0

Is there any way to tell Chrome to NOT restore the session when re-opening a closed page? Maybe a special header?

When my employees log into my company app it is very state-dependent. If they are inactive for 60 minutes I want to log them out and delete all data relevant to what they were doing, but the problem is that Chrome has this handy feature where it will re-open your page right where you left off and not question a thing. My website will not know that they had the browser closed for two days and the setTimeout will not fire for another 50 minutes.

I have another couple of wacky workarounds, but I would prefer it if I could just tell Chrome to not try salvaging old sessions and instead treat every opening like it was just opened for the first time. Maybe disable caching through JavaScript?

Edit: I am using IIS to serve the Angular 9 static HTML and JavaScript.

Samuel Thompson

2 Answers

1

So, as you mentioned, you're using a static website without a backend. Though you haven't mentioned anything, I'm assuming you're using sessionStorage or localStorage to handle authentication. If that's the case, what you can do is set a timer whenever a user logs in and maintain a localStorage to keep track of the idle time.

let obj_date = new Date();
let miliseconds = obj_date.getTime(); // Returns the number of milliseconds since 1970/01/01
localStorage.setItem("idle_time", miliseconds);

After that, keep calling the following function from within something like setInterval() every 10, 20, 30 or 60 seconds (as per your choice) to check if that time limit has expired.

function check_if_session_expired() {
  let max_idle_minutes = 60;
  // Read the clock on every call; a Date object created at login never advances.
  let miliseconds_now = Date.now();
  // localStorage stores strings, so convert the saved value back to a number.
  let get_idle_time_in_miliseconds = Number(localStorage.getItem("idle_time"));
  let one_minute_to_milisecond = 1000 * 60;
  if ((Math.round(miliseconds_now / one_minute_to_milisecond) - Math.round(get_idle_time_in_miliseconds / one_minute_to_milisecond)) >= max_idle_minutes) {
    console.log("expired");
    //logout the user and clear sessionStorage/localStorage if you want
  } else {
    // Still within the limit: store the time of this check as the latest timestamp.
    localStorage.setItem("idle_time", miliseconds_now);
  }
}

You can use cookies to do the same.

Plabon Dutta
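
An added example, not part of either answer: an idle guard that compares a stored wall-clock timestamp at script start, on `pageshow` and on `visibilitychange`, so a tab Chrome restores after days is expired at once instead of waiting for the next timer tick. The storage key `last_activity_ms` and the `/login` route are assumptions.

```javascript
// Added example; IDLE_KEY and the /login route are assumptions.
const IDLE_KEY = "last_activity_ms";
const MAX_IDLE_MS = 60 * 60 * 1000; // 60 minutes, as in the question

// storage: localStorage-like object; now: returns epoch ms; onExpire: logout hook.
function createIdleGuard(storage, now, onExpire) {
  function check() {
    const raw = storage.getItem(IDLE_KEY);
    if (raw === null) return false; // no session recorded, nothing to expire
    const last = Number(raw);
    const valid = Number.isFinite(last) && last > 0;
    if (valid && now() - last < MAX_IDLE_MS) return true;
    storage.clear(); // expired or unparseable timestamp: wipe client-side state
    onExpire();
    return false;
  }
  return {
    start() { storage.setItem(IDLE_KEY, String(now())); }, // call at login
    check, // read-only test; never extends the session
    touch() { // call on real user input only
      if (!check()) return false;
      storage.setItem(IDLE_KEY, String(now()));
      return true;
    },
  };
}

// Browser wiring; skipped when no DOM is present.
if (typeof window !== "undefined") {
  const guard = createIdleGuard(window.localStorage, Date.now, () => {
    window.location.replace("/login"); // hypothetical login route
  });
  guard.check(); // runs as soon as a restored tab re-executes the script
  window.addEventListener("pageshow", () => guard.check()); // bfcache restores
  document.addEventListener("visibilitychange", () => {
    if (document.visibilityState === "visible") guard.check();
  });
  ["click", "keydown"].forEach((evt) =>
    window.addEventListener(evt, () => guard.touch()));
  setInterval(() => guard.check(), 30 * 1000);
}
```

This only clears state held in the browser; any token or session issued by a server still needs its own server-side expiry.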
0

What you want to do is destroy the session on the server side. Check the code below, which is written in PHP. However, if you get the idea, you can use anything to implement it.

<?php

session_start();

//Expire the session if user is inactive for 60 minutes or more.
$expireAfter = 60;

//Check to see if our "last action" session variable has been set.
if(isset($_SESSION['last_action'])){

    //Figure out how many seconds have passed since the user was last active.
    $secondsInactive = time() - $_SESSION['last_action'];

    //Convert our minutes into seconds.
    $expireAfterSeconds = $expireAfter * 60;

    //Check to see if they have been inactive for too long.
    if($secondsInactive >= $expireAfterSeconds){
        //User has been inactive for too long. Kill their session.
        $_SESSION = array();
        session_destroy();
        header("Location: http://".$_SERVER['SERVER_NAME'].":".$_SERVER['SERVER_PORT']."/example/login.php");
        exit;
    }

}

//Assign the current timestamp as the user's latest activity.
//This must come after the check above; otherwise the inactive time is always zero.
$_SESSION['last_action'] = time();

This is just a simple implementation and you can definitely extend it to make it work the way you want.

Plabon Dutta
  • So when Chrome opens back up does it check the server to see if the session is still active? – Samuel Thompson Apr 21 '20 at 20:01
  • When you browse the URL of the website, it will send a request to the webserver, which in turn, will check if a session is active or not. If the session is inactive, it won't serve or redirect you to the login page. This depends on how you design your server side logic, actually. – Plabon Dutta Apr 21 '20 at 20:07
  • So can I just add a session expiration tag in IIS? – Samuel Thompson Apr 21 '20 at 20:19
  • Yes. IIS session timeout values are given in the IIS configuration. 20 minutes is the default expiry time of a session. You can change it. Please take a look at this link: https://stackoverflow.com/questions/39153581/how-do-you-change-session-timeout-in-iis-8-5/39153780 – Plabon Dutta Apr 21 '20 at 20:25
  • My answer here demonstrates the fact about how you can handle the issue programmatically. You can implement this using any server side language. Logic will be same for all of them. – Plabon Dutta Apr 21 '20 at 20:40
  • I just checked your edited question and you made it clear that you're talking about a static website here without a backend. Let me help you on this one too. – Plabon Dutta Apr 21 '20 at 20:42
  • Please check my new answer and if it serves your purpose, please don't forget to accept it. – Plabon Dutta Apr 21 '20 at 21:41
  • If the default session timeout is 20 minutes then this should not be an issue, but it still is. I checked and the timeout is set to the default 20 minutes. I don't think the actual session has anything to do with it. I think it is a Chrome `feature`. – Samuel Thompson Apr 22 '20 at 16:34