Using JavaScript to warn a user about a session timeout

A coworker asked me this today so I thought I'd whip up a quick example. Many bank sites like to use a JavaScript warning to let you know when your session is about to end. Personally these things bug the heck out of me, but in the interest of helping her out (and others), here is a way to do it in ColdFusion and JavaScript. (Explanation follows the code.)

<!--- Session timeout in minutes (converted to milliseconds below) --->
<cfset sessionTimeout = 2>
<html>

<head>
<title>Timeout Example</title>

<script>
<cfoutput>
var #toScript((sessionTimeout-1)*60*1000,"sTimeout")#
</cfoutput>
setTimeout('sessionWarning()', sTimeout);

function sessionWarning() {
   alert('Hey bonehead, your session is going to time out unless you do something!');   
}
</script>

</head>

<body>

</body>
</html>

Let me go down line by line. First off - you can't introspect an application to see what the session timeout value is. (I'm sure you could with ServiceFactory methods, but that's cheating.) So I'm using a variable to stand in for the number of minutes a session will last.

<cfset sessionTimeout = 2>

I would probably have set this in the application scope somewhere, but again, this is just a simple demo. I used 2 to make it a bit quicker to test. Now I need to get that value into JavaScript, but there are two things I need to change. First - I want to give the user a warning so she has time to do something. So, I subtract one from the number of minutes. You can obviously subtract more or less depending on how much of a warning you want to give. Secondly, the JavaScript code I'm going to use, setTimeout, expects time in milliseconds. So I take my number of minutes and multiply it by 60 and then 1000.

<cfoutput>
var #toScript((sessionTimeout-1)*60*1000,"sTimeout")#
</cfoutput>

Why didn't I just multiply by 60000? Because I'm dumb and tend to forget things. The 60*1000 helps me remember. What is the toScript function? It lets you convert a ColdFusion variable into a valid JavaScript variable. For more information, check the toScript documentation. Honestly, it's a bit overkill for what I'm doing, but I thought I'd remind folks of this cool little utility. The next line simply tells JavaScript to call my function after the proper number of milliseconds:

setTimeout('sessionWarning()', sTimeout);

Lastly, my "warning" function is a simple alert. You can obviously use DHTML or any other JavaScript instead of an alert, but the alert is the simplest way to get your message across.

function sessionWarning() {
   alert('Hey bonehead, your session is going to time out unless you do something!');   
}

There ya go. To use this on your site you could simply include it in your layout code. Of course, you want to ensure it isn't loaded if the user isn't logged in.

Comments

Nice post Ray. Along those same lines, I have been fooling around with the idea of allowing users to set up a "heart beat" Javascript method. This would be for admin-type sections, not for the public. The idea is that a user could opt to be kept logged in (via a user pref. page) by having a Javascript method that Pings the app every X seconds.
# Posted By Ben Nadel | 9/20/06 3:55 PM
I think in the old days (app.cfm, not app.cfc), you could cheat and rerun the cfapp tag with a different timeout. ;) I think. Just ignore me, that's a bad idea. :)
# Posted By Raymond Camden | 9/20/06 4:00 PM
Yeah, I don't think you can do that anymore. I was recently experimenting with that idea to see if I could force kill an application / session by re-running the app tag with zeroed-out timespans.

No luck.
# Posted By Ben Nadel | 9/20/06 4:02 PM
Lord forbid CF make that easy for us. Along with getSessions(), etc. (Ok, I won't complain about that again.)
# Posted By Raymond Camden | 9/20/06 4:04 PM
I had this idea for using a CFHTTP page grab sending CFID/TOken in the URL... as in:

<cfhttp url="http://.....kill.cfm?cfid=##&cftoken=##" />

Then that page would define the CFApplication tag with no timespan (or < 1 second or something). I never got it to work though. I think part of the problem was that the calling page (page performing CFHTTP) has the same session (in my testing). I would need to set up a scheduled task that did not have a session to call something like that... but then it wouldn't have access to the original CFID/CFTOKEN...

ok, now I am rambling.
# Posted By Ben Nadel | 9/20/06 4:26 PM
How effective is this when a user opens a new tab and now has two windows open with the app? I'm assuming you will get two different pop-ups at two different times, and the first one will not be an accurate representation of the time left in the app. Is that correct?
# Posted By Sami Hoda | 9/20/06 5:50 PM
Just a word on the Javascript setTimeout function. I love it, but recently I wreaked havoc on one of my apps. I was using setTimeout for a timed page redirect to serve up some PDF files created by CFDOCUMENT. These pages contained cfcontent and cfheader tags. For weeks I could not figure out why images were not appearing on my pages. With further testing I removed the setTimeout function and the images worked perfectly.
# Posted By TJ Downes | 9/20/06 6:38 PM
Sami: Absolutely. Most likely that would be the rare case though.
# Posted By Raymond Camden | 9/20/06 7:53 PM
Could do something crazy. Like use a popup div rather than an alert. Then let the user continue his session if before time out. If timeout passes, have him login before posting the content of a large form. AJAX is a marvelous thing!
# Posted By John Farrar | 9/20/06 8:46 PM
Ray,

GetSessions()... now THAT would be cool... I have SEVERAL uses for that
# Posted By Sid Wing | 9/20/06 9:57 PM
Hi Ray - I do this with a div popup and I do introspect the app for the session timeout: this.sessiontimeout returns the timeout in seconds. Maybe this is only an option with Application.cfc.
# Posted By Rob Pilic | 9/21/06 11:34 AM
@Rob,

I'd love to see that if possible.
# Posted By Sami Hoda | 9/21/06 11:41 AM
rob: the problem though is that you wouldn't have access to that outside of the app.cfc file. You would need to do something like this in onapplicationstart:

application.stimeout = this.sessiontimeout
# Posted By Raymond Camden | 9/21/06 1:01 PM
Ray: are you sure? If I dump the 'this' scope on any page I see everything in app.cfc, including the on-event methods. I have an include file for the javascript session timer stuff that references this.sessiontimeout directly and it seems to work ok, though now I am getting nervous :-)

Sami: I did this a while ago so I am grimacing a bit as I look at it now, but essentially I have a table with my alert message that is hidden off the browser screen (visibility:hidden; left:-100px; top:-100px;). Then I set the timeout value on the page:

timeout = (this.sessiontimeout * 1000) - 1500

I give them an extra minute plus so the CF session doesn't end before they can respond to the alert. When the session timer runs down I change the class of the table so it's visible and give the user 60 seconds to respond. If the 60 second timer runs down without any response from the user, I location.href them to a page that clears their session and displays a message that they have been automatically logged out. I like this because this way they won't fill out a long form and click submit, only to be told that their session has expired. I'd be glad to send you the code, just shoot me an email at robertpilic AT yahoo DOT com if you're interested.
# Posted By Rob Pilic | 9/21/06 1:39 PM
Woops I should've copied and pasted - it's actually

timeout = (this.sessiontimeout * 1000) - 90000
# Posted By Rob Pilic | 9/21/06 1:49 PM
Ah - you have the onRequest method. One of the "side effects" of using onRequest is that it copies the app.cfc stuff to the page. If you don't use onRequest (which most folks don't), then you don't have that.
# Posted By Raymond Camden | 9/21/06 2:48 PM
Ah yes, I see that now in livedocs as well. I think I'll switch to your suggestion of doing something like application.stimeout = this.sessiontimeout in app.cfc. I don't want a "side effect" in production code. Thanks for the tip!
# Posted By Rob Pilic | 9/21/06 3:11 PM
Hey Ray, I have been wanting to do something like this for a long time. I just implemented this at my work, and it works great!

Thanks...
# Posted By Ketan | 9/22/06 12:06 PM
Hi, is there a way to get the value of the session timeout, no matter whether it is set in CF Administrator or application.cfc?
Thanks,
# Posted By dave | 11/9/06 11:16 AM
I don't think so. I'm sure you could via ServiceFactory, but I wouldn't recommend that. I'd just store it as a variable.
# Posted By Raymond Camden | 11/9/06 1:40 PM
Hey, Ray,
Thanks for the response so quickly. I might not state my thought clearly.
Anyway, You said you would like to store it as a variable. How to do this? I am still using CFMX 6.
# Posted By dave | 11/9/06 2:09 PM
If you look at my first code block, you will see I hard coded sessionTimeout. You would just change 2 (the number of minutes) to the real number for your application.
# Posted By Raymond Camden | 11/9/06 2:12 PM
Oh, ok, hard code.
# Posted By dave | 11/9/06 4:26 PM
Dude!
Do an iTunes search for "javascript".
There's actually a song called "Javascript Functions".
# Posted By Phillip Senn | 11/18/06 8:48 PM
Scary.
# Posted By Raymond Camden | 11/19/06 9:51 PM
How can you ensure the alert is on top of any programs you have open? Is that possible? You know we have multiple apps open at once. It would be good to actually see the reminder no matter what program you are in?
# Posted By valerie | 12/28/06 3:09 PM
I think it depends on the OS and your settings. For me, a browser alert will NOT take over focus if I am using another app, and that is nice. (Personally I despise it when an application steals focus. No one app should be able to stop you using another app.) At minimum it should be on top when the browser is being used.
# Posted By Raymond Camden | 12/28/06 10:22 PM
I don't have CF 7.0. Is there anything similar to toScript in previous versions?
# Posted By JC | 3/1/07 5:16 PM
@JC
I don't know why no one thought your question was worth a response, but you can try this:

<cfset sessionTimeout = 60000> <!--- see above --->

<cfoutput>var sTimeout = #sessionTimeout#;</cfoutput>
# Posted By I Rz | 3/23/07 12:54 PM
I'm trying to use a confirm dialogue box to continue the session, but I'm having this problem - while the dialogue box is open, the session timer is stopped. So if the person really did walk away and leave the window open, it never times out and the next person can come along a day later and continue their session.
How can I make the dialogue box itself time out if it gets no response?
----
var revive = window.confirm("Your session is about to time out. Do you want to continue?");
if (revive) {
   var imgAlive = new Image();
   var d = new Date();
   imgAlive.src = 'alive.cfm?d=' + d;
} else {
   location.replace("App_Instructions.cfm");
}
# Posted By Kevin | 5/8/07 2:40 PM
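One way to handle the stalled-timer problem described above, as an added example rather than code from this thread: decide from absolute timestamps and read the clock again after confirm() returns, so an answer given after the deadline leads to logout instead of a keep-alive. `sessionPhase`, `resolvePrompt` and the 20-minute / 1-minute values are assumptions; `alive.cfm` and `App_Instructions.cfm` are the URLs from the comment.

```javascript
// Added example; function names and timing values are hypothetical.

// Classify the session from absolute timestamps rather than counted ticks.
function sessionPhase(lastHitMs, nowMs, timeoutMs, leadMs) {
  const expiresAt = lastHitMs + timeoutMs;
  if (nowMs >= expiresAt) return 'expired';
  if (nowMs >= expiresAt - leadMs) return 'warning';
  return 'active';
}

// ask() may block for hours (window.confirm does), so the clock is read again
// after it returns: a late "OK" must not revive a session past its deadline.
function resolvePrompt(ask, clock, lastHitMs, timeoutMs, leadMs) {
  const before = sessionPhase(lastHitMs, clock(), timeoutMs, leadMs);
  if (before === 'active') return 'wait';
  if (before === 'expired') return 'logout';
  const answer = ask();
  const after = sessionPhase(lastHitMs, clock(), timeoutMs, leadMs);
  return answer && after !== 'expired' ? 'keepalive' : 'logout';
}

// Browser wiring (skipped outside a browser).
if (typeof window !== 'undefined') {
  const TIMEOUT = 20 * 60 * 1000, LEAD = 60 * 1000; // assumed values
  let lastHit = Date.now();
  const tick = () => {
    const action = resolvePrompt(
      () => window.confirm('Your session is about to time out. Do you want to continue?'),
      Date.now, lastHit, TIMEOUT, LEAD);
    if (action === 'logout') { window.location.replace('App_Instructions.cfm'); return; }
    if (action === 'keepalive') {
      new Image().src = 'alive.cfm?d=' + Date.now(); // ping resets the server timer
      lastHit = Date.now();
    }
    window.setTimeout(tick, action === 'wait' ? 1000 : TIMEOUT - LEAD);
  };
  window.setTimeout(tick, TIMEOUT - LEAD);
}
```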
..nevermind, the whole dialogue box thing was clumsy and annoying, anyway. I just made my own timer, and put it at the top of the page with a reset button next to it.

If the user doesn't pay attention to it, it's their own fault.

----
For security, page will time out in
<input type="button" id="timebtn" value="20 minutes 0 seconds." onClick="keepAlive()">
Click button to reset timer and continue entering data.
# Posted By Kevin | 5/8/07 3:50 PM
I have a page wherein I need to logoff user by querying database after some idle time. Thank you for this.
I greatly appreciate it.
# Posted By kapitannwel | 2/19/08 9:46 PM