Session timeout using prototype

You can use setTimeout to execute a function after a period:

<script type="text/javascript">
// setTimeout takes the callback first, then the delay in ms (15 minutes here)
setTimeout(function(){ document.location = '<your url>'; }, 1000*60*15);
</script>

Andrew Timberlake
http://ramblingsonrails.com

http://MyMvelope.com - The SIMPLE way to manage your savings

You could have a timeout variable that you set to 15 minutes in the future.
When you update the results, you can also update the variable with a
new timeout time.
Run setTimeout (maybe 1 minute) to check if the time has exceeded the variable.
If it has, change the page; if not, reset the timeout to check again.

Andrew Timberlake
http://ramblingsonrails.com


"say, if the browser is idle for 15 mins, then it automatically redirect
to the admin/logout, where admin is my controller name, logout is the
method name."

To get it to only log them off if the browser has been idle for 15
minutes you could create a JavaScript listener. The easiest way would be
to detect mouse movement, key presses, clicks and supplement that with
an onunload listener so all bases are covered. When time runs out, the
page is automatically redirected and the session reset. When the page
unloads, the server is notified. The server will then store an attribute
in their session specifying when they became inactive. Depending on
whether or not you are using the cookie session store, you might want to
store this info in the database rather than in the session store just
because there is a remote possibility of a replay attack. If the user
reloads any page more than 15 minutes after the last activity, the
session will reset.

Here is the code (it assumes you are using prototype):

// idle.js
// portions adapted from
// http://www.andrewsellick.com/67/simple-javascript-idle-state-using-prototype
// 15 min in ms
var idleTime = 900000;
var timeOut = '';

function init() {
    // Ask the server whether the session has already gone inactive
    new Ajax.Request('/login/inactivity?action=check',
        {asynchronous:true, evalScripts:true});
    // Any mouse, click or key activity restarts the idle timer
    Event.observe(document.body, 'mousemove', resetIdle, true);
    Event.observe(document.body, 'click', resetIdle, true);
    Event.observe(document.body, 'keypress', resetIdle, true);

    setIdle();
}

// Idle time is up: log out on the server, then go to the login page
function onIdleFunction(){
    new Ajax.Request('/login/logout?rsn=inactivity', {asynchronous:true,
        onComplete:function(){document.location.href='/login'}});
}

function resetIdle(){
    window.clearTimeout( timeOut );
    setIdle();
}

function setIdle(){
    // Pass the function itself rather than a string to be evaluated
    timeOut = window.setTimeout( onIdleFunction, idleTime );
}

// Tell the server the page is being left so it can record the time
function unloadReport() {
    new Ajax.Request('/login/inactivity?action=set', {asynchronous:true});
}

Event.observe(window, 'load', init, false);
Event.observe(window, 'unload', unloadReport, false);

Controller code will follow in the next post

Ben Vishny wrote:

// idle.js
// Adapted from
// http://www.andrewsellick.com/67/simple-javascript-idle-state-using-prototype
// 15 min in ms
var idleTime = 900000;
var timeOut = '';

function init() {
    // Ask the server whether the session has already gone inactive
    new Ajax.Request('/login/inactivity?do=check',
        {asynchronous:true, evalScripts:true});
    // Any mouse, click or key activity restarts the idle timer
    Event.observe(document.body, 'mousemove', resetIdle, true);
    Event.observe(document.body, 'click', resetIdle, true);
    Event.observe(document.body, 'keypress', resetIdle, true);

    setIdle();
}

// Idle time is up: log out on the server, then go to the login page
function onIdleFunction(){
    new Ajax.Request('/login/logout?rsn=inactivity',
        {asynchronous:true,
         onComplete:function(){document.location.href='/login'}});
}

function resetIdle(){
    window.clearTimeout( timeOut );
    setIdle();
}

function setIdle(){
    // Pass the function itself rather than a string to be evaluated
    timeOut = window.setTimeout( onIdleFunction, idleTime );
}

// Tell the server the page is being left so it can record the time
function unloadReport() {
    new Ajax.Request('/login/inactivity?do=set', {asynchronous:true});
}

Event.observe(window, 'load', init, false);
Event.observe(window, 'unload', unloadReport, false);

EDIT: use this updated version of the code

# Goes in login controller

def inactivity
  case params[:do]
  when "check"
    # already done by check_activity before filter
  when "set"
    session[:inactive_at] = Time.now
  end
end

# application-wide before_filter
def check_activity
  if session[:inactive_at]
    if session[:inactive_at] < 15.minutes.ago
      reset_session
      flash[:notice] = "Your session has timed out due to inactivity."
      redirect_to :controller => :login
    else
      session[:inactive_at] = nil
    end
  end
end

The reason I use inactive_at rather than last_active is that the
mouse/keyboard/click activity part would use up too many resources if it
continually let the server know when stuff happened.
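
Added example, not part of the thread or anyone's posted code: a way to keep the server informed of activity without a request per event, by sending at most one heartbeat per interval, and to decide idleness by comparing timestamps (the periodic-check idea from earlier in the thread) so that input arriving after the deadline cannot revive the session. It goes one step beyond the posts above; createIdleTracker and its option names are hypothetical, and the callbacks are where the Ajax.Request calls and the redirect would be wired in.

```javascript
// Added example. createIdleTracker and its options (idleMs, heartbeatMs,
// now, onHeartbeat, onIdle) are hypothetical names, not Prototype APIs.
function createIdleTracker(opts) {
  var now = opts.now || Date.now;   // injectable clock keeps the logic testable
  var lastActivity = now();
  var lastHeartbeat = null;
  var expired = false;

  // Compare timestamps rather than trusting one long timer: timers slip
  // while a laptop sleeps or a background tab is throttled.
  function check() {
    if (!expired && now() - lastActivity >= opts.idleMs) {
      expired = true;
      opts.onIdle();                // e.g. request logout, then redirect
    }
    return expired;
  }

  // Call from the mousemove / click / keypress observers.
  // Returns true only when a heartbeat was actually sent.
  function activity() {
    if (check()) return false;      // late activity must not revive the session
    var t = now();
    lastActivity = t;
    if (lastHeartbeat !== null && t - lastHeartbeat < opts.heartbeatMs) return false;
    lastHeartbeat = t;
    opts.onHeartbeat();             // one request so the server can record activity
    return true;
  }

  return { activity: activity, check: check };
}

// Constructed demo with a fake clock: 600 mousemove events in one minute
// produce one heartbeat, and activity after the deadline is rejected.
function demo() {
  var clock = 0, beats = 0, idleCalls = 0;
  var tracker = createIdleTracker({
    idleMs: 15 * 60 * 1000, heartbeatMs: 60 * 1000,
    now: function () { return clock; },
    onHeartbeat: function () { beats++; },
    onIdle: function () { idleCalls++; }
  });
  for (var i = 0; i < 600; i++) { clock += 100; tracker.activity(); }
  var afterBurst = beats;
  clock += 15 * 60 * 1000;                // 15 minutes with no input
  var lateActivity = tracker.activity();  // user returns after the deadline
  tracker.check();                        // a later periodic check must not fire onIdle again
  return { afterBurst: afterBurst, beats: beats, idleCalls: idleCalls, lateActivity: lateActivity };
}
```

In the page, check() would be run from a short repeating timer (for example once a minute), and the server would still enforce the 15-minute limit itself from the last heartbeat it received.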