Hi,

I'm building a B2C mobile application, and the UX team approved that the authentication will be persistent, with something like 365 days for cookie expiration. But on the other hand, we have to force the user to submit his device fingerprint at every "CLIENT" session timeout, which will be something like 15 mins of idle time.

So we have a client session timeout (15 mins) and a server session timeout (365 days),

and the question here is that I need to catch the "Client" session if it has timed out, so I can force the user to enter his fingerprint so he can complete the application scenarios.

How can I achieve that?

Hi Sherif,

Here's a possible high level solution for your scenario:

  1. Save a timestamp with the last client authentication provided to a local storage entity.
  2. Check that timestamp on application resume.
  3. If 15 minutes have passed, prompt for authentication.
  4. If 15 minutes haven't passed, use a JavaScript setTimeout to schedule the next prompt.

Hope this helps.

João Pedro Abreu wrote:

Hi Sherif,

Here's a possible high level solution for your scenario:

  1. Save a timestamp with the last client authentication provided to a local storage entity.
  2. Check that timestamp on application resume.
  3. If 15 minutes have passed, prompt for authentication.
  4. If 15 minutes haven't passed, use a JavaScript setTimeout to schedule the next prompt.

Hope this helps.

Thanks for your reply João,

But excuse my understanding: for the 2nd step, I'll check on application resume and on application ready also.

But in the 4th step, I should reset the timeout so that it is started if the application is idle or is closed, so that the timer starts working if the user left the application or closed it.

How can I check for the application being idle or closed, to reset the timestamp value in the local storage?


As I see it, when the user leaves or closes the application you don't need to do anything. You can check whether the 15 minutes have passed when the user comes back. If they have passed, prompt for authentication; if they haven't, clear the existing timeout (save it to a global variable on creation) and start a new timeout with the 15 minutes minus whatever time has passed since the last timestamp.

João Pedro Abreu wrote:

As I see it, when the user leaves or closes the application you don't need to do anything. You can check whether the 15 minutes have passed when the user comes back. If they have passed, prompt for authentication; if they haven't, clear the existing timeout (save it to a global variable on creation) and start a new timeout with the 15 minutes minus whatever time has passed since the last timestamp.

I should reset the 15-min counter while the user is interacting with the application.

The main idea is to check for non-interaction time with the application, whether he closed it or it has been in an idle state for 15 mins (client-side session timeout), so I can prompt the user to enter the fingerprint.

This timer should be restarted at every interaction with the application.

I hope you got my idea, and thanks for your efforts.
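The scheme João describes (timestamp in local storage, check on resume, reschedule with the remaining time) combined with the per-interaction reset Sherif asks for, as an added example that is not from either poster. The storage object, clock and timer functions are injected so the same guard runs in a browser/hybrid app or in Node for testing; the storage key name, the class name and the onPrompt callback are assumptions. Note that this is a client-side control only; the server keeps enforcing its own session policy regardless of what the client stores.

```javascript
// Added example: client-side idle guard for the 15-minute fingerprint prompt.
// Storage (e.g. window.localStorage), clock and timer functions are injected
// so the guard can be exercised outside a mobile runtime.
const IDLE_MS = 15 * 60 * 1000;
const KEY = 'lastClientAuth'; // assumed local-storage key name

class IdleSessionGuard {
  constructor({ storage, now = Date.now, setTimer = setTimeout,
                clearTimer = clearTimeout, onPrompt, idleMs = IDLE_MS }) {
    Object.assign(this, { storage, now, setTimer, clearTimer, onPrompt, idleMs });
    this.timer = null; // "global" handle so it can be cleared before rescheduling
  }

  // Milliseconds since the last stored timestamp; Infinity when nothing valid
  // is stored, so a fresh install or cleared storage is treated as expired.
  elapsed() {
    const raw = this.storage.getItem(KEY);
    const last = Number(raw);
    if (!raw || !Number.isFinite(last)) return Infinity;
    return this.now() - last;
  }

  // Step 1: persist the timestamp. Call after a successful fingerprint prompt
  // and on every user interaction; each call restarts the 15-minute window.
  recordActivity() {
    this.storage.setItem(KEY, String(this.now()));
    this.schedule(this.idleMs);
  }

  // Steps 2-3: run on application ready and on resume. Returns true when the
  // fingerprint prompt is required; otherwise reschedules the remainder.
  checkOnResume() {
    const left = this.idleMs - this.elapsed();
    if (left <= 0) { this.prompt(); return true; }
    this.schedule(left); // step 4: 15 minutes minus the time already passed
    return false;
  }

  // Clear any pending timer before arming a new one so only one is ever live.
  schedule(ms) {
    if (this.timer !== null) this.clearTimer(this.timer);
    this.timer = this.setTimer(() => this.prompt(), ms);
  }

  prompt() {
    this.timer = null;
    this.onPrompt(); // caller shows the fingerprint prompt, then calls recordActivity()
  }
}
```

Wire recordActivity() to the app's touch/click/keypress handlers and checkOnResume() to the ready and resume lifecycle events; prompting on a timer that fires in the background is harmless because the resume check repeats the decision from the stored timestamp.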