ASP.Net - ask password after 5 minute inactivity

Posted on 2007-10-18
Medium Priority
Last Modified: 2013-11-26
We have a Visual studio 2003 web application created using VB.Net, ASP.Net & Crystal reports.
There are about 20 aspx pages in the application.
We would like to include a feature in the application so that if the user is inactive for 5 minutes(no keyboard or mouse movements), a security messagebox would pop-up and the user has to re-enter the password to continue. once the user enters the password he should be able to continue on the webpage from where he left off before 5 minutes.

I am trying to figure out the best way to make this happen.I know I can track the 5 minute inactivity using Javascript. My question is what should my design be?

1). A javascript pop up prompt messagebox?
2). Should I redirect the user to the login page? in that case how do I maintain the session? there are a lot of textboxes in the page, would it be better to store the values of the textboxes in a temporary table in sql server database before asking for password? and once the user enters the password I can reload the text boxes from the temporary table.  

please advise with your suggestions/recommendations.

Thanking you in anticipation.

Question by:vdesai_8
  • 3
  • 2
LVL 12

Expert Comment

ID: 20104994
What are you trying to accomplish by ending the session after 5 minutes if they may be completing the form? Securing the data?  How long will you keep the data for?
LVL 16

Accepted Solution

McExp earned 2000 total points
ID: 20105024
Assuming you can write javascript that would effectivly mange to track the period of inactivity, I leave this to you as you seem to indicate you have an idea of how you would do this.

1) if you do this you will need to store there password in the client page, not normally recomended practice, unless you save a hash in the page and then process the value they have entered in clear to generate a hash and compare them? Still this is not a solution I would be comfortable with.

2)This sounds a little complicated to engineer. I think, on timeout you will have to save the page to a backend data source and then as you say redirect to a login page. You then, upon a successfull login redirect to the previous page which can preload the boxes back with the data. Although a solution  that sounds possible I'm just as uncomfortable with this solution as the first!

I've said I wouldn't be happy with either, and I've not got an alternative for you, but it is my opinion that if this is a mandatory requirement you might like to consider an alternative implimentation technology as the stateless design of http is not suited to your requirements.

Author Comment

ID: 20110021
Thanks Gurus, for your replies.

Lunadl - The data that the users are working on in the web application is sensitive data & should not be available to public. hence if the user walks away from desk for 5 minutes we would like the Security pop up message box to appear so that unauthorized users cannot see the data.

If the user is inactive for 20 minutes then the session would end & all the data on the form maybe wiped out. This is taken care from the web.config file.

McExp - you are right that the stateless design of http may not be suited for this requirement, but I am trying to figure out what could be an alternative approach? It would be fine if its a messagebox, screensaver or an aspx form way of approaching it, as long as it serves the purpose.

Please help about how can this be accomplished.

Transaction-level recovery for Oracle database

Veeam Explore for Oracle delivers low RTOs and RPOs with agentless transaction log backup and transaction-level recovery of Oracle databases. You can restore the database to a precise point in time, even to a specific transaction.

LVL 12

Expert Comment

ID: 20110366
Can you store the content of the fields in a database? Using AJAX you would be able to save the state of the form at intervals as well as provide a solution for prompting the user. It would increase the work for maintainance every time you add a field to your secure pages you would need to update your DB.
LVL 16

Expert Comment

ID: 20112311
What else is being done on the computer?  do you have control of the configuration? you touched on the idea of screensaver is this along with user education not the correct solution? You can enforce the settings of the screensaver via a domain policy.

Now that you state the form contents is sensitve surely the msg box idea is a non starter becuse even though the (unautorised) user won't be able to do anything they will still be able to see the data.
LVL 12

Expert Comment

ID: 20112522
i agree with McExp that a message box solution is the wrong way to prompt the user to reauthenticate. The solution will lie in redirecting or a client-based software and settings.

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A long time ago (May 2011), I have written an article showing you how to create a DLL using Visual Studio 2005 to be hosted in SQL Server 2005. That was valid at that time and it is still valid if you are still using these versions. You can still re…
What is Node.js? Node.js is a server side scripting language much like PHP or ASP but is used to implement the complete package of HTTP webserver and application framework. The difference is that Node.js’s execution engine is asynchronous and event…
This video teaches users how to migrate an existing Wordpress website to a new domain.
Learn how to set-up PayPal payment integration in your Wufoo form. Allow your users to remit payment through PayPal upon completion of your online form. This is helpful for collecting membership payments, customer payments, donations, and more.
Suggested Courses
Course of the Month16 days, 3 hours left to enroll

850 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question