Idle Session Timeout

2013-02-04
2013-04-06
  • ZH Healthcare
    2013-02-04

    Hi,
    "Idle Session Timeout Seconds" is calculated using the user activity at the server side. So even if a user is inputting data in a form but does not submit the page before the "timeout" setting, the user will get timed out and lose all the data he entered. Can we capture some key events at the browser and send them to the server intermittently, which prevents the server from timing out the session? This is a problem for the practices which prefer to keep the timeout seconds very low, say 15 minutes.
    Can this create any security threat?

    Eldho
    ZH Healthcare

     
  • Rod Roark
    2013-02-04

    I think that would be a good thing to do. But I wouldn't add yet another server request, but rather add the logic to one that already exists (see for example interface/main/daemon_frame.php).

    Rod
    www.sunsetsystems.com

     
  • Kevin Yeh
    2013-02-04

    Rod,
    I must be missing something, but your suggestion doesn't make any sense to me. There is logic in the timeout mechanism which explicitly prevents the daemon frame from resetting the timer. I don't see how daemon_frame is relevant.

     
  • Rod Roark
    2013-02-04

    Kevin, read my suggestion again. I'm saying that daemon_frame.php is a good place to add appropriate logic, i.e. that it's better to modify an existing module that periodically invokes the server than it is to create yet another one.

    Rod
    www.sunsetsystems.com

     
  • Kevin Yeh
    2013-02-04

    Rod, I know that we disagree on how best to handle cross frame communication, so before we fall too deep into that rat hole again, here is my last comment on this topic.

    Eldho, feel free to follow Rod's suggestion, but my instinct is that if you try to do it with daemon_frame.php, you are also going to have to make changes in auth.inc as well and the overall solution is going to be more difficult to maintain. It will also be very difficult to get daemon_frame to respond to keypress events that occur in the other frames. Daemon frame generates a periodic event (every 2 minutes), but the keypress events you wish to trigger on do not occur periodically. They happen at a pace that is determined by the user actions.

     
  • Rod Roark
    2013-02-04

    Of course there will be code changes. Difficult??? All it requires is a logical approach, to be determined.

    Keypress handling is another topic. What makes sense to me is to have a JavaScript variable in the top frame (or perhaps the left_nav frame) that is set when a keypress occurs. Then daemon_frame (or something else that already communicates periodically with the server) can check that and do the right thing when it's set.

    I don't think it's right to ping the server on every key press. So doing it periodically makes sense. Doing it periodically with yet another new module for that purpose does NOT make sense.

    This is not to defend daemon_frame.  If someone wants to replace it with something else, fine, let's discuss it.  But in a different thread please.

    Rod
    www.sunsetsystems.com
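
The design discussed in this thread, modelled end to end as an added example; it is not code from any post or from the project. All function and field names are hypothetical, and the server is simulated in the same script: a keypress sets a flag, the existing 2-minute periodic request reports and clears it, and the server resets the idle timer only when a poll carries that flag.

```javascript
// Added illustration; every name here is hypothetical, not the project's API.
const POLL_MS = 2 * 60 * 1000;      // periodic request interval mentioned in the thread
const TIMEOUT_MS = 15 * 60 * 1000;  // the 15-minute idle timeout mentioned in the thread

// Browser side: a variable in the top frame, set on keypress, read by the poller.
function createActivityFlag() {
  let active = false;
  return {
    noteKeypress() { active = true; },  // would be wired to a keydown listener per frame
    // Called by the existing periodic request: report the flag, then clear it.
    takePayload() {
      const payload = { poll: true, userActive: active };
      active = false;
      return payload;
    },
  };
}

// Server side (simulated): a bare poll never resets the idle timer;
// only a poll that reports activity, or a normal page request, does.
function createSession(start) {
  let lastActivity = start;
  return {
    handle(request, now) {
      if (now - lastActivity > TIMEOUT_MS) return "timed_out";
      if (!request.poll || request.userActive) lastActivity = now;
      return "ok";
    },
  };
}

// Constructed scenario: the user types for `typingMs`, then goes idle.
// Returns the time (ms since login) of the poll that finds the session
// timed out, or null if it stays alive for the whole `totalMs`.
function simulate(typingMs, totalMs) {
  const flag = createActivityFlag();
  const session = createSession(0);
  for (let t = POLL_MS; t <= totalMs; t += POLL_MS) {
    if (t <= typingMs) flag.noteKeypress();  // at least one key per interval
    if (session.handle(flag.takePayload(), t) === "timed_out") return t;
  }
  return null;
}

console.log(simulate(20 * 60 * 1000, 60 * 60 * 1000) / 60000, "minutes");
```

Because the flag is cleared on every poll, a form left untouched still times out 15 minutes after the last reported keypress, while continuous typing costs no requests beyond the ones already being sent.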