Wide area networks, such as the Internet, enable widespread publication and dissemination of information. Users who wish to log in to a protected resource over such a wide area network typically authenticate themselves to that protected resource before being allowed access to it. For example, the user may be asked to provide credentials, such as a username-password combination that is recognized as valid on the protected resource. By analyzing the username-password combination provided by the user, the protected resource can determine whether to grant or deny the user's request for access.
If the credentials provided by the user are valid and map to an actual identity, then the credentials are said to be authenticated. If the identity is allowed to access the protected resource, then the identity is said to be authorized to access the protected resource. If the user's credentials map to an identity that is allowed to access the resource, then a session is established for the user. The user may then access the protected resource using that session. Afterwards, the user is typically expected to explicitly log out of the session, or otherwise act affirmatively to terminate the session. However, users may often forget to log out or otherwise terminate the session, and instead may simply abandon the session, leaving it running, for example, unattended at a workstation. The session might thus become vulnerable to access by unauthorized persons, and the protected resource may be compromised by such unauthorized access.
To address the foregoing, protected resources may enact authentication policies. Such policies can specify a time limit on how long a user session can persist without some level of user activity occurring within that session. Such user activity can take the form of requests received in the context of that session. These time limits may help detect when a session has been abandoned, and can enable termination of such abandoned sessions to prevent compromise of the protected resource.
Such time limit policies may assume that all requests associated with the session are user-initiated requests that should restart the session timer. Increasingly, this assumption no longer holds. In a client-server environment, for example, client applications may automatically generate requests on behalf of sessions, whether or not the user is actively utilizing the session. These automatically generated requests may continue to occur even if the user abandons the session. Thus, these automatically generated requests may unwittingly defeat the above time limit policies, and may improperly extend the user's session.
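A minimal model of the two policies, added here as an illustration and not part of the original text: the naive policy restarts the idle timer on every request, while the corrected policy restarts it only on user-initiated requests. The `X-Requested-By` marker, the timeout value and the request trace are constructed assumptions.

```python
from dataclasses import dataclass

IDLE_TIMEOUT = 300.0  # seconds of inactivity allowed (constructed value)

@dataclass
class Session:
    user: str
    last_activity: float  # time of the last request that restarted the timer
    terminated: bool = False

def is_user_initiated(request: dict) -> bool:
    """Assumption: the client labels its automatic refresh traffic with a
    header; the real signal depends on the application (path, header, token)."""
    return request.get("headers", {}).get("X-Requested-By") != "auto-refresh"

def process_request(session: Session, request: dict, reset_on_any: bool) -> str:
    """Apply the idle-timeout policy to one request.
    reset_on_any=True  : naive policy, every request restarts the timer.
    reset_on_any=False : corrected policy, only user-initiated requests do."""
    now = request["time"]
    if session.terminated:
        return "denied"
    if now - session.last_activity > IDLE_TIMEOUT:
        session.terminated = True  # abandoned session detected and ended
        return "expired"
    if reset_on_any or is_user_initiated(request):
        session.last_activity = now
    return "ok"

def run(requests: list, reset_on_any: bool) -> list:
    session = Session("alice", last_activity=requests[0]["time"])
    return [process_request(session, r, reset_on_any) for r in requests]

AUTO = {"X-Requested-By": "auto-refresh"}
# Constructed trace: the user acts at t=0, walks away, the client keeps
# polling every 100 s, and the user returns at t=700.
REQUESTS = ([{"time": 0, "headers": {}}]
            + [{"time": t, "headers": AUTO} for t in range(100, 700, 100)]
            + [{"time": 700, "headers": {}}])

if __name__ == "__main__":
    print("naive:    ", run(REQUESTS, reset_on_any=True))
    print("corrected:", run(REQUESTS, reset_on_any=False))
```

Under the naive policy the polling keeps the abandoned session alive indefinitely; under the corrected policy it expires at the first request after 300 s of no user activity.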