Clock and session time out

Status
Not open for further replies.

shukui

Technical User
Apr 27, 2001
28
US
Hi all,

I want to display a clock to tell the user how much session time is left if no activity is performed. However, if the user clicks a button, the session time will be reset to full. I do not want the user to refresh the page because doing that will lose the data that has already been filled in. How can I do that?
 
Here is the story...

The Problem
Developing applications for a secure intranet or extranet almost always leads to the idea of a session. Since HTTP is a stateless protocol, the ability to authenticate a user with a login is often tied to sessions. ColdFusion makes much of this easy for developers with its session-scoped variables. But they leave a security hole: if Joe logs in so his status is saved in a session variable then leaves for lunch without logging out, anyone can come in and access information using his login.

The accepted solution to this problem is to time out the session. This means that the system terminates the session and forces Joe to log in again if there hasn't been any activity for a specified number of minutes. The problem with this solution is that activity must be server-side activity since the session is tracked on the server. By this criterion, filling out form fields doesn't count as "activity" since it doesn't include any communication with the server.

It would be nice if we could somehow warn Joe that he is about to time out and offer him an opportunity to save his work, or best of all reset the session by clicking a button.
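One way to build the warning clock and the reset button described above, as an added example that is not part of the original post: the countdown is display only, the server stays the authority on the session, and the client deadline is reset only after a background request has reached the server. The 20-minute timeout, the 2-minute warning window, the `/keepalive.cfm` URL and the element ids are assumptions, and the keep-alive page is assumed to answer with a non-2xx status once the session is gone.

```javascript
// Added example: client-side idle countdown that mirrors a server session timeout.
// Typing in form fields never resets it; only a confirmed server round trip does.
class SessionCountdown {
  constructor(timeoutMs, warnMs, now = Date.now) {
    this.timeoutMs = timeoutMs; // must match the server-side session timeout
    this.warnMs = warnMs;       // how long before expiry the warning starts
    this.now = now;             // injectable clock, so the logic can be tested
    this.deadline = now() + timeoutMs;
  }
  remainingMs() {
    return Math.max(0, this.deadline - this.now());
  }
  state() {
    const left = this.remainingMs();
    if (left === 0) return 'expired';
    return left <= this.warnMs ? 'warning' : 'active';
  }
  // Call only after the server has confirmed the keep-alive request.
  // An expired session is never revived client-side: the user must log in again.
  serverConfirmedActivity() {
    if (this.state() === 'expired') return false;
    this.deadline = this.now() + this.timeoutMs;
    return true;
  }
  label() {
    const s = Math.ceil(this.remainingMs() / 1000);
    return `${Math.floor(s / 60)}:${String(s % 60).padStart(2, '0')}`;
  }
}

// Browser wiring (skipped outside a browser). Element ids and URL are hypothetical.
if (typeof document !== 'undefined') {
  const timer = new SessionCountdown(20 * 60 * 1000, 2 * 60 * 1000);
  const clock = document.getElementById('session-clock');
  setInterval(() => {
    clock.textContent = timer.label();
    clock.className = timer.state(); // lets CSS highlight the 'warning' state
  }, 1000);
  document.getElementById('stay-logged-in').addEventListener('click', async () => {
    // Background request: the page is not reloaded, so filled-in fields survive.
    const res = await fetch('/keepalive.cfm', { method: 'POST', credentials: 'same-origin' });
    if (res.ok) timer.serverConfirmedActivity();
  });
}
```

The keep-alive page only needs to touch the session on the server; every ordinary request the page makes to the server can call `serverConfirmedActivity()` the same way.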
 