You know I'm curious, as I'm developing a site right now, I thought of an authentication process. I'll list it in steps:

1. User will appear at login screen. Instead of the username and password being the traditional username and password, it will be more so... like walking into a patdown in an airport before going through the scanner.
2. Next, a Perl script will execute a traditional MySQL query match, and if true some random number gets generated and outputted to the user. This doesn't flag the authentication flag in the database yet, though; however, a cookie is sent / a new CGI session.
3. The user will then be in more so of a... contained, locked-down authentication state. Any dynamic data that needs to be updated by the user (just data stored in the database) will be accomplished here. Once the user triggers an event that we know means the user is done updating the database of information, step 4 occurs.
4. The next Perl script will search for an email from the user, and validate the validation code and username. If authenticated, the old cookie is destroyed and a new one is created and stored on the user's computer. If authentication failed, the script prompts a new validation code and asks to repeat, so the user doesn't rage face from losing data that they already updated (but this data was more so temporary).
5. Ajax will basically load a new page for the user, and they have access to my main product/functionality, which is actually a dynamic and static SMS web content group page where other users can be assigned to a group and see people's SMS updates, which are actually commands that I parse in Perl when their browser consistently requests a Perl script that manages the messages. Really cool, I'll show you guys the link to a small demo if you want.

Now here is the catch: since their browser will request a different Perl script every 5000ms to check for SMS commands/updates, why not connect it to another, more... logical script that destroys the user's session after 15000ms of no Ajax requesting the mail processor?

I can't think of how to do this programmatically, setting up this session destroy when a script is not executed after 15000ms. The only thing I can think of is printing a variable to a Perl script that would flag something not to delete the session, but even that I'm unsure how to tackle.

And the way my site is set up is perfect for an operation like this to happen. This measure of security flows in well with what the users are doing since it's very specific, if that makes sense.

Let me know what you guys think.
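
One way to get the 15000ms idle cutoff asked about above, as an added example that is not part of the original post: instead of a timer that fires when a script does not run, every request (including the 5000ms poll) stamps a last-seen time on the session, and the next request or a periodic sweep rejects anything older than the limit. The function names are hypothetical, the in-memory hash stands in for a sessions table in the MySQL database, and `/dev/urandom` is assumed to be available.

```perl
use strict;
use warnings;

# Assumption: %sessions stands in for a sessions table in the MySQL database.
my %sessions;
my $IDLE_LIMIT = 15;    # seconds: the 15000 ms window from the post

# Session ids come from the kernel CSPRNG, not rand().
sub new_session_id {
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    read($fh, my $bytes, 16) == 16 or die "short read from urandom";
    close $fh;
    return unpack 'H*', $bytes;
}

sub create_session {
    my ($user, $now) = @_;
    my $sid = new_session_id();
    $sessions{$sid} = { user => $user, last_seen => $now };
    return $sid;
}

# Called first in every request, polls included; returns the user or undef if idle/unknown.
sub touch_session {
    my ($sid, $now) = @_;
    my $s = $sessions{$sid // ''} or return;
    if ($now - $s->{last_seen} > $IDLE_LIMIT) {
        delete $sessions{$sid};    # lazy expiry: no timer needed
        return;
    }
    $s->{last_seen} = $now;
    return $s->{user};
}

# Optional sweep (e.g. from cron) for sessions whose browser never came back.
sub reap_idle {
    my ($now) = @_;
    my @dead = grep { $now - $sessions{$_}{last_seen} > $IDLE_LIMIT } keys %sessions;
    delete @sessions{@dead};
    return scalar @dead;
}

# Constructed timeline: polls at t+5 and t+10 keep the session alive, silence until t+26 ends it.
my $t0  = time;
my $sid = create_session('alice', $t0);
for my $dt (5, 10, 26) {
    my $user = touch_session($sid, $t0 + $dt);
    printf "t+%2ds: %s\n", $dt, defined $user ? "alive ($user)" : 'expired';
}
```

The expiry decision is made on the server from its own clock, so a browser that stops polling cannot keep the session alive.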