What is the best way to protect user inputs (not yet sent) from the session timeout?

Question

What is the best way to protect user inputs (not yet sent) from the session timeout?

I develop and maintain small intranet web applications (JSP and Resin).

Some users take so long to fill out forms, when they submit, they lose all their input due to the session timeout.

I have currently extended the session timeout to 30 minutes and display a countdown to the session timeout at the top of the page, but, I think there should be better ways to protect user inputs.

What are the best practices?

Addendum Our users make several reports using a web application, and the entire contents of each report is stored in a JavaBean stored in the session.

As suggested by some, Ajax or iframe should perform a quick fix.

Now I know that it’s better not to abuse the session with heavy objects, but I'm not sure how best to reorganize the current mess. Some people have suggested making the web application standstill. Any refactoring suggestions are welcome.

+4

java web-applications

ulm Oct 31 '08 at 12:45

source share

9 answers

Musigenesis · Answer 1 · 2008-10-31T01:20:25+0000

This may or may not be the case with your map, but I think that if your page just uses AJAX to call the server every five minutes (or something else), then this will support your user session. You do not even need to do partial preservation of your form in this way.

Jere.jones · Answer 2 · 2008-10-31T01:22:33+0000

Make your applications standstill on the server side. You can enable any state that you want to save in hidden input fields. If security is a problem, you can encrypt the data before putting it in the field.

An example would be something like this in your form:

<input type="hidden" name="user" value="bob" /> <input type="hidden" name="currentRecordId" value="2345" /> <input type="hidden" name="otherStuff" value="whocares" />

The main advantage of this is that your web application can do whatever it takes for this page. He does not need session variables, because everything he needs is on the page he just received. Now it does not matter how much time they take, because the session does not expire.

The second advantage is that it reduces the load on your server, since it does not periodically poll your users.

cofiem · Answer 3 · 2008-10-31T00:55:53+0000

I only recently needed to find solutions to this problem.

The most promising area was the use of AJAX for periodically checking data input and sending it to the server. If the browsers running in your company support AJAX, this is one of the possibilities.

Another possible solution would be to split the forms up so that each section is small enough to be populated and submitted within the session timeout.

Nemi · Answer 4 · 2008-10-31T01:41:07+0000

If you are creating an application for a limited number of users (for example, company intranets) and you do not want people to keep logging all day or to lose their input when sitting for long periods of time, you can keep sessions unlimitedly open only to people that have their browser open for your website without a session timeout. As soon as they close the website, the session will end as usual.

What you need to do is add a hidden iframe somewhere on the page. Let the iframe point to a simple html document served by your application server, which has a meta tag in it to update every 29 minutes (for a session that expires after 30 minutes). Thus, while a person has your web page open, their session will not expire. However, when they move from your site, it expires as usual. You get unlimited session durations without compromising session results that get out of hand.

I successfully deployed this solution in a corporate environment at my previous place of work. The web application replaced the old green screen application, and it was unacceptable for them to go to lunch and, for example, expire the application.

Let me know if you need more examples.

Jack leow · Answer 5 · 2008-10-31T02:03:52+0000

I would recommend looking for a stateless alternative (one that does not rely on session attributes) on what you are doing.

We can help more if we find out what exactly you rely on for sessions.

Jasper beckers · Answer 6 · 2008-10-31T00:57:05+0000

You can store data in a cookie every once in a while, use Gears as a temporary storage (if the data is complex or requires more than 4K storage) or send temporary data to the server every second using AJAX.

Nrj · Answer 7 · 2008-10-31T08:32:14+0000

Mmm ..

How to display an invitation to the user about a session that is expiring is to save the data (say, 5 minutes before) so that they can save the data. Thus, they know what they need to save, and if the session really needs to be expired, it will be done later if they do not respond.

This is an alternative if you want to avoid continuous ping on the server using AJAX.

Steve McLeod · Answer 8 · 2008-10-31T09:05:08+0000

Do not use a session object. This is the cause of all kinds of usability problems - as you discover.

This is my golden rule of web application development: do not use a session.

Having said that, use it sparingly for things that simply cannot be done otherwise.

mangas · Answer 9 · 2015-11-09T10:54:08+0000

I would call "after checking Ajax that the session has expired" of a popup form in a modal window that the user must log into again, this popup overlay will be on top of the current page / form. This way data will not be lost.

PN Update the session token if U has one ... in a hidden field.

What is the best way to protect user inputs (not yet sent) from the session timeout?

More articles: