Our application has a 30 min auto-expiring session - the session is renewed on server communication. What is the best way to communicate an expiring session to the user? My initial thought is a to display a modal warning shortly before expiration with "your session is about to expire [continue]" (better wording?) which allows the user to continue (communicating in the background to renew the session). • Is it ever appropriate to display a session timer to the user? • Is it ever appropriate to expire a session without the user having an opportunity to extend it? • Do users need to be aware of when the session will expire as long as they will have the option to extend it?For more understanding : click
<%@ page import = "com.kartik.config.SessionUtil" %>
<html>
<head>
<script type="text/javascript">
/////////////////////////////////////////////////////////////////////////////
//////////////////Below code for Right click disable/////////////////////////
////////////////////////////////////////////////////////////////////////////
window.onload = function() {
document.addEventListener("contextmenu", function(e){
e.preventDefault();
}, false);
document.addEventListener("keydown", function(e) {
//document.onkeydown = function(e) {
// "I" key
if (e.ctrlKey && e.shiftKey && e.keyCode == 73) {
disabledEvent(e);
}
// "J" key
if (e.ctrlKey && e.shiftKey && e.keyCode == 74) {
disabledEvent(e);
}
// "S" key + macOS
if (e.keyCode == 83 && (navigator.platform.match("Mac") ? e.metaKey : e.ctrlKey)) {
disabledEvent(e);
}
// "U" key
if (e.ctrlKey && e.keyCode == 85) {
disabledEvent(e);
}
// "F12" key
if (event.keyCode == 123) {
disabledEvent(e);
}
}, false);
function disabledEvent(e){
if (e.stopPropagation){
e.stopPropagation();
} else if (window.event){
window.event.cancelBubble = true;
}
e.preventDefault();
return false;
}
};
/////////////////////////////////////////////////////////////////////////////
//////////////////Below code for Inactivity functions below are used to //////
/////////////////automatically redirect the page to the /////////////////////
/////////////////logoff script when the user's session is up.////////////////
////////////////////////////////////////////////////////////////////////////
var secondsPassed = 0;
function ShowTimePassed()
{
var minutesBeforeLoggedOut = 1;//before one minute one confirm message should be display
var minutesToWarning=document.form.sessionTime.value;//get the time for in-activity time
secondsPassed+=1;
if(minutesBeforeLoggedOut == -1)
{
if(secondsPassed == 30)
{
secondsPassed = 0;
}
}
else{
if(secondsPassed ==minutesToWarning*60)
{
var answer;
var currentTime = new Date();
var expiredTime = new Date();
var minutes = expiredTime.getMinutes();
minutes+=minutesBeforeLoggedOut;
expiredTime.setMinutes(minutes);
if(minutesBeforeLoggedOut==1)
answer = confirm("It is now "+ currentTime.toLocaleTimeString()+" You have "+minutesBeforeLoggedOut+" minute left before getting logged out. Do you want to extend the session?");
if(answer){
secondsPassed = 0;
currentTime = new Date();
if(currentTime>expiredTime){
alert("You've exceeded the time needed to extend the session. You will be logged out now");
var path='<%= request.getContextPath() %>';
var url=path+"/logout.do";
window.top.location=url;
//window.location=url;
}
}
}
}
}
window.setInterval('ShowTimePassed()', 1000);
</script>
</head>
<body>
<%
String url = System.getProperty("configMaintenanceOption");
if(url !=null && url.equalsIgnoreCase("TRUE"))
{
%>
<body onLoad="ShowTimePassed();" onKeyPress="ShowTimePassed();" onmousemove="ShowTimePassed();" onclick="ShowTimePassed();" onscroll="ShowTimePassed();" oncontextmenu="return false;">
<form name="form">
<img src="<%= request.getContextPath() %>/images/headergrey.gif" />
<input type=hidden id="sessionTime" name="sessionTime" value="<%=SessionUtil.SESSION_TIME_OUT%>">
</form>
</body>
<%}else{%>
<body oncontextmenu="return false;">
<form name="form">
<img src="<%= request.getContextPath() %>/images/headergrey.gif" />
<input type=hidden id="sessionTime" name="sessionTime" value="<%=SessionUtil.SESSION_TIME_OUT%>">
</form>
</body>
<%}%>
</body>
</html>
I am Kartik Chandra Mandal from Bangalore, India. Working as software engineer in Java technology. Have good knowledge of OWASP and CSRF in security for applications and it's implementation in Java technology.