Many web sites implement security by way of encrypted authentication tokens placed on the client as browser cookies. Many of the sites have a session time, after which the authentication tokens become invalid and require that the user re-submit a password to restore the session. This can be very disruptive to the user. For example, a user composing an email message will not be aware that the authentication token has expired. When the user subsequently attempts to submit the email message, the user will be prompted with a “Re-enter your password” page. Not only will the disruption preclude the email message from being sent, but the user will also have to re-create the email message.
To decrease the potential for such a disruption, some web sites have implemented “rolling time windows.” This means, if a user's session time is two hours, and there is no session activity for the two hours, then before the next request is processed, the user will be prompted to re-authenticate by providing a password again. However, this approach poses a security problem. It is possible for someone to steal a user's cookies containing the encrypted authentication tokens, and thus, the user's identity. The thief can then infinitely maintain the user's identity by simply executing a script to automatically refresh a page or perform some other session activity at regular intervals that are less than the session time-out period.