Best way to handle web app connection timeout ?

Robert Brenstein rjb at robelko.com
Tue Feb 22 10:22:55 EST 2005


>I've built a client web app that connects to mySQL
>on a distant server. Every user has a login & pwd
>that are handled by a cgi script on the server.
>There's also a 15 min timeout : after 15 min of
>inactivity, users need to re-enter their login & pwd.
>
>Everything works fine, except in 1 situation : if
>the user's computer freezes and needs a reboot, when
>he tries to re-log, the cgi script detects that some
>activity occurred during the past 15 min and refuses
>to log him in. So the user needs to wait several minutes before
>he's allowed to relog.
>At first I thought I could compare the IP when re-logging
>with the IP of the previous activity, but that doesn't work
>in 2 situations :
>- 2 users working on the same LAN will share the same IP
>- if the computer connection is due to a net access problem,
>when rebooting and reconnecting, the user might be given a new
>IP by his ISP...
>
>So here's another solution I've been thinking of : after logging in,
>the web app would automatically send a brief authentication
>request every 30 or 60 sec. In that case, any gap of more than
>60 sec would be considered as a disconnection, and re-logging would
>be much easier. This method could also be used on a website
>with a hidden frame configured as push.
>The drawback of this method is that it increases the server activity...
>
>I didn't mention it before, but it is obvious that I don't want to
>use any form of cookie...
>
>So I'd like to know what you guys think of this, and if there's
>any better solution available...
>
>Thanks in advance,
>JB

I have faced a similar issue. Actually, worse it seems. Some of my 
users use dialup services that may assign a different IP address to 
each request, so the IP is not fixed even during a single continuous 
session. One solution I came up with is to use a custom generated 
token to track the session instead of the IP address. It combines the fixed 
part of the IP range with a portion of seconds(). Of course, in order 
for it to survive a crash, it has to be somehow saved, although I 
actually allow (and require) relogin for those services when the token is 
missing.

Robert
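Added illustration of the two ideas in this thread (the 60-second heartbeat from JB's message and the server-side session token from Robert's reply), written in Python as a stand-alone sketch rather than LiveCode; it is not code from either poster. It assumes a 15-minute idle timeout and a 60-second heartbeat gap as in the thread, uses an unguessable random token instead of one built from the IP range and clock, and takes a `check_credentials` callback as a stand-in for whatever the CGI script does to verify the login and password.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60   # seconds of inactivity before re-login is required (from the thread)
HEARTBEAT_GAP = 60       # a client silent for longer than this is treated as disconnected


class SessionStore:
    """Server-side session table keyed by a random token (constructed example)."""

    def __init__(self, clock=time.time):
        self.clock = clock      # injectable clock so the behaviour can be exercised offline
        self.sessions = {}      # token -> {"user": str, "last_seen": float}
        self.by_user = {}       # user -> current token

    def login(self, user, password, check_credentials):
        """Verify credentials and open a fresh session; returns the token or None."""
        if not check_credentials(user, password):
            return None
        # A successful login replaces any earlier session for the same user, so a
        # client that froze and rebooted is never locked out by its own stale session.
        old = self.by_user.pop(user, None)
        if old is not None:
            self.sessions.pop(old, None)
        token = secrets.token_urlsafe(32)   # unguessable, unlike an IP/clock-derived token
        self.sessions[token] = {"user": user, "last_seen": self.clock()}
        self.by_user[user] = token
        return token

    def touch(self, token):
        """Heartbeat or ordinary request: refresh last_seen, return True if still valid."""
        s = self.sessions.get(token)
        if s is None:
            return False
        now = self.clock()
        if now - s["last_seen"] > IDLE_TIMEOUT:
            self.logout(token)      # idle timeout expired: drop the session
            return False
        s["last_seen"] = now
        return True

    def is_connected(self, token):
        """True only if a heartbeat arrived within the last HEARTBEAT_GAP seconds."""
        s = self.sessions.get(token)
        return s is not None and self.clock() - s["last_seen"] <= HEARTBEAT_GAP

    def logout(self, token):
        s = self.sessions.pop(token, None)
        if s is not None:
            self.by_user.pop(s["user"], None)
```

With the 60-second heartbeat in place, the server can tell a crashed client (no heartbeat, token gone or stale) from an active one, and a correct re-login simply replaces the old session instead of being refused for the rest of the 15-minute window.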


More information about the use-livecode mailing list