We have implemented a system similar to the one described in this other SO post. In principle, if the user does nothing for 14 minutes, we suggest that they log out. If they click "keep me logged in," we make an Ajax request to keep their session alive; otherwise they are redirected to the logout page after a minute.
It works very well and is similar to the systems used on sites such as mint.com and bankofamerica.com. The only problem is that users of our application tend to have several tabs open to access different data. So the problem is that they can be actively working in one tab, but then the other tab will time out and log them out. This causes a sudden session timeout that the user did not expect. BTW, mint.com has the same problem.
So I was wondering if anyone has any ideas on how to deal with this?
I have one idea: each request could set a "last active time" cookie. On an automatic logout, the server could check this last active time and, if it is fairly recent, not log them out. Of course, a manual logout would ignore this cookie, so if the user wants to log out, they can do so at any time. However, I am afraid that this may pose some kind of security risk that I do not see right now. Thoughts?
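Added example, not code from the question or from any of the sites it names: a multi-tab-aware idle timer in JavaScript. The "last activity" timestamp is written to a storage shared by every tab of the same origin (window.localStorage in a browser; an in-memory stand-in here so the core logic also runs under Node), so activity in any tab resets the countdown in all of them, and a tab that is already showing the warning can dismiss it when another tab is used. All names and values (IDLE_KEY, the 14/15-minute thresholds, the /session/keepalive and /logout paths, the keepAlive/logout/showWarning/hideWarning callbacks) are assumptions for illustration.

```javascript
// Added example (not from the original post): a multi-tab idle timer whose
// "last activity" timestamp lives in a storage shared by all tabs of one origin.
// In a browser that storage is window.localStorage; here it is injected so the
// core logic runs (and can be tested) outside a browser.
//
// IDLE_KEY, the thresholds, the endpoint paths and the callbacks are hypothetical.

const IDLE_KEY = 'session:lastActive';   // key shared by every tab on this origin
const WARN_AFTER_MS = 14 * 60 * 1000;    // show the "keep me logged in?" prompt
const LOGOUT_AFTER_MS = 15 * 60 * 1000;  // redirect to the logout page

// Minimal in-memory stand-in for window.localStorage (used when no browser is present).
function memoryStorage() {
  const map = new Map();
  return {
    getItem: (k) => (map.has(k) ? map.get(k) : null),
    setItem: (k, v) => { map.set(k, String(v)); },
  };
}

class IdleTracker {
  // storage: localStorage-like object; now: clock returning ms since epoch
  constructor(storage, now = () => Date.now()) {
    this.storage = storage;
    this.now = now;
    this.touch();
  }

  // Record user activity. The timestamp goes to the shared storage, so activity
  // in any tab counts for every tab.
  touch() {
    this.storage.setItem(IDLE_KEY, String(this.now()));
  }

  // Milliseconds since the most recent activity in *any* tab.
  // A missing or corrupted timestamp counts as "idle forever" (fails closed).
  idleFor() {
    const last = Number(this.storage.getItem(IDLE_KEY));
    return Number.isFinite(last) && last > 0 ? this.now() - last : Infinity;
  }

  // 'active' -> nothing to do; 'warn' -> show the prompt; 'expired' -> log out.
  state() {
    const idle = this.idleFor();
    if (idle >= LOGOUT_AFTER_MS) return 'expired';
    if (idle >= WARN_AFTER_MS) return 'warn';
    return 'active';
  }
}

// Browser wiring (skipped under Node). Every tab runs this; the 'storage' event
// fires in the *other* tabs when one tab writes the key.
function installInBrowser(keepAlive, logout, showWarning, hideWarning) {
  const tracker = new IdleTracker(window.localStorage);
  const activity = ['mousemove', 'keydown', 'click', 'scroll', 'touchstart'];
  activity.forEach((ev) => window.addEventListener(ev, () => tracker.touch(), { passive: true }));

  // "Keep me logged in": touch locally and extend the server-side session.
  const keep = () => { tracker.touch(); keepAlive(); };

  let warned = false;
  setInterval(() => {
    const s = tracker.state();
    if (s === 'expired') { logout(); return; }
    if (s === 'warn' && !warned) { warned = true; showWarning(keep); }
    if (s === 'active' && warned) { warned = false; hideWarning(); }
  }, 1000);

  window.addEventListener('storage', (e) => {
    if (e.key === IDLE_KEY && warned && tracker.state() === 'active') {
      warned = false; hideWarning();   // another tab was used: drop the prompt
    }
  });
  return tracker;
}

if (typeof window !== 'undefined' && typeof window.localStorage !== 'undefined') {
  installInBrowser(
    () => fetch('/session/keepalive', { method: 'POST', credentials: 'same-origin' }), // hypothetical endpoint
    () => { window.location.href = '/logout'; },                                       // hypothetical logout page
    (keep) => { if (window.confirm('Stay logged in?')) keep(); },   // a real app would render a dismissible banner
    () => {},
  );
}
```

Design note: the cross-tab coordination stays entirely on the client, and the server session is only ever extended by the keep-alive request that the user's own browser sends. The server never reads a client-writable "last active" value to decide whether a session lives on, so nothing in this scheme asks the server to trust a timestamp an attacker could set in a cookie.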