This article describes two methods that you can use to automatically log a user out of your Web application.
In the first method, you learn about the Refresh HTTP Response Header and how to add it to your HTML page to redirect a user to a logoff page.
In the second method, you use HTML, Active Server Pages (ASP), and Microsoft Visual Basic Scripting Edition (VBScript) to produce a more sophisticated solution by using the VBScript method setInterval
.back to the top Requirements
The following items describe the recommended hardware, software, network infrastructure, skills, knowledge, and service packs that you need.
- Internet Information Services (IIS) 3.0 or later.
- Internet Explorer 4.0 or later.
You also must have knowledge of the following:
back to the top Use the HTTP Response Header to Log a User Off from a Web Application
- A working knowledge of HTML.
- Familiarity with ASP and VBScript.
The first and easiest way to log a user off from a Web application is to use an HTTP response header to redirect the browser after a certain length of time.
back to the top Use the SetInterval Method to Log a User Off from a Web Application
- Open a text editor, such as Notepad, and then type the following HTML content:
The <META> tag redirects the browser to Logoff.htm after ten seconds (unless the user refreshes the page, or loads a different page). The page redirection occurs automatically even if the user is interacting with the page at that time. In practice, a timeout of 20 minutes (1200 seconds) is typically used with this type of redirection.
<HTML><HEAD><META HTTP-EQUIV="REFRESH" CONTENT="10;URL=Logoff.htm"> <TITLE>Redirect Demo</TITLE></HEAD><BODY><H1>You will be logged out after 10 seconds</H1></BODY></HTML>
- Save this file as RedirectDemo.htm.
- Create a new file in Notepad, and then type the following HTML content:
<HTML><HEAD> <TITLE>Redirect Demo - Logoff Page</TITLE></HEAD><BODY><H1>You have been logged out</H1></BODY></HTML>
- Save this file as Logoff.htm in the same folder as RedirectDemo.htm.
- Start Internet Explorer, and then load RedirectDemo.htm. The page displays the message "You will be logged out after 10 seconds."
After ten seconds, the text "You have been logged out" appears. By looking in the Address bar, you can see that you have been redirected to Logoff.htm.
If you require more control over the redirection of the user's browser, you can use the window.setInterval
method in script. This causes a subroutine to be called at every instance of the interval.
Each time the user does something on the page, such as clicking an element, or moving the cursor, you can clear the old interval, and then create a new one. This effectively resets the interval to zero, to delay the interval.
back to the top Verification
- Open a text editor, such as Notepad, and then type the following ASP content:
The OnClick, OnMouseMove, and OnKeyPress events of the <BODY> tag trap any user interaction on the whole page and delay the interval. The user is only logged off from the page if no activity occurs for five seconds.
<%@Language=VBScript%><%' Prevent non-authenticated accessIf Session("UserID") = "" Then Response.Redirect("Logoff.asp") ' Prevent page from being cachedResponse.Expires = -1 %><HTML><HEAD><TITLE>setInterval Demo</TITLE><SCRIPT LANGUAGE=VBScript>Dim timerSub Init() ' Set up the timer. Set it for 5 seconds timer = window.setInterval("Logout", 5000)End SubSub Logout() ' Take whatever action is required at this point MsgBox "Logging out..." window.location = "Logoff.asp"End SubSub Delay() ' Delay the logout clearInterval(timer) InitEnd Sub</SCRIPT></HEAD><BODY OnLoad="Init" OnClick="Delay" OnMouseMove="Delay" OnKeyPress="Delay">This page is a test of automatic logout</BODY></HTML>
- Save this file as SetIntervalDemo.asp in the default Web folder on your computer (which is typically C:\InetPub\wwwroot).
- The Session("UserID") variable must be created when the user is authenticated, and you must use the server-side ASP script at the top of the code sample in step 1 on every secure page to make sure that only authenticated users can view them.
For the purposes of this example, create a new file in Notepad, and then type the following ASP content:
<%@Language=VBScript%><%Session("UserID") = "user"Response.Redirect "SetIntervalDemo.asp"%><HTML><HEAD> <TITLE>setInterval Demo - Establish Session</TITLE></HEAD><BODY></BODY></HTML>
- Save this file as StartSession.asp in the same Web folder as SetIntervalDemo.asp.
- Create a new file in Notepad, and then type the following ASP content for the logoff page:
<%@Language=VBScript%><%' Flushes authentication information for the user and ends the sessionSession.Abandon %><HTML><HEAD> <TITLE>setInterval Demo - Logoff Page</TITLE></HEAD><BODY><H1>You have been logged out</H1></BODY></HTML>
- Save this file as Logoff.asp in the same Web folder as SetIntervalDemo.asp.
In Internet Explorer, type localhost/StartSession.asp
in the Address bar. You are immediately redirected to the SetIntervalDemo.asp page, and the text "This page is a test of automatic logout" appears. The Address bar now displays "localhost/SetIntervalDemo.asp". As long as you move the cursor, click the mouse, or press any keys on your keyboard, nothing occurs. Five seconds after you stop doing anything, the browser redirects to Logoff.asp and the text "You have been logged out" appears. Notice that the Address bar now shows "http://localhost/Logoff.asp".back to the top