
We have a web application that is publicly accessible. When a user is logged in, he fills in his personal details.

The Problem: The user may forget to close the browser in a kiosk or a shared environment, potentially allowing some other user to see his personal information.

We are using a session timeout of 5 min.

My Thoughts: Is it better to build a separate app for a kiosk environment where I can ask the users "Is this a shared or public computer?" If yes, how would I implement it further?

For every 3 minutes of inactivity we want to prompt the user: "Do you want to continue?" If yes, ask them to confirm their password, just to make it more secure.

I have seen the link below: Security considerations for an ASP.Net web application that will be used on a public computer or kiosk

Could you please share more thoughts on this issue: how to make it more secure.

user804401
  • I have edited your title. Please see, "[Should questions include “tags” in their titles?](http://meta.stackexchange.com/questions/19190/)", where the consensus is "no, they should not". – John Saunders May 08 '13 at 05:37
  • @JohnSaunders: I need your [help](http://meta.stackexchange.com/questions/179364/will-tags-in-title-be-prohibited-programmatically-ever) :) – abatishchev May 08 '13 at 05:40
  • I don't think this question is appropriate for SO. It's not really a specific programming problem, as much as a vague poll for design suggestions. Seems like what you really need is to hammer out the security requirements in more detail. Focus on how to implement those requirements and ask about problems encountered while doing so. – millimoose May 13 '13 at 15:02
  • This problem is difficult to solve using remote web software. Are you able to design or control the kiosk itself? If not, are you able to influence training and practices for kiosk attendants? – Matthew May 13 '13 at 15:36
  • Matthew, I will be more precise about my problem: we are using DotNetNuke. On every page, if there is any inactivity for about 3 minutes, I want to show an alert to the user and redirect to a confirm-password page. Can I do this in JavaScript, or could I implement it on the server side? Could you provide any references, please? – user804401 May 14 '13 at 05:17

1 Answer

You will have to use JavaScript of some sort. The server does not have the ability to update the client Web page without some sort of client side scripting (obviously JavaScript) to handle a request. I have done something similar, asking a user if they want to keep their session alive through showing a Pop-Up message. But in your case it seems like you should create a DNN page for re-login and add a custom module or HTML block with a simple JavaScript in it to every page you want to check logins (or put it in your template header or footer) which redirects the user to a re-login screen. Something like:

var idleTimer;

function setHeartbeat() {
    // Restart the idle clock; 3 minutes as in the question (the original used 5 min,
    // which is also the server session timeout, so the redirect would arrive too late).
    clearTimeout(idleTimer);
    idleTimer = setTimeout(heartbeat, 180000); // 3 min of inactivity
}

function heartbeat() {
    window.location.href = "Relogin.aspx?LastPage=" + encodeURIComponent(window.location.href);
}

// Any user activity counts as "not idle" and restarts the clock.
document.onkeydown = document.onmousemove = document.onclick = setHeartbeat;
setHeartbeat();

then Relogin.aspx will have a message at the top that the user has been idle for 3 minutes, and provide the password box. After the user logs in you can redirect them back to LastPage (it's been a while since I've used DNN, but I think there is a way to format the URL so it automatically redirects).

A more user friendly option would be to show a Pop-Up after the 3 minutes, showing a message and password field with an OK button. Again, this can be done with jQuery, where you have something like:

<div id="confirmSession" style="display: none">
<p class="message" style="display: none;"></p>
<p>You have been idle for 3 minutes, if you want to continue your session please re-enter your password.</p>
<p>Password: <input type="password" id="password" /></p>
<input type="button" id="btnContinueSession" value="Continue" />
<!-- <%= %> renders the value; <%# %> is data-binding syntax and needs DataBind() to be called.
     The logged-in name lives on Identity.Name, not on a "Principal" property. -->
<input type="hidden" id="userName" value='<%= HttpContext.Current.User.Identity.Name %>' />
</div>

and the following JavaScript:

var idleTimer;

function setHeartbeat() {
    // 3 minutes, matching the message shown to the user above.
    clearTimeout(idleTimer);
    idleTimer = setTimeout(heartbeat, 180000);
}

function heartbeat() {
    $("#confirmSession").show();
}

$("#btnContinueSession").click(function () {
    $.ajax({
        type: "post",
        url: "/relogin.aspx",
        // The server needs both values to re-validate the user.
        data: {
            userName: $("#userName").val(),
            password: $("#password").val()
        },
        error: function (jqXHR, textStatus) {
            // Login failed for some reason, typically page not available (404), a wrong password
            // rejected by the server, or code threw an error, so have the user try again.
            $(".message").text("Login failed (" + (jqXHR.status || textStatus) + "), please try again");
            $(".message").show();
        },
        success: function () {
            $(".message").hide();
            $("#confirmSession").hide();
            setHeartbeat();
        },
        complete: function () {
            $("#password").val(""); // never leave the typed password sitting in the page
        }
    });
});

setHeartbeat();

Here you'll have to create a relogin.aspx page or some other service which will take in the username and password, re-validate the user, and return an error if the password was invalid (caught in the jQuery above and shown to the user). This is obviously a bit more work, and will need custom coding for the validation, versus simply redirecting to a login screen, but it is much more user friendly.

In this Ajax approach, it's worth noting that your server session timeout may have to be longer than 3 minutes. If it's three minutes or less, and the user enters their password, they will already be logged out of the server, and you'll get an invalid authentication error. So overall redirecting to the login page may make the most sense. But you'll want to make sure that if a user has entered data you save it in a cookie or somehow, so you can re-fill it (I've heard hundreds of times of people being frustrated that their data was "lost").

Examples I've taken from are:

tlbignerd
  • Thanks for your valuable input, this helps me. One more question: for every page, on a browser back-button click I have to create a custom "page expired" page. My doubt is where I would write this code; should I write it in every module, since DotNetNuke does not have a master page? On this custom page I will have a link that will redirect him to the login page again. – user804401 May 18 '13 at 05:50
  • For the kiosk, I would recommend disabling the right-click menu and not showing the browser bar at all, so it would be harder for the person to ever go back. That being said, I'd recommend you use a jQuery plug-in and put it in a javascript file that is included on every page (so, include the javascript in your top navigation bar so it's everywhere on the site). – tlbignerd May 18 '13 at 15:59
  • Check out this StackOverflow article for some ideas on how to override the back button: http://stackoverflow.com/questions/1844491/intercepting-call-to-the-back-button-in-my-ajax-application-i-dont-want-it-to – tlbignerd May 18 '13 at 16:06
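As an added example (not code from the question, the answer or DotNetNuke), here is the client side of the idle lock the question and answer describe, written so that the idle clock actually restarts on user activity rather than firing on a fixed schedule. After 3 minutes without activity it hides the personal-details form and shows the re-enter-password prompt; if the server has not confirmed the password within a further grace period it navigates to a logout URL, so the session is ended on the server instead of being left alive on the kiosk. The timing constants, the URLs `/relogin.aspx` and `/logout.aspx`, the element ids `personalDetails`, `confirmSession`, `password` and `btnContinueSession`, and the assumption that `/relogin.aspx` answers HTTP 200 only for a correct password are all mine. The state machine takes its timer functions as parameters so it can be driven by the fake clock at the bottom without a browser.

```javascript
// Added example, not from the original post. Kiosk inactivity lock: idle clock
// restarts on activity, lock after IDLE_MS, logout if no server-confirmed re-auth
// within GRACE_MS. All URLs, ids and timings are assumptions.

const IDLE_MS = 3 * 60 * 1000;  // lock after 3 minutes without activity
const GRACE_MS = 90 * 1000;     // idle + grace (4.5 min) stays under the 5-minute server
                                // timeout, so the re-auth POST still has a live session
const RELOGIN_URL = "/relogin.aspx";  // assumed: HTTP 200 only on a correct password
const LOGOUT_URL = "/logout.aspx";    // assumed: invalidates the server-side session

class IdleLock {
  constructor({ idleMs = IDLE_MS, graceMs = GRACE_MS,
                schedule = (fn, ms) => setTimeout(fn, ms), cancel = (id) => clearTimeout(id),
                onLock = () => {}, onLogout = () => {} }) {
    Object.assign(this, { idleMs, graceMs, schedule, cancel, onLock, onLogout });
    this.state = "active";          // "active" | "locked" | "loggedOut"
    this.failedAttempts = 0;
    this.idleTimer = null;
    this.graceTimer = null;
    this.activity();
  }

  // Called on every keystroke/click/scroll: restart the idle clock.
  activity() {
    if (this.state !== "active") return;   // typing into the lock prompt must not unlock it
    this.cancel(this.idleTimer);
    this.idleTimer = this.schedule(() => this.lock(), this.idleMs);
  }

  lock() {
    if (this.state !== "active") return;
    this.state = "locked";
    this.onLock();
    this.graceTimer = this.schedule(() => this.logout(), this.graceMs);
  }

  // Outcome of the server's password check; the client never compares passwords itself.
  reauthResult(serverAccepted) {
    if (this.state !== "locked") return false;
    if (!serverAccepted) { this.failedAttempts += 1; return false; }
    this.cancel(this.graceTimer);
    this.state = "active";
    this.failedAttempts = 0;
    this.activity();
    return true;
  }

  logout() {
    if (this.state === "loggedOut") return;
    this.cancel(this.idleTimer);
    this.cancel(this.graceTimer);
    this.state = "loggedOut";
    this.onLogout();
  }
}

// Fake clock so the lock can be exercised without a browser (constructed for testing).
function makeFakeClock() {
  let now = 0, nextId = 0;
  const timers = new Map();
  return {
    schedule(fn, ms) { timers.set(++nextId, { at: now + ms, fn }); return nextId; },
    cancel(id) { timers.delete(id); },
    advance(ms) {
      now += ms;
      [...timers].filter(([, t]) => t.at <= now).sort((a, b) => a[1].at - b[1].at)
        .forEach(([id, t]) => { timers.delete(id); t.fn(); });
    },
  };
}

// Browser wiring; skipped under Node. Element ids are assumptions.
if (typeof document !== "undefined") {
  const details = document.getElementById("personalDetails");
  const prompt = document.getElementById("confirmSession");
  const lock = new IdleLock({
    onLock() { details.style.visibility = "hidden"; prompt.style.display = "block"; },
    onLogout() { window.location.replace(LOGOUT_URL); },
  });
  ["mousemove", "keydown", "click", "scroll", "touchstart"]
    .forEach((ev) => document.addEventListener(ev, () => lock.activity(), true));
  document.getElementById("btnContinueSession").addEventListener("click", async () => {
    const field = document.getElementById("password");
    const body = new URLSearchParams({ password: field.value });
    field.value = "";   // do not leave the typed password sitting in the DOM
    const res = await fetch(RELOGIN_URL, { method: "POST", body, credentials: "same-origin" });
    if (lock.reauthResult(res.ok)) { details.style.visibility = ""; prompt.style.display = "none"; }
    else document.querySelector("#confirmSession .message").textContent = "Password not accepted";
  });
  // A page restored from the back/forward cache would show the old form without asking
  // the server; force a real round trip so the server's session check decides.
  window.addEventListener("pageshow", (e) => { if (e.persisted) window.location.reload(); });
}
```

The client-side timer is only a convenience for the user: the server's own session timeout remains the control that actually limits exposure, which is why the grace period is chosen so that idle plus grace stays below it and the re-auth request is still tied to a live session. Activity while the prompt is open deliberately does not count, otherwise a passer-by moving the mouse would keep the session alive.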