Session Resilience & Timeout Behavior (VZOHub)

Understand how session expiration, extension, drift detection, and lockout protection work in VZOHub. This feature protects against silent timeouts and provides a foundation for session intelligence in VZOS — while also supporting legacy systems like VZOrientationCommon.

1. What Is Session Resilience?

Session resilience ensures that user sessions do not silently expire. It combines a visible countdown, real-time drift detection, and secure session extension options to create a seamless, secure experience.

Benefits:

  • Prevents data loss on long forms

  • Reduces user confusion from unexpected logouts

  • Establishes groundwork for identity-aware behavior in VZOS


2. Where It Runs

  • Injected globally in VZOHub via SessionTimeout.ascx

  • Optional top-right countdown timer next to profile icon

  • Functional on all authenticated pages

  • Powered by:

    • SessionPing.asmx (heartbeat)

    • SessionKill.asmx (manual expire)

    • Session.aspx (QA diagnostic interface)


3. How It Works

  • Default Timeout: 20 minutes (can be adjusted in web.config)

  • Warning Modal: Appears at 2 minutes remaining

  • Extend Session: Clicking "Yes" triggers a server-side refresh via Ping()

  • Decline Session: Clicking "No" ends the session via Kill()

  • Timeout Behavior: If user takes no action, system triggers a lockout


4. QA Testing Tool

  • Page: /Hub/Tools/Diagnostics/Session.aspx

  • Shows countdown timer

  • Logs events (ping, modal display, decisions)

  • Includes buttons to manually simulate timeout

  • Used to confirm behavior for all 9 session scenarios


5. Drift Detection Logic

  • System checks Session["LastActivity"] every 30 seconds

  • If the difference between local time and server activity exceeds 5 seconds, the timer adjusts

  • Keeps multiple open tabs in sync


6. Failsafe Behavior

  • If the session has already expired before the modal appears, a lockout screen is shown immediately

  • Prevents confusing UX and guarantees consistency
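
The drift check and failsafe from sections 5 and 6, as an added example that is not VZOHub's own code. It assumes the heartbeat returns the server's last-activity time and current time in milliseconds (`reconcile`, `serverLastActivityMs` and `serverNowMs` are hypothetical names), and it reads the 5-second rule as drift between the local countdown and the remaining time derived from the server.

```javascript
// Added example, not VZOHub source. Values taken from the page:
// 20 min timeout, warning at 2 min remaining, 5 s drift threshold.
const TIMEOUT_MS = 20 * 60 * 1000;
const WARNING_MS = 2 * 60 * 1000;
const DRIFT_MS = 5 * 1000;
// A page would call reconcile() on this interval after each heartbeat.
const CHECK_INTERVAL_MS = 30 * 1000;

// serverLastActivityMs / serverNowMs are assumed heartbeat fields, both read
// from the server clock so that client clock skew cannot stretch a session.
function reconcile(localRemainingMs, serverLastActivityMs, serverNowMs) {
  const serverRemainingMs = TIMEOUT_MS - (serverNowMs - serverLastActivityMs);
  const driftMs = Math.abs(serverRemainingMs - localRemainingMs);

  // Read-only correction: the countdown adopts the server value when drift
  // exceeds the threshold. Nothing here extends the session.
  const adjusted = driftMs > DRIFT_MS;
  const remainingMs = adjusted ? serverRemainingMs : localRemainingMs;

  let state = "active";
  if (serverRemainingMs <= 0 || remainingMs <= 0) {
    state = "locked"; // failsafe: already expired, skip the modal entirely
  } else if (remainingMs <= WARNING_MS) {
    state = "warn"; // show the extend/decline modal
  }
  return { remainingMs: Math.max(0, remainingMs), driftMs, adjusted, state };
}

// Constructed scenarios (server clock value is arbitrary sample data).
function demo() {
  const now = 1700000000000;
  return {
    // Tab B is in its warning window, but Tab A just extended the session.
    otherTabExtended: reconcile(100000, now, now),
    // 3 s of drift is under the threshold, so the local timer is kept.
    smallDrift: reconcile(600000, now - 603000, now),
    // Local timer thinks 5 min remain; the server session ended 1 min ago.
    expiredOnServer: reconcile(300000, now - 1260000, now),
  };
}
```

The returned state only drives what the page displays; whether the session is actually alive is still decided by the server-side checks described in section 7.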


7. Security Considerations

  • All session logic is backed by server-side checks using HttpContext

  • Drift logic is read-only unless user confirms extension

  • Future roadmap includes:

    • Device/IP trust tracking

    • Admin session dashboards

    • Role-based session lifespans


8. Compatible with VZOrientationCommon

Yes — this design is fully backward compatible.

  • SessionTimeout.ascx can be used in VZOrientationCommon

  • Web services (SessionPing, SessionKill) use ASP.NET 4.8-compatible architecture

  • Helps unify session behavior across platforms


9. Customer Service Guidance

When users ask: “Why did I get signed out?”

  • If before modal: user was inactive too long

  • If clicked "No": session ended by user

  • If ignored modal: timer hit 0:00 and expired

  • Advise them to sign back in from the /SignOut.aspx redirect


10. Future Direction

This feature is the groundwork for a more advanced Session Awareness Agent:

  • Behavioral identity & role-based timers

  • Centralized admin monitoring

  • Session fingerprinting for SSO use cases

  • Compatibility with AI-driven context locking (VZOS Roadmap)