User Inactivity Auto Logout with Rails and Javascript

Jessica Lee
Sep 15, 2021

While working on my recent Rails projects I have been sitting in a chair for hours and getting tired, so I went outside for some fresh air and took a break. When I came back a few hours later and tried to work on the project, I noticed that I was still logged in: my user session was still active even though I had not done anything for hours. So I wondered whether there was a way to set a timeout that logs the user out after being INACTIVE for a certain amount of time.

But why do we need the user to be logged out? The most important reason is security. What if the user is on a public computer that anyone can access and forgets to log out? Another person could read the user's private data and change it without permission, and the user would not even know who that person was.

The shorter the session interval, the less time an attacker has to use a valid session ID. Session expiration timeout values must be set according to the purpose and nature of the web application, balancing security and usability, so that the user can comfortably complete operations within the application without the session frequently expiring.

Two timeouts matter here. An idle timeout is measured from the last request and is extended every time the user does something; an absolute timeout is measured from login and is not extended by activity. Both values are highly dependent on how critical the web application and its data are. Common idle timeout ranges are 2–5 minutes for high-value applications and 15–30 minutes for low-risk applications. Absolute timeouts depend on how long a user usually uses the application. If the application is intended to be used by an office worker for a full day, an appropriate absolute timeout range could be between 4 and 8 hours.

Session Handling on Server Side

The ‘auto-session-timeout’ gem provides automatic session timeout in a Rails application.

You need to set up two actions: one that returns the session status and another that runs when the session times out. You can use the default actions included with the gem by adding the single line from the gem's documentation to your target controller (most likely your user or session controller).

In either case, make sure to map the actions in your routes.rb file. This server-side check is the authoritative one: whatever the browser does, the session must expire on the server when the idle or absolute timeout is reached.

Link for auto-session-timeout

Logout Handling on Client-Side

Automatic Client Logout

JavaScript code can be used by the web application on all (or critical) pages to log out client sessions automatically after the idle timeout expires, for example by redirecting the user to the logout page (the same resource the logout button uses).

The benefit of enhancing the server-side idle timeout with client-side code is that the user can see that the session has finished due to inactivity, or can even be notified in advance that the session is about to expire through a countdown timer and warning messages. This user-friendly approach helps avoid loss of work on pages that require extensive data entry, which would otherwise be lost when the server silently expires the session. The client-side timer is a convenience, not a control: the browser can be closed or have JavaScript disabled, so the server must still expire the session on its own, and the client timeout should be no longer than the server's.
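The following is an added example, not code from the original post or from the gem: a client-side idle timer that shows a countdown during a warning window and then redirects to the logout resource. The timeout values, the `/logout` URL and the `session-warning` element are assumptions; the current time is passed in explicitly so the decision logic can be exercised without a browser.

```javascript
// Added example (not from the original post): client-side idle timer with a
// countdown warning that redirects to the logout resource when the idle window
// ends. Time is passed in explicitly so the logic can run without a browser.
const IDLE_MS = 15 * 60 * 1000;  // assumed idle timeout; keep it <= the server-side one
const WARN_MS = 60 * 1000;       // start the countdown this long before logout
const LOGOUT_URL = '/logout';    // assumed: the same resource the logout button uses

function createIdleTracker({ idleMs = IDLE_MS, warnMs = WARN_MS, startedAt = Date.now() } = {}) {
  let lastActivity = startedAt;
  let expired = false;

  return {
    // Call on user activity (keydown, mousedown, scroll, touchstart). Activity that
    // never reaches the server does not extend the server session, which is why the
    // client timeout must not be longer than the server's.
    touch(now) {
      if (!expired) lastActivity = now;
    },
    // Call on a timer; returns what the UI should do right now.
    tick(now) {
      if (expired) return { state: 'logout', remainingMs: 0 };
      const remainingMs = lastActivity + idleMs - now;
      if (remainingMs <= 0) {
        expired = true;
        return { state: 'logout', remainingMs: 0 };
      }
      if (remainingMs <= warnMs) return { state: 'warn', remainingMs };
      return { state: 'active', remainingMs };
    },
  };
}

// Wire the tracker to a page: reset on activity, update a countdown element while
// in the warning window, redirect to the logout page when the window closes.
function attachIdleLogout(tracker, { win, doc, warningEl, logoutUrl = LOGOUT_URL, pollMs = 1000 }) {
  const events = ['keydown', 'mousedown', 'scroll', 'touchstart'];
  events.forEach((ev) => doc.addEventListener(ev, () => tracker.touch(Date.now()), { passive: true }));

  const timer = win.setInterval(() => {
    const { state, remainingMs } = tracker.tick(Date.now());
    if (state === 'warn') {
      warningEl.hidden = false;
      warningEl.textContent = `You will be logged out in ${Math.ceil(remainingMs / 1000)} s due to inactivity.`;
    } else if (state === 'active') {
      warningEl.hidden = true;
    } else {
      win.clearInterval(timer);
      win.location.assign(logoutUrl);  // the server still destroys the session; this is UX only
    }
  }, pollMs);
  return timer;
}

// Browser-only wiring; skipped when run outside a page.
if (typeof document !== 'undefined' && typeof window !== 'undefined') {
  const el = document.getElementById('session-warning');  // assumed element in the layout
  if (el) attachIdleLogout(createIdleTracker(), { win: window, doc: document, warningEl: el });
}
```

Once `expired` is set, later activity is ignored, so a keystroke that races the redirect cannot revive the timer and leave the page looking logged in while the server session is already gone.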

https://gist.github.com/gerard-kanters/2ce9daa5c23d8abe36c2
https://stackoverflow.com/questions/23023916/how-to-implement-auto-logout-in-javascript

Disable Web Browser Cross-Tab Sessions

Once the user has logged in and a session has been established, web applications can use JavaScript code to force the user to re-authenticate if a new browser tab or window is opened against the same application. The application does not want multiple tabs or windows to share the same session, so it tries to stop the browser from using the same session ID in several of them at once.

NOTE: This mechanism cannot be implemented if the session ID is exchanged through cookies, as cookies are shared by all browser tabs and windows. Rails stores the session ID in a cookie by default, so this technique does not apply to a standard Rails application.

Initial Login Timeout

Web applications can use JavaScript code on the login page to measure the time since the page was loaded and a session ID was granted. If a login is attempted after a specific amount of time, the client code can notify the user that the maximum time to log in has passed and reload the login page, thereby retrieving a new session ID.

This extra protection mechanism tries to force renewal of the session ID before authentication, avoiding scenarios where a previously used (or manually set) session ID is reused by the next victim on the same computer, as in session fixation attacks. It only helps if the server actually issues a fresh ID on reload; the reliable defense remains server-side, regenerating the session ID at login so that a pre-authentication ID is never promoted to an authenticated one.

Session login Timeout in React.js

Force Session Logout On Web Browser Window Close Events

Web applications can use JavaScript code to capture browser tab or window close (or even back) events and close the current session before the page goes away, emulating a manual logout via the logout button.

The ‘beforeunload’ event is fired when the window, the document and its resources are about to be unloaded. The document is still visible and the event is still cancelable at this point (this is the MDN definition). Two caveats follow from it: the event also fires on page reload and on in-app navigation, so a naive handler logs the user out every time they refresh, and ordinary requests started during unload may be abandoned by the browser, so the logout request should be sent as a beacon.
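As an added example (not code from the original post), the following sends the logout request from a `beforeunload` handler as a beacon and uses same-origin link clicks and form submissions to tell in-app navigation apart from a window close. It assumes Rails conventions for the logout request (`DELETE /logout` via the `_method` override, `authenticity_token` for CSRF, the token read from the layout's `csrf-token` meta tag); the `/logout` URL itself is an assumption. A plain page reload is still indistinguishable from a close and will log the user out, which is the trade-off this technique forces.

```javascript
// Added example (not from the original post): log the session out when the tab or
// window closes, using a beacon that survives page unload. Rails conventions
// (DELETE via _method override, authenticity_token for CSRF) are assumed.
const LOGOUT_URL = '/logout';  // assumed: the same resource the logout button uses

// Build the form-encoded logout request Rails expects for a DELETE on the session.
function buildLogoutRequest(csrfToken, url = LOGOUT_URL) {
  const params = new URLSearchParams({ _method: 'delete', authenticity_token: csrfToken });
  return { url, body: params.toString(), contentType: 'application/x-www-form-urlencoded' };
}

// Tracks whether the upcoming unload was caused by in-app navigation.
function createUnloadGuard() {
  let internalNavigation = false;
  return {
    // Call when the user clicks a same-origin link or submits a form: the page is
    // about to unload because of in-app navigation, not because the window closed.
    markInternalNavigation() { internalNavigation = true; },
    // beforeunload cannot tell a close from a reload or navigation; any unload not
    // preceded by an in-app navigation is treated as a close (so a reload logs out).
    shouldLogout() { return !internalNavigation; },
    // Only same-origin links count as in-app navigation; off-site links are a leave.
    isSameOrigin(href, origin) {
      try { return new URL(href, origin).origin === origin; } catch (e) { return false; }
    },
  };
}

// Wire the guard to a page; win/doc/nav are injected so the logic stays testable.
function registerUnloadLogout({ win, doc, nav, csrfToken, guard = createUnloadGuard() }) {
  doc.addEventListener('click', (e) => {
    const a = e.target && e.target.closest ? e.target.closest('a[href]') : null;
    if (a && guard.isSameOrigin(a.href, win.location.origin)) guard.markInternalNavigation();
  });
  doc.addEventListener('submit', () => guard.markInternalNavigation());
  win.addEventListener('beforeunload', () => {
    if (!guard.shouldLogout()) return;
    const req = buildLogoutRequest(csrfToken);
    // sendBeacon POSTs asynchronously and is not cancelled by the unload, unlike a
    // plain fetch/XHR started at this point. Delivery is still best effort.
    nav.sendBeacon(req.url, new Blob([req.body], { type: req.contentType }));
  });
  return guard;
}

// Browser-only wiring; skipped when run outside a page.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  const meta = document.querySelector('meta[name="csrf-token"]');
  registerUnloadLogout({ win: window, doc: document, nav: navigator, csrfToken: meta ? meta.content : '' });
}
```

The server must accept the beacon as a normal logout request, including CSRF validation, which is why the token is sent in the body rather than relying on a custom header that `sendBeacon` cannot set.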
