In order to protect member users' information that is maintained by my web-site and, in general, proprietary information on my web-site, my web-site requires that users create accounts and then log into their accounts before they can navigate away from my web-site's home page to other web-pages in my web-site. However, it isn't enough that the users simply log in to their accounts; they also need to use the system by navigating through the web-pages in my web-site or, on some pages, operate the controls in the web-page or type data into the form field controls, thus proving that they are still using the site and have not just left one of my web-site's web-pages unattended and open to someone else. Additionally, I'd like to prevent someone who finds one of my web-pages in the browser's history and then tries jumping to that web-page from hijacking a user's account.
Other than the home web-page in my web-site, when one of my web-pages is requested, my web-site's server-side PHP code calculates an expiration datetime, which is then checked against the system's datetime to see if the user is still logged in. This check is performed with JavaScript code when a requested web-page first loads into the user's browser. This check is also performed with the web-site's server-side PHP code when a web-page in my web-site is requested. In either of these checks, if the expiration datetime is earlier than the system's current datetime, then the user is automatically logged out and returned to my web-site's home web-page.
However, there are some pages in my web-site where the logged-in member user has to enter large amounts of information into the web-page and then post that data to the server, but if they take too long to do this then they will lose that information when they are automatically logged out. Instead, before the expiration datetime passes, I want to ask the user if they wish to remain logged in, similar to what banks do in their online banking systems.
What is the best way to do this?
Two ways come to mind; both display a message to the user asking if the user wants to extend their logged-in session. If the user answers yes, then the expiration datetime is extended by another 20 minutes. If the user answers no or the question goes unanswered, then the user is automatically logged out and then redirected to my web-site's home web-page:
1. Let the server periodically send a message (polling) to each user's browser to cause the user to be prompted about remaining logged in.
2. When each web-page loads, it starts a timer that, when it times out, prompts the user about remaining logged in.
The first method seems to be much more difficult and I don't know how to do this.
The second method, while much easier, seems like it would be possible for a malicious user to defeat.
This all heavily relies on all web-page requests being blocked by my web-server's PHP code or, in the case of one of my web-pages being reloaded from the browser's history, on the JavaScript code in the web-page detecting this, logging out the user and redirecting to my web-site's home web-page.
Is there a way to compile the browser-side JavaScript, or some other code that handles the expired login-session check, so that a malicious user can't defeat it using the browser's code inspector? Would this be possible in a web API?
Any ideas?
Thanks.
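The server-side half of the design described in the question, written as an added example in JavaScript (Node.js, not the site's PHP and not code from the poster): an in-memory session table where every request other than the home page is gated on the session's expiry, and an explicit "extend" action that moves the expiry forward by another 20 minutes only while the session is still valid. The browser's timer only decides when to ask; this table decides whether the user is still logged in, so a user who disables the prompt in the code inspector gains nothing. The `Map` store, `crypto.randomUUID()` session ids, the 12-hour absolute cap and the injectable clock are assumptions made for illustration.

```javascript
'use strict';

const IDLE_MS = 20 * 60 * 1000;               // question: "extend by another 20 minutes"
const ABSOLUTE_MAX_MS = 12 * 60 * 60 * 1000;  // assumption: hard cap per login, however often the user says "yes"

// Server-side session table. In production this would be the PHP session store
// (or a database), never browser storage, because only the server's copy is
// trustworthy. `now` and `newId` are injectable so the logic can be exercised
// without waiting 20 minutes.
function createSessionStore({ now = Date.now, newId = () => globalThis.crypto.randomUUID() } = {}) {
  const sessions = new Map(); // id -> { username, createdAt, expiresAt }

  // Gate for every non-home page request: the server, not the browser, decides
  // whether the user is still logged in. An expired session is destroyed on
  // the spot, so a stale id found via browser history cannot be reused.
  function check(id) {
    const s = sessions.get(id);
    if (!s) return { ok: false, reason: 'no-session' };
    if (now() >= s.expiresAt) {
      sessions.delete(id);
      return { ok: false, reason: 'expired' };
    }
    return { ok: true, username: s.username, expiresAt: s.expiresAt };
  }

  // Called once after a successful password check. Returns an unguessable id
  // that the browser sends back (cookie) with every request.
  function login(username) {
    const id = newId();
    const t = now();
    sessions.set(id, { username, createdAt: t, expiresAt: t + IDLE_MS });
    return id;
  }

  // "Yes, keep me logged in" from the prompt (or any genuine activity).
  // Only a still-valid session can be extended, and never past the absolute
  // cap, so the prompt cannot keep a session alive forever.
  function extend(id) {
    const r = check(id);
    if (!r.ok) return r;
    const s = sessions.get(id);
    s.expiresAt = Math.min(now() + IDLE_MS, s.createdAt + ABSOLUTE_MAX_MS);
    return { ok: true, expiresAt: s.expiresAt };
  }

  // "No" from the prompt, or an explicit logout. Returns whether anything was removed.
  function logout(id) {
    return sessions.delete(id);
  }

  return { login, check, extend, logout };
}
```

In the PHP site the same three operations map onto the page gate (`check` on every request), the "stay logged in" endpoint the JavaScript prompt posts to (`extend`), and the logout handler (`logout`). Returning `expiresAt` from `check` and `extend` lets the page schedule its prompt from the server's value rather than from anything the browser remembers.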
You could do the following.
1. After successfully logging in, store the user's login time in browser storage such as LocalStorage, IndexedDB or cookie storage.
2. Using JavaScript you can compare the current time and the user's login time.
3. After a certain interval, maybe 30 min / 1 hour, you can prompt the user about whether he wants to remain logged in.
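The browser-side timer both the question's second method and the answer above describe, as an added example in JavaScript (not code from the answer's author or from the site). It schedules the "stay logged in?" prompt shortly before the expiry the server reported, treats silence or "no" as a logout, and, because the same check runs on every page load, also logs out a page pulled back out of browser history whose session has already lapsed. It is convenience so the user does not lose a half-filled form; whether the session is really still valid is decided by the server when `extend` is called, so defeating this script in the inspector only removes the warning. Every side effect (timers, the "ask" dialog, the extend request, the logout redirect) is injected, which is what makes the logic testable without a browser; the two-minute warning and one-minute answer window are assumptions.

```javascript
'use strict';

const WARN_MS = 2 * 60 * 1000;  // assumption: prompt two minutes before expiry
const ANSWER_MS = 60 * 1000;    // assumption: an unanswered prompt counts as "no" after a minute

// Decide what the page should do right now, given the expiry the server told us.
// Pure function: 'logout' (already expired, e.g. page reopened from history),
// 'prompt' (inside the warning window) or 'wait' with the delay until the prompt.
function planSessionAction(expiresAt, now, warnMs = WARN_MS) {
  const remaining = expiresAt - now;
  if (remaining <= 0) return { action: 'logout' };
  if (remaining <= warnMs) return { action: 'prompt', delay: 0 };
  return { action: 'wait', delay: remaining - warnMs };
}

// Wire the plan to timers and UI. In a real page: ask = show a modal and call
// answer(true/false); extend = POST to the server's "stay logged in" endpoint
// and pass its JSON to cb; logout = clear state and redirect to the home page.
function startSessionWatch(opts) {
  const { now = Date.now, setTimer = setTimeout, clearTimer = clearTimeout,
          ask, extend, logout, warnMs = WARN_MS, answerMs = ANSWER_MS } = opts;
  const state = { expiresAt: opts.expiresAt, prompts: 0 };
  let handle = null;

  function schedule() {
    const plan = planSessionAction(state.expiresAt, now(), warnMs);
    if (plan.action === 'logout') { logout('expired'); return; }
    handle = setTimer(prompt, plan.delay);
  }

  function prompt() {
    state.prompts += 1;
    let settled = false;
    const deadline = setTimer(() => answer(false), answerMs); // silence means "no"
    function answer(yes) {
      if (settled) return;      // ignore a late or duplicate answer
      settled = true;
      clearTimer(deadline);
      if (!yes) { logout('declined-or-timeout'); return; }
      extend((r) => {           // the server decides; the browser only obeys
        if (!r || !r.ok) { logout('server-refused'); return; }
        state.expiresAt = r.expiresAt;
        schedule();
      });
    }
    ask(answer);
  }

  schedule();
  return { state, stop() { if (handle !== null) clearTimer(handle); } };
}
```

Usage in a page would be `startSessionWatch({ expiresAt: serverExpiresAt, ask: showStayLoggedInDialog, extend: postExtend, logout: () => location.assign('/') })`, where `serverExpiresAt` is the value the server rendered into the page. Reading the expiry from the server response rather than from a login time kept in LocalStorage keeps the browser's clock and the browser's storage out of the decision; a tampered value in LocalStorage would only make the warning appear at the wrong time, and the server would still reject the expired session.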