Monday, August 25, 2014

Fail to handle the session properly, and make your site useless

I was recently on vacation abroad. Just before taking the flight back home, I embarked on the mundane task of doing the online check-in for my return flight. The process started nicely, on what looked like a modern and well designed site; it was obvious that a lot of care went into creating that site.

Then, I arrived at the page where you need to enter information about yourself and family members traveling with you: passport number, expiration date, address of residence, information about the green card when it applies, and so on. In my case, with 4 family members, that was a pretty long page. I had all the passports handy, but it still took me maybe 10 minutes to enter that information. Apparently, I wasn't fast enough: upon pressing the Next button, I got that dreadful your session has expired message.

I ended up preparing all the information required for the form in a text file, so I could just copy-paste it very quickly, and fill out the form before the session could expire. Check-in done. But I seriously doubt that many people manage to get through this process. See such a nicely designed site completely fail because of a session issue is a shame.

The thing is that doing it right isn't as easy as it seems. You have to deals with competing requirements:

  1. Having a session last for a longer time is worse for security and uses more resources on your servers.
  2. But of course, the session should last long so the site is actually usable, and users don't get a session expired while filling out a form.

Say you setup your server to have the session last only 10 minutes, favoring security and lower resource usage on your server. The issue is that the "counter" typically gets reset every time users submit a form, e.g. click on the next button in a wizard. This means that if you have a long form, you're saying your users must fill it out in less than 10 minutes, which might not be possible. But of course, you can do better:

  1. Why not "reset the counter" every time users fill out a field? This way, whatever the length of the form is, the session will only expire after 10 minutes of true inactivity.
  2. If you want to be more aggressive about keeping the session alive, why not prevent it from expiring as long as users have a tab open pointing to your site?

Orbeon Forms does both. Out-of-the-box1. And we think every site should do the same. (Especially if those I use to check-in before an international flight with 4 family members.)

1 In Orbeon Forms, the feature that keeps the session alive as long as users have a tab open is called session heartbeat. Since doing this does put more strain on your servers, you have the option of disabling session heartbeat.

No comments:

Post a Comment