Solved

Prevent log-outs by browser polling instead of a cookie

Posted on 2011-03-13
Last Modified: 2012-05-11
The users log in to my ASP.NET website from a safe location (office) and they want to remain logged in for the duration of the work-day.  For various reasons, keeping users logged in using persistent cookies is not a good solution.  Instead, I would like to have the user's browser poll the web-server at regular intervals, say every 3 minutes, and thus prevent log-outs.

There are two possible approaches:
1) produce a browser side code, a universal add-on, similar to a solution of www.stay-logged-in.com,
2) produce a server side code, which would keep the client connected.

I prefer not to mess around with the users' browsers, plus the solution should be browser independent, so Approach 2 is preferred.  But any good solution would be appreciated.

Any suggestions how to do this?  Any code?  Thank you very much.
Question by:zoranm0
18 Comments
 
LVL 75

Expert Comment

by:Michel Plungjan
ID: 35129922
How about a web bug:

<img id="poll" src="/favicon.ico" width="1" height="1"
onload="setTimeout(function(){document.getElementById('poll').src='/favicon.ico?rnd='+new Date().getTime()},180000)"/>


0
 
LVL 51

Expert Comment

by:tedbilly
ID: 35130183
@mplungjan: The problem with that solution is ASP.NET sessions can still time out because the ASP.NET ISAPI DLL will not process the favicon request.

If this is an intranet site why aren't you using integrated 'Windows Authentication'?  If the sites are marked as 'Local Intranet' then the user will be automatically signed in using their Windows credentials.  With Single Sign On behavior like that you get a high level of security without the users being pestered with log ins and there is no chance of impersonation (like there is with cookies).

Even FF and other browsers can be configured to support SSO (Single Sign On) from intranet domain computers.

You cannot produce server side code to keep the client connected unless the server simply sends client code to the browser to poll the web server.

Technically the browser and web server do not stay connected.  All the web server does is receive a request, process it and send the results then disconnect for the next user.   A polling function on the client can be configured to keep sessions active; however, the downside to that is that if the users leave their desks or do not log off at the end of the day then they are consuming server resources and when application pools are recycled can experience a disconnect anyway (or odd results).
0
 
LVL 75

Expert Comment

by:Michel Plungjan
ID: 35131311
So call an aspx that returns an image
0
 

Author Comment

by:zoranm0
ID: 35134570
Thanks to everybody who is trying to help.

No, the web-server is not on the Intranet.  Yes, I acknowledge all the things that tedbilly states, it is a great outline.  However I was looking for a smart-trick.  Thus, tedbilly gives a more extensive answer, but mplungjan is closer to what I am looking for.  Any other ideas how to get the browser to poll the server on trigger from the server?

Alternatively, for the client side solution, could someone please suggest the best way to create a universal browser plug-in (www.stay-logged-in.com works well in my view).  What would that be based on?

Thanks again
Zoran
0
 
LVL 51

Expert Comment

by:tedbilly
ID: 35134621
Well based on your last comment, then using the technique mplungjan provided with an ASPX page is the correct answer.  He's added a JavaScript timer to poll the server and by contacting an ASPX page the web session will remain active.
0
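The polling approach discussed above, as an added example that is not part of the original thread: a timer that requests an ASPX page every 3 minutes but stops once the user has been idle or a work-day cap is reached, so an unattended browser does not hold a session open indefinitely. The endpoint `/keepalive.aspx`, the 15-minute idle limit and the 10-hour cap are assumptions; the endpoint must be handled by ASP.NET for the session to be renewed.

```javascript
// Added example: keep-alive poller that stops when the user is idle or the
// work-day cap is reached, so the server-side timeout can then end the session.
function createKeepAlive(opts) {
  const intervalMs = opts.intervalMs || 180000;          // 3 minutes, as in the thread
  const idleLimitMs = opts.idleLimitMs || 900000;        // assumed: 15 min without input
  const maxLifetimeMs = opts.maxLifetimeMs || 36000000;  // assumed: 10-hour cap
  const now = opts.now || Date.now;
  const started = now();
  let lastActivity = started;
  let timer = null;

  function stop() {
    if (timer !== null) { clearInterval(timer); timer = null; }
  }
  // Decide what to do at this tick: "ping", "idle" or "expired".
  function tick() {
    const t = now();
    let decision = "ping";
    if (t - started >= maxLifetimeMs) decision = "expired";
    else if (t - lastActivity >= idleLimitMs) decision = "idle";
    if (decision === "ping") {
      opts.ping(opts.url + "?rnd=" + t);  // cache-buster, as in the web bug above
    } else {
      stop();                              // no more pings: let the session lapse
    }
    return decision;
  }
  return {
    tick,
    stop,
    activity() { lastActivity = now(); },
    start() { if (timer === null) timer = setInterval(tick, intervalMs); },
  };
}

// Browser wiring; skipped when no DOM is present.
if (typeof document !== "undefined") {
  const keepAlive = createKeepAlive({
    url: "/keepalive.aspx",                      // hypothetical endpoint
    ping: (u) => { new Image().src = u; },       // same image trick as the thread
  });
  ["mousemove", "keydown", "click"].forEach((evt) =>
    document.addEventListener(evt, keepAlive.activity, { passive: true }));
  keepAlive.start();
}
```

Once the poller stops, the server's own session timeout applies and the user has to log in again.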
 

Author Comment

by:zoranm0
ID: 35143831
Here is another way - Heartbeats
In this scheme, the server arranges to send the browser a sequence of "heartbeat" messages, in the form of HTML comments which will not display on the screen.

Since the logout is 5 minutes, it could be sufficient to send one short HTML comment, even a blank one, every 3 minutes

Any issues with that?
0
 

Author Comment

by:zoranm0
ID: 35143840
Would it be possible to send a screen-refresh command from the server to the browser every 3 minutes?
0
 
LVL 51

Expert Comment

by:tedbilly
ID: 35143959
The server cannot send a message to the client.  As stated in a previous comment here is how a web transaction works

1) User enters URL in address window
2) Browser connects to the web server using a socket on port 80 and requests the page
3) The web server authenticates the user
4) The web server prepares the web page using server side code (if not a static page)
5) The web server sends the page
6) The socket connection on port 80 is closed

At that point the web server has absolutely no way at all to reconnect to the client.  The ONLY way to update the page is if the web browser requests it.
0
 

Author Comment

by:zoranm0
ID: 35144480
Isn't there a time-out for 6) to happen?  My understanding is that it is something like 60 seconds, although it can be set higher.  My understanding is also that the Heartbeat approach keeps sending blank pages to stop the port from closing (therefore it would not be sent once every 3 minutes, but every 50 seconds).  If so, the issue then is only how much load on the server this generates.  The same for mplungjan's solution.

Coming back to the Client side add in, what would that be based on? Which universal method can I use to make it work at least on FF and IE?

Thanks
0

 
LVL 75

Expert Comment

by:Michel Plungjan
ID: 35144499
My suggestion is the simplest way to access an aspx page. Alternative is Ajax or some aspx thing that would create some similar way for the browser to regularly keep a session from expiring. I could imagine you could also change the session timeout to 12 hours
0
 
LVL 51

Expert Comment

by:tedbilly
ID: 35144678
You are mistaken.  The server cannot keep sending pages.  When the data is sent to the client browser so it can fully render the page, the socket is closed.  I've been working with the internet for nearly 20 years.  I wish I could give you the answer you want but I cannot.  The HTTP protocol was defined this way for a reason.

The client would be based on Javascript which is the only way to do this just as mplungjan has suggested.  His answer is correct.

Yes polling the server adds load but based on your requirements there is no other way.
0
 
LVL 75

Accepted Solution

by:
Michel Plungjan earned 300 total points
ID: 35144788
0
 

Author Comment

by:zoranm0
ID: 35148239
mplungjan, you know your stuff.  It will take me a little time to digest this.  It is not even a work-around, a trick, it looks like it is a main-stream technique.  Obviously, I am not crazy to want to have the server pushing pages to the client and with a low-overhead.  Thanks very much for this lead, I will investigate it further to see if it can solve my problem of keeping all different browsers, under different privacy set ups on the client machines, logged into my site.

Currently, I have to solve users' connection issues, on a case by case basis.  There must be a better way.

Thanks
0
 

Author Comment

by:zoranm0
ID: 35148427
I wonder what Ebay and all other high-end web-sites are using? It works like magic - one never gets logged out, no matter which browser or set up.
0
 
LVL 75

Expert Comment

by:Michel Plungjan
ID: 35148486
Cookies. I am sure.
0
 
LVL 51

Assisted Solution

by:tedbilly
tedbilly earned 200 total points
ID: 35152082
I've looked at Comet and as stated they are using a Flash component to maintain a connection, however, JavaScript cannot open/maintain a socket so only client-side code embedded in an object like Java or Flash is capable of working within the browser to keep a connection active.

Based on the requirements, I did not and would not recommend such a drastic solution.  It's a LOT of complexity to simply keep a page active.

All the major sites use cookies.  Clear your cache and browser history and you will have to log in again.  Also, I run multiple browsers and the log in session is always per browser.  In other words if I clear my cache, cookies and history for FF, IE, Safari and Chrome, then attempt to access Gmail or EE I have to sign in once for each browser for each site.

The risk with cookies is session hijacking.
0
 

Author Comment

by:zoranm0
ID: 35161511
The high end websites (Ebay) deploy something "out-of-box".  Either they have perfected the science of cookies beyond my reach, or they use something else.   We have spent days and days trying to get session cookies to work under every browser scenario, with only a limited success.

Thanks tedbilly, excellent overview/summary again.  But, it is not easy to tell every user how to do this and that.  Some users are hardly computer literate, we would have to guide them by the hand.  This is why I need a solution which will work "out-of-box".  But, I agree that it is hard to find a "perfect solution": out-of-box with low-overhead.  Also, because the users access a lot of personal data on my web-site, I do have a concern about session hijacking.  This is why I have been looking for a solution different than cookies.

The JavaScript/.NET blank image sending, which mplungjan originally suggested, and its more modern Comet variants of Flash are our focus now.  They appear to work well, but they have a downside of pre-supposing a certain configuration of browser.

So, again, no perfect solution.  Thanks for trying to help.
0
 

Author Closing Comment

by:zoranm0
ID: 35161523
Good solution, but not solving the problem completely.
0
