Reputation: 587
I am using Spring Acegi security for single sign-on across multiple applications. I need to extend the session timeout on the client side if the user is writing something in the browser too. If the user has opened multiple sessions or browsers, then I need to consider the active session across all the sessions he opened. If he is active, then I should not log him off even though he is inactive in other sessions. Please suggest any ideas on how to track and know this on the client side too.
Running application app1 in two tabs, say tab1 and tab2. Timeout is 10 minutes. So we implemented timeout functionality in JavaScript, which is on the client side. This code gives a confirm box after 10 min. If the user says continue, we extend the session by firing the alive URL. This works if the application is running in a single tab.
The same application app1 is open in multiple tabs, say tab1, tab2. Here application app1 is opened in two tabs but with a single session. We are working in the application opened in tab2 and not using the application in tab1. So the application in tab1 is inactive for 10 min. Then the application in tab1 gives a confirm box, and if we don't answer that confirm box, tab2 will make the application log out. So what is the solution for not logging out while we are working in the application on tab2? Any ideas? How to track whether the application is active in other tabs?
Upvotes: 1
Views: 5462
Reputation: 12183
You should be able to store a lastActivity timestamp in localStorage.
Upvotes: 2
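One way to implement the shared lastActivity timestamp suggested in the answer above, so that the confirm box appears only when every tab has been idle. This is an added example, not code from the original posts; the key name, the function names and the `idle-timeout` event are assumptions.

```javascript
// Added example: cross-tab idle tracking through one shared localStorage key.
// KEY, the 10-minute default and all function names are illustrative assumptions.
const KEY = 'lastActivity';

function createIdleTracker({ storage, now = Date.now, timeoutMs = 10 * 60 * 1000 }) {
  // Record activity; every same-origin tab reads the same value.
  function touch() {
    storage.setItem(KEY, String(now()));
  }

  // Milliseconds since the latest activity in ANY tab of this origin.
  // Missing, malformed or future-dated values count as idle (fail closed).
  function idleMs() {
    const last = Number.parseInt(storage.getItem(KEY), 10);
    if (!Number.isFinite(last) || last > now()) return Infinity;
    return now() - last;
  }

  // True only when no tab has seen activity within the timeout window.
  function shouldPrompt() {
    return idleMs() >= timeoutMs;
  }

  return { touch, idleMs, shouldPrompt };
}

// Browser wiring (skipped outside a browser).
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  const tracker = createIdleTracker({ storage: window.localStorage });
  let lastWrite = 0;
  const onActivity = () => {
    // Throttle: one write per 5 s is ample for a 10-minute timeout.
    if (Date.now() - lastWrite > 5000) {
      lastWrite = Date.now();
      tracker.touch();
    }
  };
  ['keydown', 'mousedown', 'scroll', 'touchstart'].forEach((name) =>
    document.addEventListener(name, onActivity, { passive: true }));
  tracker.touch();

  setInterval(() => {
    // Show the confirm box only when every tab has been idle; the event name
    // is an assumption for the page's existing prompt code to listen for.
    if (tracker.shouldPrompt()) {
      window.dispatchEvent(new CustomEvent('idle-timeout'));
    }
  }, 30 * 1000);
}
```

localStorage is scoped to a single origin, so this covers several tabs of app1 but not app1 and app2 on different hosts. The stored value is client-controlled, so the server-side session timeout stays the enforcing control.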
Reputation: 587
Modified the code in JavaScript to fire an AJAX request to the server and find the latest activity. If the latest activity is less than 10 mins then there is no logout.
Upvotes: 0
Reputation: 21996
The simplest thing would be to associate the sign-in session with a shared domain. Say you have app1.domain.com, app2.domain.com, app3.domain.com, BUT you have the SSO take place on domain.com, and they all share that session cookie. This is just a matter of setting the domain on the session cookie -- I believe you can do this in the configuration. Anyway, this is pretty easy to do, so if this works with your problem, go for it. (Maybe there's some tricky way to do this without that domain hierarchy, but I'm not sure what it is.)
If that isn't workable, you may need a different way to store sessions. My first thought would be to put the sessions in the database. With these, you can synchronize and centrally manage the timeouts. This may require a little bit of custom code-- but it shouldn't be that much.
Not sure this is applicable, but I wrote my thoughts on implementing timeout on the client side as well.
Upvotes: 0
Reputation: 6152
This is not a straightforward answer. (Since I do not think there is a solution for that.)
You could try to fire a pixel(*) between the applications and by that extend the session time.
Let's say that you have:
app1, app2, app3
The user logged in to app1 and app2 and he is working only on app1. If you fire a pixel from his browser to app2 on every HTTP request he makes on app1, he is supposed to be alive on app2 as well.
I think that if you fire the pixel every 2 minutes between the applications app1, 2 and 3 you can keep the session alive between the apps.
I have done this trick in a PHP application; it wasn't so easy, but it is doable.
*pixel - it is a hidden HTTP request that runs a script on the server side. You can do it via ajax, img, script src="", iframe and more.
Upvotes: 1