Free Software

Software Engineering with FOSS and Linux

Preventing session expiration with AJAX

Lately I have noticed an increase in issues related to session expiration in web pages. There are two cases that come to mind:

  • Traditional forms that may take the users too long to fill and submit, perhaps because they need to seek data from several sources, such as curriculum info or references.
  • Rich Internet Applications, which may delay to communicate with the server long enough for a session to expire, even though the users act under the delusion of a constant communication and a consistent state of their data.

Increasing the session timeout is only a partial solution, as it affects the server load and doesn’t fully address the problem since users may still face an unexpected session timeout if their behavior diverts from the expected scenarios. A better way is to use a simple AJAX call to periodically renew your session, as long as your web page is still open in the browser. You can do that using the setInterval() JavaScript function or its equivalent in the framework of your choice. With jQuery, you could use something like this:

    $(document).ready( function() {
        var refreshTime = 600000; // in milliseconds, so 10 minutes
        window.setInterval( function() {
            var url = 'http://mysite.mydomain/refreshSessionURL';
            $.get( url );
        }, refreshTime );

The url variable should point to a page that does nothing but refreshing a session. If your application is in PHP, a simple session_start() will do.  If you are using an MVC framework, you could use a controller that renders nothing back and let the framework handle the session renewal.

One possible caveat using this approach is AJAX caching. If it is enabled (some browsers, including IE, enable it by default), it is possible that only your first call will be sent to the server. There are two approaches. The most simple one is to disable AJAX caching completely. In jQuery, this can easily be done using a $.ajaxSetup( {cache:false} ) call. Another possible way is by attaching some random parameter to your session-refreshing URL that will be ignored by the server.

Finally, you should be aware of the security implications of never letting a session to expire. Depending on the requirements of your application, you should consider using a user inactivity test to prevent session renewal or even cause a session to expire.

June 19, 2010 Posted by | Programming, web | , , , , , , | 6 Comments