06-13-2019, 08:38 PM
Ioan,
You might consider thinking of the keepalive and security timeout separately.
Keep track of your user's last "touch time" and bail out if they try to do something after their security timeout. But, use the keepalive to maintain the session and you can set session timeout relatively short (arbitrarily short and not affected by security timeout).
If you need to proactively show a "signed out" message then set up a relatively long timer to occasionally clean up. Your security is met by not accepting activity after, say, 10 minutes even if the cleanup timer only fires every 15 or 20 minutes. Should be very low overhead.
Dan
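
A minimal sketch of the split described in the post above, added here as an illustration and not code from the thread or from any particular framework. `SessionManager`, its method names and the 60-second session timeout are assumptions; the 10-minute security timeout is the post's example figure.

```python
import time

SECURITY_TIMEOUT = 600  # seconds without real user activity (the post's "say, 10 minutes")
SESSION_TIMEOUT = 60    # assumed short session timeout, refreshed by keepalive pings

class SessionManager:
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.sessions = {}  # sid -> {"last_touch": t, "last_seen": t}

    def login(self, sid):
        now = self.clock()
        self.sessions[sid] = {"last_touch": now, "last_seen": now}

    def _expired(self, s, now):
        return (now - s["last_touch"] > SECURITY_TIMEOUT
                or now - s["last_seen"] > SESSION_TIMEOUT)

    def keepalive(self, sid):
        """Client ping: keeps the session alive, never counts as user activity."""
        s, now = self.sessions.get(sid), self.clock()
        if s is None or now - s["last_seen"] > SESSION_TIMEOUT:
            self.sessions.pop(sid, None)
            return False
        s["last_seen"] = now  # last_touch is deliberately left untouched
        return True

    def user_action(self, sid):
        """Real user request: rejected once the security timeout has passed."""
        s, now = self.sessions.get(sid), self.clock()
        if s is None or self._expired(s, now):
            self.sessions.pop(sid, None)
            return False
        s["last_touch"] = s["last_seen"] = now
        return True

    def cleanup(self):
        """Infrequent sweep (e.g. every 15-20 minutes) that signs out stale sessions."""
        now = self.clock()
        stale = [sid for sid, s in self.sessions.items() if self._expired(s, now)]
        for sid in stale:
            del self.sessions[sid]
        return stale
```

The security decision is made in `user_action`, so a late or infrequent `cleanup` run only delays the "signed out" message and never extends access.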

