6

Some banking and financial sites auto log out when they think you are idle. Is there a way for me to inject a script into the page that can fake that I am not idle?

I tried this:

setInterval(() => document.body.click(), 1000 * 60 * 5) // Click every 5 minutes

but it did not work and I still got logged out.

Again, this is not intended for any malicious purpose - I monitor my stock positions on Fidelity by keeping my stock positions screen open in one monitor while I do my work on the other monitor but Fidelity keeps showing an idle warning and logs me out every 30 minutes.

Note, in this particular case, the site is listening to click, touchstart, keydown and scroll events as well as document.visibilityState.

Some notes:

  1. I cannot simply refresh the page every x minutes because the page has some UI state (e.g. sort order of my positions in a table) that would get lost

  2. I tried a dumb pyautogui script that moves my mouse and clicks on the page and that works! So why can't I do this in Chrome?

21
  • What is click? That's not a built-in browser method, and you only have it defined later down in a different closure. Have you tried inspecting your browser extension and checking the console for errors?
    – sheng
    Commented Feb 14 at 19:31
  • @sheng: Updated to document.body.click()
    – pathikrit
    Commented Feb 14 at 19:55
  • @cssyphus: Sure, but what script to write so that it does not trigger inactive detection
    – pathikrit
    Commented Feb 14 at 19:56
  • Did you reverse engineer how their inactive detection works? Don't think they're listening to click events on the body, you'll need to find that out before you could write some js to counter it.
    – 0stone0
    Commented Feb 14 at 20:07
  • @0stone0: I don't want to build one for each and try to handle individually what each site does. I was wondering about something generic (e.g. somehow trigger focus and then trigger back) that would work no matter what detection mechanism any site is using
    – pathikrit
    Commented Feb 14 at 21:00

2 Answers

0

As a full-stack programmer, you should know that a web application which does not implement timeouts serverside is going to be very insecure. I.e. to prevent timeouts you need to generate requests which are not cacheable and which hit the application logic (not static content). There is no generic solution to this - you need to study the application to find a URL you can hit which will update the session activity without generating any financial transaction.

3
  • The site does not log me out if I do something (e.g. simply scroll around) on the page. So even if the site is doing serverside stuff, I could theoretically mimic interaction on the site and prevent timeout. A really dumb Python program using pyautogui which clicks on the window works! That's why I posted the original question asking if there was a way to do this using a Chrome extension.
    – pathikrit
    Commented Feb 16 at 14:55
  • Then either the site is not very secure or it's making requests serverside which you should be able to see in developer tools (or it's doing really dumb stuff with web sockets)
    – symcbean
    Commented Feb 16 at 15:31
  • 1
    The site is quite secure - it's fidelity.com - it's watching for mouse, scroll events and makes periodic requests to digital.fidelity.com/prgw/digital/login/session-timeout/… My question is if I simply manually click on the site every 15 minutes it does not log me out or even if I click with a robot clicker. So why can't I do this with a Chrome extension?
    – pathikrit
    Commented Feb 16 at 16:56
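
The server-side idle timeout this answer refers to, as an added example that is not part of the original answer or of any site's code: only requests that reach application logic refresh the session, while static content does not. The class name, paths and static prefixes are assumptions; the 30-minute limit is the figure from the question.

```javascript
// Added example: server-side sliding idle timeout. All names are hypothetical.
const IDLE_LIMIT_MS = 30 * 60 * 1000; // 30 minutes, the interval from the question

// Assumption: paths under these prefixes are static, cacheable content.
const STATIC_PREFIXES = ['/static/', '/img/', '/favicon.ico'];

class SessionStore {
  constructor(now = () => Date.now()) {
    this.now = now;            // injectable clock so expiry can be tested
    this.sessions = new Map(); // sessionId -> { user, lastActivity }
  }

  create(sessionId, user) {
    this.sessions.set(sessionId, { user, lastActivity: this.now() });
  }

  // Called for every incoming request; returns the outcome for that request.
  handle(sessionId, path) {
    const s = this.sessions.get(sessionId);
    if (!s) return 'no-session';
    if (this.now() - s.lastActivity >= IDLE_LIMIT_MS) {
      this.sessions.delete(sessionId); // expired on the server, whatever the page shows
      return 'expired';
    }
    // Static content is served but does not count as activity.
    if (STATIC_PREFIXES.some((p) => path.startsWith(p))) return 'ok-static';
    s.lastActivity = this.now(); // application request: slide the idle window
    return 'ok';
  }
}

// Constructed timeline (minutes since login) driven by a fake clock.
function demo() {
  let t = 0;
  const min = (m) => m * 60 * 1000;
  const store = new SessionStore(() => t);
  store.create('sid-1', 'alice');
  const out = [];
  t = min(20); out.push(store.handle('sid-1', '/static/app.js')); // no refresh
  t = min(29); out.push(store.handle('sid-1', '/positions'));     // refresh at 29
  t = min(58); out.push(store.handle('sid-1', '/static/app.js')); // 29 min idle
  t = min(60); out.push(store.handle('sid-1', '/positions'));     // 31 min idle
  out.push(store.handle('sid-1', '/positions'));                  // session gone
  return out;
}

console.log(demo());
```
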
0

I would inject an iFrame into the page and then keep refreshing the iFrame.

Something like this in jQuery:

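// Hidden iframe used only to re-request a page on the site
$('body').append('<iframe id="pulse" style="width:0;height:0;border:none"></iframe>');

// Reload it every 5 minutes with a cache-busting value; the URL is left incomplete as in the original answer
setInterval(() => { $('#pulse').attr('src', 'http://' + '&blah=' + Math.random()); }, 1000 * 60 * 5);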
