ASP.Net - ask password after 5 minute inactivity

Posted on 2007-10-18
Last Modified: 2013-11-26
We have a Visual Studio 2003 web application created using VB.Net, ASP.Net & Crystal Reports.
There are about 20 aspx pages in the application.
We would like to include a feature in the application so that if the user is inactive for 5 minutes (no keyboard or mouse movements), a security message box would pop up and the user has to re-enter the password to continue. Once the user enters the password, he should be able to continue on the web page from where he left off before the 5 minutes.

I am trying to figure out the best way to make this happen. I know I can track the 5 minute inactivity using JavaScript. My question is: what should my design be?

1) A JavaScript pop-up prompt message box?
2) Should I redirect the user to the login page? In that case, how do I maintain the session? There are a lot of textboxes in the page; would it be better to store the values of the textboxes in a temporary table in a SQL Server database before asking for the password? Once the user enters the password, I can reload the textboxes from the temporary table.

Please advise with your suggestions/recommendations.

Thanking you in anticipation.

Question by:vdesai_8
    LVL 12

    Expert Comment

    What are you trying to accomplish by ending the session after 5 minutes if they may be completing the form? Securing the data?  How long will you keep the data for?
    LVL 16

    Accepted Solution

    Assuming you can write JavaScript that would effectively manage to track the period of inactivity, I leave this to you, as you seem to indicate you have an idea of how you would do this.

    1) If you do this you will need to store their password in the client page, not normally recommended practice, unless you save a hash in the page and then process the value they have entered in clear to generate a hash and compare them? Still, this is not a solution I would be comfortable with.

    2) This sounds a little complicated to engineer. I think, on timeout you will have to save the page to a backend data source and then, as you say, redirect to a login page. You then, upon a successful login, redirect to the previous page, which can preload the boxes back with the data. Although a solution that sounds possible, I'm just as uncomfortable with this solution as the first!

    I've said I wouldn't be happy with either, and I've not got an alternative for you, but it is my opinion that if this is a mandatory requirement you might like to consider an alternative implementation technology, as the stateless design of HTTP is not suited to your requirements.

    Author Comment

    Thanks Gurus, for your replies.

    Lunadl - The data that the users are working on in the web application is sensitive data & should not be available to the public. Hence, if the user walks away from the desk for 5 minutes, we would like the security pop-up message box to appear so that unauthorized users cannot see the data.

    If the user is inactive for 20 minutes then the session would end & all the data on the form may be wiped out. This is taken care of from the web.config file.

    McExp - you are right that the stateless design of HTTP may not be suited for this requirement, but I am trying to figure out what could be an alternative approach? It would be fine if it's a message box, screensaver or an aspx form way of approaching it, as long as it serves the purpose.

    Please help with how this can be accomplished.

    LVL 12

    Expert Comment

    Can you store the content of the fields in a database? Using AJAX you would be able to save the state of the form at intervals as well as provide a solution for prompting the user. It would increase the work for maintenance: every time you add a field to your secure pages, you would need to update your DB.
    LVL 16

    Expert Comment

    What else is being done on the computer? Do you have control of the configuration? You touched on the idea of a screensaver; is this, along with user education, not the correct solution? You can enforce the settings of the screensaver via a domain policy.

    Now that you state the form contents are sensitive, surely the message box idea is a non-starter, because even though the (unauthorised) user won't be able to do anything, they will still be able to see the data.
    LVL 12

    Expert Comment

    I agree with McExp that a message box solution is the wrong way to prompt the user to reauthenticate. The solution will lie in redirecting or a client-based software and settings.
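
The two objections raised in the thread (a prompt leaves the data visible, and checking the password in the page means storing it or its hash on the client) can be addressed together. The following is an added example, not code from any poster: an idle lock that covers the form after 5 minutes and only uncovers it once the server has verified the password. `verifyPassword`, `hide` and `show` are hypothetical callbacks supplied by the page.

```javascript
// Added example, not from the thread. Assumptions (hypothetical names):
//   verifyPassword(pw) -> Promise<boolean>, posts the password to a server
//                         page over HTTPS and resolves with the server's verdict
//   hide() / show()    -> cover or reveal the form container
//   now()              -> current time in ms (injected so it can be tested)
const IDLE_LIMIT_MS = 5 * 60 * 1000; // 5 minutes, as in the question

function createIdleLock({ now, hide, show, verifyPassword, limitMs = IDLE_LIMIT_MS }) {
  let lastActivity = now();
  let locked = false;

  return {
    // Call from keydown / mousemove handlers. Ignored while locked, so
    // moving the mouse cannot dismiss the lock.
    activity() {
      if (!locked) lastActivity = now();
    },

    // Call from a timer, e.g. setInterval(lock.tick, 5000).
    tick() {
      if (!locked && now() - lastActivity >= limitMs) {
        locked = true;
        hide(); // cover the data itself instead of prompting on top of it
      }
      return locked;
    },

    // The typed password goes to the server for checking. Nothing is
    // compared against a password or hash kept in the page.
    async unlock(password) {
      if (!locked) return true;
      const ok = await verifyPassword(password);
      if (ok) {
        locked = false;
        lastActivity = now();
        show(); // the textboxes were never unloaded, so nothing to restore
      }
      return ok;
    },

    isLocked: () => locked,
  };
}
```

Covering the form in the browser is only a display measure, so the server should also treat the session as locked and refuse postbacks until the password check succeeds.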
