
So I need to implement an auto-logout feature for WordPress. With JavaScript this seems straightforward:

  • Prompt after X minutes idle (jQuery.nap), alternate <title> to gain attention
  • If there is no confirmation after Y seconds, run logout

Seeing that the point of an auto-logout feature is security, would that deem it necessary to have a no-JavaScript fallback?

And if so, the only solution I can see is to store & compare access times on successive requests, but the caveats I can already see are:

  • It's no longer 'idle' time (time the user is effectively 'away'), merely time between each page load.
  • If a user has walked away, whatever is currently on the page is vulnerable indefinitely, until the next request fires the logout.

I could say, for argument's sake, a server-side solution to log out after Z hours between requests, as opposed to a much shorter time for JavaScript?

What are your thoughts on the matter, and my proposed solution?

TheDeadMedic
  • Relative question: http://stackoverflow.com/questions/4880891/javascript-settimeout-and-changes-to-system-time-cause-problems – madr Mar 04 '11 at 14:38
  • @madr That only seems to address a JavaScript solution. Although it has opened my eyes to Comet - anyone care to involve this as a possible solution? – TheDeadMedic Mar 04 '11 at 14:46

1 Answer


Using JavaScript for this seems precarious at best to me. If the threat is the user walking away from the computer while logged in, and then an attacker walking up and doing bad things on his account, then the attacker could very well just disable JavaScript upon walking up to the machine. Unless of course the timer has already hit by the time the attacker gets there. But that would mean the timer would have to be pretty short.

I don't know about you, but I HATE websites that automatically log you off in a couple of minutes. It's a huge hassle for very little security benefit, IMO. It just doesn't seem like a realistic threat to me: Someone following one of your users, who happens to be in a public space, using an important account, then walks away leaving the computer unguarded?

A more realistic threat would be that the connection itself gets hijacked from someone quitting out of the browser without actually logging off or something. Having a server-side timeout of maybe an hour would be useful there.

AltF4
  • I hate it too, but client wants, client gets ;) The main advantage of JavaScript is that it can truly detect 'idle' time + it can also logout when the user goes walkies (ideally before Mr Nasty comes along). I was thinking the server-side timeout as a failsafe, plus the JavaScript for the UI prompt/idle screen. Either way, like you say, a machine can't protect a fool. – TheDeadMedic Mar 05 '11 at 00:41