Educause Security Discussion mailing list archives

Re: Web page automatic time out


From: Jesse Thompson <jesse.thompson () DOIT WISC EDU>
Date: Thu, 5 Jun 2008 09:17:52 -0500



Patrick P Murphy wrote:
On Thu, 29 May 2008 18:49:10 -0400, Morrow Long <morrow.long () YALE EDU> said:

On May 29, 2008, at 4:38 PM, Kubb, Rick wrote:

We’re looking for a way to have specific web pages automatically
time out after so many minutes of inactivity.  For example, if an
individual is viewing a web page with confidential information on it
in a public place, say a walk-up computer at a conference, then walks
away without closing the browser, what methods are available to have
pages automatically close???  Any thoughts on this would be greatly
appreciated.

Here is one way -- note that it can be overcome if someone is really  
determined...

Exactly.  And when you're dealing with confidential information, it is
likely impossible to guarantee a technological solution that will make a
page "automatically close".

The meta tags described in the previous post are probably the best way
of doing this.  Most of the common browsers will honour those, and I
don't know offhand of an easy way to defeat them, especially the refresh
one (though I'm sure a Firefox add-on could be written to do just that).

Cookies, of course, can be ignored (and often are) by the web client,
depending on the disposition of the user.

You might also want to think "outside the box", for example does your
University have a policy that enforces/mandates a locking screen saver
after so many minutes of inactivity?

Another suggestion is to use JavaScript.

Of course, you should time out the session, etc, but that won't do
anything until the page is refreshed or links are clicked.  JavaScript
is another way you can get the browser to take an action without direct
user involvement.  This is what my bank does.

You should be aware that JavaScript-blocking (such as the NoScript FF
extension) is becoming more prevalent as browser exploits that leverage
JavaScript become more common.  If you're relying on JavaScript as part
of your security functionality, then you should make sure that the page
does not display unless the browser supports JavaScript and it is
enabled.  This will force users to exempt the page from their JavaScript
blocker before they can view the content.

Jesse

-- 
  Jesse Thompson
  Email/IM: jesse.thompson () doit wisc edu
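
The JavaScript approach described in the message above, as an added example that is not part of the original thread: the confidential block stays hidden unless scripts run, and an idle timer clears it and sends the browser to a logout URL. The element id `sensitive`, the `/logout` path and the five-minute limit are assumptions made for illustration.

```javascript
// Added example (not from the thread). Idle logic is kept separate from the
// browser wiring so it can be exercised with a fake clock.
function createIdleTimer(timeoutMs, onTimeout, clock = Date.now) {
  let lastActivity = clock();
  let fired = false;
  return {
    // Call on every user input event; ignored once the timeout has fired.
    touch() { if (!fired) lastActivity = clock(); },
    // Call periodically. Compares wall-clock time, so a throttled background
    // tab or a machine waking from sleep still times out on the next check.
    check() {
      if (!fired && clock() - lastActivity >= timeoutMs) {
        fired = true;
        onTimeout();
      }
      return fired;
    },
  };
}

// Browser wiring; skipped when no DOM is present (for example under Node).
if (typeof document !== 'undefined') {
  // Assumption: the server sends <div id="sensitive" hidden>...</div>, so a
  // browser with scripts blocked never displays the block.
  const box = document.getElementById('sensitive');
  const timer = createIdleTimer(5 * 60 * 1000, () => {
    box.replaceChildren();               // drop the confidential content from the DOM
    window.location.replace('/logout');  // assumed URL; the server ends the session there
  });
  box.hidden = false;                    // reached only when JavaScript is enabled
  for (const ev of ['mousemove', 'keydown', 'click', 'scroll', 'touchstart']) {
    document.addEventListener(ev, timer.touch, { passive: true });
  }
  setInterval(timer.check, 1000);
}
```

The `hidden` attribute only controls display: the markup is still delivered to the browser, so the server-side session timeout mentioned in the message remains the control that actually ends access.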
