Auto Sign out

By: Chris Dunn

This functionality seems to be more prominent on financial websites than others, but something all sites should consider.  Even though we automatically expire someones session or login, sensitive information can still exist on the page. Unless the page makes a call to the server, the page won't know the session has expired.  So, if you see auto-sign out show up in your specs, here's how you do it.

Setup

The following javascript code needs to function in cooperation with your server authentication code which creates the authentication cookie. The auto sign-out actually occurs on the server with your timeout.  This is not a replacement for that code. The expiration of the cookie is still coded server side. 

All we are doing here is literally refreshing the page after x number of minutes if the user doesn't do anything. If the user moves a mouse, clicks, scrolls or presses a key, the timer resets. We are checking for user activity to reset the timer. If nothing resets the timer, then after x minutes, the page refreshes.

This will trigger server side authentication check which handles the sign-in redirect from there. Be aware that the window.onload = resetTimeout; is important as it triggers the initial timer.

function inactiveTimeout() {
    var tmr;

    window.onmousemove = resetTimeout;
    window.onmousedown = resetTimeout;
    window.onclick = resetTimeout;
    window.onscroll = resetTimeout;
    window.onkeypress = resetTimeout;
    window.onload = resetTimeout;

   function refresh() {
          window.location = self.location.href;
   }

   function resetTimeout() {
        clearTimeout(tmr);
       tmr = setTimeout(refresh, 30000);
       
    }
}
inactiveTimeout();

There's really not a lot of magic going on here. We are simply refreshing the page, if the user is not active in the browser.  The refresh triggers the normal request life cycle which should clear the sensitive information from the page and redirect to the login page.