Google SEO News and Discussion Forum

    
Which HTTP response code if Session Expired ?
aakk9999

WebmasterWorld Administrator 5+ Year Member



 
Msg#: 4548084 posted 11:02 pm on Feb 22, 2013 (gmt 0)

I am working with an eCom site where after a certain time the (cookie based) session expires. Hence, if the user is on the site, walks away for 20 minutes, and then returns to browse, the user gets the message "session expired".

This is needed since after 20 minutes the cart user has been creating "expired", so that the user is aware they need to start to create cart again.

At the moment when this happens, the server responds with 302, sending the user to the page with the "Session expired...(etc.)" message. The URL of such a page has an additional parameter ?requestedURL=aaaa where aaaa is the URL the user attempted to go to when the session expired message is returned.

Having noticed that Google has picked up some of these URLs (perhaps via toolbar or similar), we have stopped this script being accessible to Google via robots.txt and as a backup added noindex in the head section.

Is there a better way to handle this situation?

 

Andy Langton

WebmasterWorld Senior Member, WebmasterWorld Top Contributor of All Time, 10+ Year Member



 
Msg#: 4548084 posted 11:44 pm on Feb 22, 2013 (gmt 0)

I'd say a 307 (temporary redirect) is the "appropriate" response if you absolutely must redirect.

That said, if the message is merely informational and the user can still access the content, why do you need to change the URL at all?

Edit: there is also 408 (Request Timeout) which might work if you do not redirect.

TheOptimizationIdiot



 
Msg#: 4548084 posted 11:59 pm on Feb 22, 2013 (gmt 0)

What about a 303 See Other?

[w3.org...]

aakk9999

WebmasterWorld Administrator 5+ Year Member



 
Msg#: 4548084 posted 2:06 am on Feb 23, 2013 (gmt 0)

303 is no good as the redirect goes to a special page that tells the user that their session has expired.

@Andy Langton: I have to redirect (see below why).

The question is - should I redirect with 302 (which it is doing currently), then respond with 200 when displaying "Your session has expired" (that page also has an explanation why the session has expired + a nice menu for the user to choose where to go next), or should I redirect with 307, but the second page still returns 200 (as opposed to perhaps 503)?

Why I need to redirect:
The site is on IIS so it is a bit more complicated. Apparently, doing a redirect to that particular page allows IIS to create a new session for the user once the user goes from the "Your session has expired" page to any other page. Popping up the message would not do that. It is all to do with how sessions are handled and how the memory caching is done (apparently almost the whole site is cached in server memory...).

g1smd

WebmasterWorld Senior Member, WebmasterWorld Top Contributor of All Time, 10+ Year Member



 
Msg#: 4548084 posted 2:27 am on Feb 23, 2013 (gmt 0)

Just when I thought there was nothing left on the internet for Microsoft to break, along comes another example.

The error message should be returned at the currently requested URL. Their next click should start a new session.

aakk9999

WebmasterWorld Administrator 5+ Year Member



 
Msg#: 4548084 posted 11:24 am on Feb 23, 2013 (gmt 0)

Thanks g1, I could ask that this is done this way, but what response code should be returned with a page that retains the same URL but shows session expired? 200 or perhaps 503?

TheOptimizationIdiot



 
Msg#: 4548084 posted 7:54 pm on Feb 23, 2013 (gmt 0)

I guess I got to the part about a 303 not being a substitute for the originally requested URI and thought it's exactly what you wanted to say, but I guess I must have misunderstood or somethin, which is not at all unusual for me lol.

> The new URI is not a substitute reference for the originally requested resource.

I think both 302s and 307s say the new location is a different location for the content on the original URI and that didn't seem to be like the right answer to me, but who knows, it's all about Greek anyway. Probably best to do what g1smd says and not redirect.

neildt



 
Msg#: 4548084 posted 8:35 pm on Feb 23, 2013 (gmt 0)

Why are you coding an actual response code? I'd direct the user to a normal session timed out page?

aakk9999

WebmasterWorld Administrator 5+ Year Member



 
Msg#: 4548084 posted 1:09 am on Feb 24, 2013 (gmt 0)

> Why are you coding an actual response code? I'd direct the user to a normal session timed out page

This will return 200 if not done via redirect, but instead is done by IIS internal "server transfer". So this was my question - do I leave it 200 or should something else be returned.

Robert Charlton

WebmasterWorld Administrator, WebmasterWorld Top Contributor of All Time, 10+ Year Member, Top Contributors Of The Month



 
Msg#: 4548084 posted 8:34 pm on Feb 24, 2013 (gmt 0)

> Just when I thought there was nothing left on the internet for Microsoft to break, along comes another example.

LOL. A classic comment, worthy of framing. ;)

That said, in this particular case, is there any reason that a crawler like Google needs to be aware of the header status at all once you've blocked the crawler? It's not like a 404, where the "not found" status is useful information... and where a 200, or even the absence of a 404 response, would create problems.

Google might make use of a 408... but basically you don't want Google to index whatever url/page it is that the shopping cart returns after a session time-out... and chances are your budget isn't large enough to re-engineer the cart. So I'd say that what you've done makes sense.

> ...we have stopped this script being accessible to Google via robots.txt and as a backup added noindex in the head section.

Using both robots.txt and noindex, as I know you're aware, negates part of what noindex does, which is to keep references to the url out of the serps... but chances are in a cart that you're not going to have that problem anyway. As a backup, in case robots.txt fails, "noindex" is probably not a bad idea. If you see any url-only results in the serps, then you should drop the robots.txt.

> This is needed since after 20 minutes the cart user has been creating "expired", so that the user is aware they need to start to create cart again.

I'm assuming here that somehow the user's data is saved. If not, and "start to create" means re-entering product choices, I think I would look into re-engineering the cart, or, at the least, extending the 20 minutes. I can imagine that shoppers whose data is lost by a 20 minute distraction would often decide to go elsewhere.

aakk9999

WebmasterWorld Administrator 5+ Year Member



 
Msg#: 4548084 posted 12:20 am on Feb 25, 2013 (gmt 0)

Thank you for commenting, Robert.

> That said, in this particular case, is there any reason that a crawler like Google needs to be aware of the header status at all once you've blocked the crawler?

True, the response code is not important right now as the crawlers are blocked. However, if I ask for g1smd's solution to be implemented, then I somehow think it is not right to return 200 if the page content says "Your session has expired" instead of showing the page content.

> Using both robots.txt and noindex, as I know you're aware, negates part of what noindex does...

Yes, I know, but I have witnessed often enough robots.txt getting "lost" from the server, or being saved as UTF-8 (which makes Google not understand it), hence the noindex fallback.

> I'm assuming here that somehow the user's data is saved. If not, and "start to create" means re-entering product choices, I think I would look into re-engineering the cart, or, at the least, extending the 20 minutes. I can imagine that shoppers whose data is lost by a 20 minute distraction would often decide to go elsewhere.

Without going into specifics, the products the site sells are unique, so at the time of adding the product to the cart, this particular product is "reserved" for this session and nobody else can buy it (as there is only one of them exactly like this). So whilst it is possible to re-create the cart (because the server knows the old details), we cannot do this as there is no guarantee that this particular "product" is still available, as it is possible that between the time the session has expired and the time the user has been told that their session has expired, this particular product may be sold to someone else. This uniqueness of products is in fact the main reason why it is required that the session expires after a certain time - so that products in abandoned carts can be "released" and made available to others to purchase.

Since products are quite expensive, it is rare for the cart to have more than one product in it.
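
Added example (not part of the thread, and not the site's IIS code): a Python model of the behaviour discussed above, where the "session expired" message is served at the requested URL without a redirect, the old session id is retired, its reserved products are released, and the next click runs in a fresh session. The status code chosen for the expired response, the `X-Robots-Tag` header standing in for the noindex meta tag, and every function, cookie and product name are assumptions.

```python
import secrets

SESSION_TTL = 20 * 60                    # the 20-minute timeout from the thread
EXPIRED_STATUS = "408 Request Timeout"   # assumption: thread also weighs 200 and 503

sessions = {}   # session id -> {"last_seen": seconds, "cart": set of product ids}
reserved = {}   # product id -> session id holding the reservation


def new_session(now):
    sid = secrets.token_urlsafe(32)      # unguessable id, never reused
    sessions[sid] = {"last_seen": now, "cart": set()}
    return sid


def expire(sid):
    """Drop the session and release every product it had reserved."""
    for product in sessions.pop(sid)["cart"]:
        reserved.pop(product, None)


def reserve(product, sid, now):
    """Reserve a unique product; False if another live session holds it."""
    holder = reserved.get(product)
    if holder is not None and holder != sid:
        if now - sessions[holder]["last_seen"] <= SESSION_TTL:
            return False
        expire(holder)                   # holder timed out: release its cart
    reserved[product] = sid
    sessions[sid]["cart"].add(product)
    return True


def handle(path, sid, now):
    """Return (status, headers, body, session id); body is a stand-in for the page."""
    cookie = "sid={}; Path=/; HttpOnly; Secure; SameSite=Lax"
    session = sessions.get(sid)
    if session is None:                  # first visit or unknown cookie
        sid = new_session(now)
        return "200 OK", [("Set-Cookie", cookie.format(sid))], path, sid
    if now - session["last_seen"] > SESSION_TTL:
        expire(sid)                      # old id is dead; cart is released
        sid = new_session(now)           # next click runs in a fresh session
        headers = [("X-Robots-Tag", "noindex"), ("Cache-Control", "no-store"),
                   ("Set-Cookie", cookie.format(sid))]
        return EXPIRED_STATUS, headers, "Your session has expired.", sid
    session["last_seen"] = now
    return "200 OK", [], path, sid
```
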
