Monday, February 27, 2012

SkillBuilders Session Timeout Plugin

It's about time!

I have had this plugin sitting around half-finished for far too long, and with the help of Dan McGhan it is now ready to be released into the wild.

Why Create a Session Timeout Plugin?

Some of you may be asking "Why would someone create a plugin when there is already built in functionality for detecting idle sessions?" Well, the problem arises when the user becomes idle and is unaware that their session is no longer valid. There is a common use case where the user's session becomes idle, but the user is not informed. When the user attempts to interact with the page, AJAX interactions do not work correctly, and when the user finally submits the page they are redirected to login page. That scenario is OK, but I think we can all agree it would be nice to make the user aware of the current status of their session. Before plugins existed, Martin D'Souza created a nice solution to this problem, but it requires some setup. Now that plugins exist the setup can be bundled into one easy to install package.

What does Session Timeout do?

SkillBuilders Session Timeout is a dynamic action plugin that attempts to bridge the gap between server and client when it comes to handling idle sessions. To define session idle length and where to send idle sessions, the plugin uses the properties defined in the security section of the application (If these attributes are not specified the plugin defaults to 30 minute idle time and the redirect URL is the home page).


When an idle session is encountered the plugin can perform one of these Timeout Actions:
  • Alert (default) - An alert message is displayed to lock the screen and inform the user.
  • Redirect - The user is redirected using the On session idle time timeout direct to this URL found in the security section of the application properties. If no value is specified then the user will be redirected to the home page for the application.
  • Logout - Redirects the user to the Logout URL defined in the applications authentication scheme.  If no Logout URL is defined then the following value will be used: apex_authentication.logout?p_app_id=&APP_ID.&p_session_id=&SESSION.
Other options:
  • Keep Session Alive - While the user remains active the server session will be refreshed with an AJAX call.
  • Session Idle Warning - This is a message that will be displayed before the session becomes idle.
  • Mask Browser Screen on Timeout -  This is an extension for the alert action and will create an overlay which hides the contents of the current page when the alert is created.
Installation Instructions

For installation instructions take a look at the Plugin Documentation.
To download the plugin visit the SkillBuilders plugin page.
Visit the demo application to see the plugin in action.



10 comments:

  1. Hi Tyson,
    Many thanks for excellent work on this. I have one quick question, i need to provide session extend option with timer counter displayed, how can i achieve the same with this plugin.
    Thanks & regards
    Aadi

    ReplyDelete
    Replies
    1. Aadi,

      We chose not to include a timer for security reasons. One available solution with this release is to check the "Keep Session Alive" and "Session Idle Warning" options. If the user acknowledges the warning message then the session will be extended. In addition, as long as the user is active their session will be extended every minute.

      We were also debating providing a warning and a timeout event so you could have complete control over what happens and the plugin would just provide the timing. That is not in the current release, but is that something you would use?

      Regards,
      Tyson

      Delete
  2. Thanks for quick response. So, I will need to work with the js files by checking these options to achieve the same. Technically, my app is SSO (app server) enabled therefore, timeout should only be directing back to home/launch page. The most important thing will be, the OK btn response to warning msg should reset the Keep Session Alive option. I will have to review the plugin first.
    Thanks,
    Aadi

    ReplyDelete
    Replies
    1. Aadi,

      The OK button will indeed refresh the session if Keep Session Alive is checked. If you go into your application settings and set the Idle Session URL to be your home/launch page then the Redirect Timeout Action will take the user to that location. If there is no value there then the plugin will redirect to the current applications home page.

      Good Luck,
      Tyson

      Delete
  3. Thanks Tyson, I will try this out tonight.
    ~Aadi

    ReplyDelete
  4. Hi Tyson,

    i installed your plugin on Apex 4.0.2 on Oracle-XE 10g (Linux 32bit). After creating a Page 0 with a dynamic action, i started the Application, but befor the login screen arises, i got the errror message:

    ORA-01008: not all variables bound


    Error in PLSQL code raised during plug-in processing.

    What can i do?

    Wolfgang

    ReplyDelete
    Replies
    1. We released a patch that should fix that. In the PL/SQL block change :APP_ID to APEX_APPLICATION.g_flow_id. I am not sure why it is not bound before that block gets executed, but it appears to cause an issue with some configurations.

      Delete
    2. Hi Tyson,

      thanks for that hint, where can i get this patch and are there additionaly fixes in that patch?

      regards,
      Wolfgang

      Delete
    3. That is the only change made to the plugin. Let me know if there are any other features you wish were included.

      The best way to get the changes is to download the latest version from http://skillbuilders.com/plugins, but you could just change the bind to get the same result.

      Delete
  5. This comment has been removed by the author.

    ReplyDelete