Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
How does session timeout work?
#1
I have my Main.pas property Keep alive property checked
The Timeout in the server controller is set to 10. 

Even after 10 minutes the Main page does not show a session expired message. 

Could someone explain how this process works? do I need to program for a page redirect to a custom session time out page ? 

Thanks
Reply
#2
If you have a keep alive it does exactly that. It keeps the session alive so of course it will not time out.
Reply
#3
(04-22-2019, 01:56 PM)kudzu Wrote: If you have a keep alive it does exactly that. It keeps the session alive so of course it will not time out.

Thank you! I was under the impression that it keeps the page alive only till the user interacts with it. 

So am I right in saying that even if the user is interacting with the page, the page will timeout if the keepalive is not set. 

How do I determine inactiveness and then expire the page?

Thank you for your help.
Reply
#4
You dont need to do anything. IntraWeb will do it for you.

Every time the user does something that causes a server call (most button clicks etc), the timeout timer is restarted.

If the server sees no activity within the period set in the ServerController, the session will be timed out. If the user then tries to submit to the server after that they will be displayed a message that their session has timed out. There are options in the SC to control what happens, ie nothing, a new session restarted, etc.
Reply
#5
A couple of points, just to be sure everybody is talking about the same thing.  You used the generic term "keep alive".  There are two keep alive properties.  One is httpkeepalive, which is the KeepAlive property of the HTTP connection.  The other is on the form as MyForm.Keepalive.  This second one is the one Chad is referring to, and I think you are referring to the same.

As to how the session timeout works, here is a short version (mostly accurate).

1.  The session timeout kills the session after X time of no activity from the browser.
2.  The MyForm.Keepalive, when set, will *automatically* create activity for the user, in the background, and will keep the session from timing out so long as the form exists.  That is, if they close the form or navigate elsewhere (away from an IW form with keepalive) the session will time out but if the form is still active it will not time out.

The MyForm.Keepalive works by knowing the timeout delay (X) and sending a message to the server about 3 or 4 times during that time.

All of that plumbing is in the form code, you don't have to do anything but set the MyForm.KeepAlive.

The MyForm.Keepalive stays active on desktop browsers even if the window is not active but, in my experience, only stays active on mobile browsers while that window is in use.

Dan
Reply
#6
Thank you for your replies. I unchecked the MainForm.KeepAlive, so its false now and the HTTPKeepAlive was already set to False. My Sessiontimeout is set to 30(minutes) but the page doesnt timeout. I kept it open abut minimized and when i entered data or refreshed it, the page didnt timeout.

Are there any other settings I need to check to make sure it works like it should?
Reply
#7
"when i entered data or refreshed it"

When you do this, you are resetting the timer each time..... This is by design.
Reply
#8
(04-23-2019, 01:26 PM)msgopala Wrote: Thank you for your replies. I unchecked the MainForm.KeepAlive, so its false now and the HTTPKeepAlive was already set to False. My Sessiontimeout is set to 30(minutes) but the page doesnt timeout. I kept it open abut minimized and when i entered data or refreshed it, the page didnt timeout.

Are there any other settings I need to check to make sure it works like it should?

Keep alive is an option.  It didn't even used to exist. I've got a pretty extensive app and have never used it.  

Without enabling KeepAlive, your session will time-out based on the sessiontimeout property.  A timeout occurs when the user doesn't have any interaction with the app/page for the duration of the sessiontimeout period.  So, with your 30 minute timeout, if you start a session and then don't touch the browser for 30 minutes, the timeout will occur.  But each time you interact with the page in the browser, the 30 minute timer starts over again.  When a session times out, nothing changes in the browser. (i.e. no popup or other message) The session is simply deleted on the server.  In fact, if you put a breakpoint in your UserSession destructor, you'll see it is hit when the session timeout limit occurs.  After a session times-out and the session has been destroyed on the server, any additional actions in the browser will result in the user being told that their session has timed out.  (you can let IW report this to the user, or you can handle it. that's a different topic)

The purpose of a KeepAlive option is to prevent time-outs.  SessionTimeout has almost no purpose if you enable KeepAlive.  KeepAlive is JS in the browser sending a tiny request every once in a while so that the server starts the timeout clock again.  The idea is that for as long as the form is displayed in the browser, and that JS runs, the session will never end. But when you close that browser window, the JS stops calling back to your app and the session will timeout.  (based on the sessiontimeout property)

That's my best explanation.  Now, in writing this explanation, something has occurred to me:
In my app, written before KeepAlive was an option, I set my clients' timeouts to about 4 hours.  I did this because I believed that they left the browser open on their desktop all day and didn't want to have to log in each time they clicked on it.  With the advent of KeepAlive, it would make much more sense to set the sessiontimeout to 10 minutes and enable KeepAlive. That way, as long as they leave the browser open on their desktop, the session will stay active.  But as soon as they close their browser, the session will wait 10 minutes and destroy itself.  I plan to implement that today because of your question. Thanks!

Pete
Reply
#9
Yes, as Pete says, SessionTimeout with keepalive is mainly for detecting when the browser disappears.  It sometimes makes sense to time your user's activity in some other way.  I have done that.

Also, as Chad has indicated, SessionTimeout doesn't care whether a user or some other activity tickles it.  It starts over when the browser does something to indicate it's still there.  KeepAlive works exactly that way, as Pete described, it just sends a simple message to tickle the server.

If you take an empty form with a SessionTimeout and no Keepalive, your session WILL time out.  Add simple controls and it will still timeout.  Add some automatic refresh or other trigger and it won't.

You might want to play with it some.  That's the best way to find the boundaries and behavior.

Dan
Reply
#10
(04-24-2019, 05:51 AM)DanBarclay Wrote: Yes, as Pete says, SessionTimeout with keepalive is mainly for detecting when the browser disappears.  It sometimes makes sense to time your user's activity in some other way.  I have done that.

Also, as Chad has indicated, SessionTimeout doesn't care whether a user or some other activity tickles it.  It starts over when the browser does something to indicate it's still there.  KeepAlive works exactly that way, as Pete described, it just sends a simple message to tickle the server.

If you take an empty form with a SessionTimeout and no Keepalive, your session WILL time out.  Add simple controls and it will still timeout.  Add some automatic refresh or other trigger and it won't.

You might want to play with it some.  That's the best way to find the boundaries and behavior.

Dan

Thank you I will play around with the settings to see what works out best. Currently looking at Server cookies, session cookies, session time out and IWServerControllerBaseCloseSession.

(04-23-2019, 04:45 PM)pete@pdmagic.com Wrote:
(04-23-2019, 01:26 PM)msgopala Wrote: Thank you for your replies. I unchecked the MainForm.KeepAlive, so its false now and the HTTPKeepAlive was already set to False. My Sessiontimeout is set to 30(minutes) but the page doesnt timeout. I kept it open abut minimized and when i entered data or refreshed it, the page didnt timeout.

Are there any other settings I need to check to make sure it works like it should?

Keep alive is an option.  It didn't even used to exist. I've got a pretty extensive app and have never used it.  

Without enabling KeepAlive, your session will time-out based on the sessiontimeout property.  A timeout occurs when the user doesn't have any interaction with the app/page for the duration of the sessiontimeout period.  So, with your 30 minute timeout, if you start a session and then don't touch the browser for 30 minutes, the timeout will occur.  But each time you interact with the page in the browser, the 30 minute timer starts over again.  When a session times out, nothing changes in the browser. (i.e. no popup or other message) The session is simply deleted on the server.  In fact, if you put a breakpoint in your UserSession destructor, you'll see it is hit when the session timeout limit occurs.  After a session times-out and the session has been destroyed on the server, any additional actions in the browser will result in the user being told that their session has timed out.  (you can let IW report this to the user, or you can handle it. that's a different topic)

The purpose of a KeepAlive option is to prevent time-outs.  SessionTimeout has almost no purpose if you enable KeepAlive.  KeepAlive is JS in the browser sending a tiny request every once in a while so that the server starts the timeout clock again.  The idea is that for as long as the form is displayed in the browser, and that JS runs, the session will never end. But when you close that browser window, the JS stops calling back to your app and the session will timeout.  (based on the sessiontimeout property)

That's my best explanation.  Now, in writing this explanation, something has occurred to me:
In my app, written before KeepAlive was an option, I set my clients' timeouts to about 4 hours.  I did this because I believed that they left the browser open on their desktop all day and didn't want to have to log in each time they clicked on it.  With the advent of KeepAlive, it would make much more sense to set the sessiontimeout to 10 minutes and enable KeepAlive. That way, as long as they leave the browser open on their desktop, the session will stay active.  But as soon as they close their browser, the session will wait 10 minutes and destroy itself.  I plan to implement that today because of your question. Thanks!

Pete

Thanks. the keepalive option had kept a lot of users logged in and it started to create a lag on our database, if they didnt close their browsers. To get around that I had to set keepalive to false.

 I am currently looking at the settings,  Server cookies, session cookies, session time out and IWServerControllerBaseCloseSession. to see what will work out best for us.

(04-23-2019, 02:32 PM)kudzu Wrote: "when i entered data or refreshed it"

When you do this, you are resetting the timer each time..... This is by design.

Ok, thank you
Reply


Forum Jump:


Users browsing this thread: robhercarloz, 1 Guest(s)