Educause Security Discussion mailing list archives
Re: Web page automatic time out
From: Jesse Thompson <jesse.thompson () DOIT WISC EDU>
Date: Thu, 5 Jun 2008 09:17:52 -0500
Patrick P Murphy wrote:
On Thu, 29 May 2008 18:49:10 -0400, Morrow Long <morrow.long () YALE EDU> said:On May 29, 2008, at 4:38 PM, Kubb, Rick wrote:We’re looking for a way to have specific web pages automatically timeout after so many minutes of inactivity. For example, if an individual is viewing a web page with confidential information on it in a public place, say a walk-up computer at a conference, then walks away without closing the browser, what methods are available to have pages automatically close??? Any thoughts on this would be greatly appreciated.Here is one way -- note that it can be overcome if someone is really determined...Exactly. And when you're dealing with confidential information, it is likely impossible to guarantee a technological solution that will make a page "automatically close". The meta tags described in the previous post are probably the best way of doing this. Most of the common browsers will honour those, and I don't know offhand of an easy way to defeat them, especially the refresh one (though I'm sure a Firefox add-on could be written to do just that). Cookies, of course, can be ignored (and often are) by the web client, depending on the disposition of the user. You might also want to think "outside the box", for example does your University have a policy that enforces/mandates a locking screen saver after so many minutes of inactivity.
Another suggestion is to use javascript. Of course, you should timeout the session, etc, but that won't do anything until the page is refreshed or links are clicked. Javascript is another way you can get the browser to take an action without direct user involvement. This is what my bank does. You should be aware that javascript-blocking (such as the noscript FF extension) is becoming more prevalent as browser exploits that leverage javascript becomes more common. If you're relying on javascript as part of your security functionality, then you should make sure that the page does not display unless the browser supports javascript and it is enabled. This will force users to exempt the page from their javascript blocker before they can view the content. Jesse -- Jesse Thompson Email/IM: jesse.thompson () doit wisc edu
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
Current thread:
- Web page automatic time out Kubb, Rick (May 29)
- <Possible follow-ups>
- Re: Web page automatic time out Sarah Stevens (May 29)
- Re: Web page automatic time out Morrow Long (May 29)
- Re: Web page automatic time out Patrick P Murphy (May 30)
- Re: Web page automatic time out Cal Frye (May 30)
- Re: Web page automatic time out Jesse Thompson (Jun 05)