If your objective is to keep the page open, you do not have to inject anything, simply make a macro and run it in your OS through PowerShell and let it refresh the page or do any clicks. I can tell you how if this works for you - Archimandrite

As a full-stack programmer, you should know that a web application which does not implement timeouts server-side is going to be very insecure. I.e. to prevent timeouts you need to generate requests which are not cacheable and which hit the application logic (not static content). There is no generic solution to this - you need to study the application to find a URL you can hit which will update the session activity without generating any financial transaction.

Alps answered 15/2 at 21:12 Comment(3)
The site does not log me out if I do something (e.g. simply scroll around) on the page. So even if the site is doing server-side stuff, I could theoretically mimic interaction on the site and prevent timeout. A really dumb Python program using pyautogui which clicks on the window works! That's why I posted the original question asking if there was a way to do this using a Chrome extension. - Palladium
Then either the site is not very secure or it's making requests server-side which you should be able to see in developer tools (or it's doing really dumb stuff with web sockets) - Alps
The site is quite secure - it's fidelity.com - it's watching for mouse, scroll events and makes periodic requests to digital.fidelity.com/prgw/digital/login/session-timeout/… My question is: if I simply manually click on the site every 15 minutes it does not log me out, or even if I click with a robot clicker. So why can't I do this with a Chrome extension? - Palladium
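
The server-side enforcement this answer refers to, as an added example that is not part of the thread and not Fidelity's code: a session store that makes the idle decision on the server, renews only on requests that hit application logic or a keep-alive endpoint, and bounds keep-alive pings with an absolute lifetime. All names are hypothetical, and the 8-hour absolute cap is an assumption (only the 30-minute idle window comes from the question).

```javascript
// Added example (not from the thread). All names are hypothetical.
const MIN = 60 * 1000;
const IDLE_LIMIT_MS = 30 * MIN;          // idle window mentioned in the question
const ABSOLUTE_LIMIT_MS = 8 * 60 * MIN;  // assumed hard cap, not from the page

class SessionStore {
  constructor(now = () => Date.now()) {
    this.now = now;               // injectable clock so the logic can be tested
    this.sessions = new Map();
  }
  create(id) {
    const t = this.now();
    this.sessions.set(id, { createdAt: t, lastActivity: t });
  }
  // kind: 'app' (request hitting application logic), 'renew' (client
  // keep-alive ping), or 'static' (cacheable asset; never renews).
  touch(id, kind) {
    const s = this.sessions.get(id);
    if (!s) return 'expired';
    const t = this.now();
    const idle = t - s.lastActivity > IDLE_LIMIT_MS;
    const tooOld = t - s.createdAt > ABSOLUTE_LIMIT_MS;
    if (idle || tooOld) {
      this.sessions.delete(id);   // expiry is decided here, not in page script
      return idle ? 'expired-idle' : 'expired-absolute';
    }
    if (kind !== 'static') s.lastActivity = t;
    return 'active';
  }
}

// Replays one request of `kind` every `stepMin` minutes against a fresh
// session and reports the minute at which the server ends it.
function minutesUntilExpiry(kind, stepMin, maxMin = 24 * 60) {
  let t = 0;
  const store = new SessionStore(() => t);
  store.create('s1');
  for (let m = stepMin; m <= maxMin; m += stepMin) {
    t = m * MIN;
    const r = store.touch('s1', kind);
    if (r !== 'active') return { minute: m, reason: r };
  }
  return null;
}
```

Because client-reported activity cannot be verified by the server, the absolute lifetime is the only bound that holds regardless of what the page script or an extension does.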

I would inject an iFrame into the page and then keep refreshing the iFrame.

Something like this in jQuery:

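// Add a hidden, zero-size iframe to the page
$('body').append('<iframe id="pulse" style="width:0;height:0;border:none"></iframe>');

// Reload the iframe every 5 minutes with a cache-busting parameter
setInterval(() => { $('#pulse').attr('src', 'http://' + '&blah=' + Math.random()); }, 1000 * 60 * 5);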
Hindi answered 23/2 at 14:26 Comment(0)
