• Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other Pie Elite all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Campbell Ritchie
  • Jeanne Boyarsky
  • Ron McLeod
  • Paul Clapham
  • Liutauras Vilda
Sheriffs:
  • paul wheaton
  • Rob Spoor
  • Devaka Cooray
Saloon Keepers:
  • Stephan van Hulst
  • Tim Holloway
  • Carey Brown
  • Frits Walraven
  • Tim Moores
Bartenders:
  • Mikalai Zaikin

Session Expiry

 
Greenhorn
Posts: 10
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Can someone tell me how to determine a session is expired?
I am currently using HTTPServletRequest.isRequestedSessionIdValid() method to determine if the sesion has expired. But, i am not getting a onsistent result all the time. I ma using ATG Dynamo Application Server.

Thanks in Advance
 
Ranch Hand
Posts: 101
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
I do not believe there is a way to determine if the Session has expired since when it does expire, it is removed and invalidated.
You do have two options thought. First, create a class that implements HttpSessionListener, specifically the sessionDestroyed method, and register it in web.xml as a <listener>. This method will be called for each Session that is destroyed and allow you to know when a Session is about to be destroyed.
Second, you can just call HttpServletRequest.getSession as you always do and check the HttpServletRequest.isNew() method to see if that Session was just created. If it is new and you don't expect it to be, the previous Session has been destroyed.
Hope this helps.
 
Ranch Hand
Posts: 326
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator


This method will be called for each Session that is destroyed and allow you to know when a Session is about to be destroyed.


The listener won't be notified until after the Session has been destroyed. Not a big difference if all you want is to be notified when it is destroyed, but could be important if you wanted to get something from the session before it was destroyed.
 
Author and all-around good cowpoke
Posts: 13078
6
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator

The listener won't be notified until after the Session has been destroyed. Not a big difference if all you want is to be notified when it is destroyed, but could be important if you wanted to get something from the session before it was destroyed.


Very true - the solution is to make a class that holds the data you need to keep when the session is destroyed and have that class implement the HttpSessionBindingListener interface. The object will be notified whenever it is being removed from a session, either when your program invalidates it or when the servlet engine destroys the session.
Bill
 
Joseph Jegan
Greenhorn
Posts: 10
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
All,
Thanks for answering my question.
Let me give more details on my requirements. In our web.xml, we have configured session-timeout to a value of 15 minutes. So, our webcontainer will automatically removes the session if the last accessed time goes more than 15 minutes. Now, we need to show a session expiry page which says "Your Session has Expired" whenever a request belonging to the expired session hits the webcontainer.
So, what logic should i use to determine a request belongs to a expired sesion or not.
Thanks
Joseph
 
Ken Robinson
Ranch Hand
Posts: 101
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
In all of our pages we have the tag <meta http-equiv="Refresh" content="1200; URL=./InvalidateSession.html"> in the <head> section of the page. After 20 minutes (1200/60), the browser redirects the InvalidateSession.html URL. We map that to a Servlet that does what it needs and explicitly invalidates the Session.
By doing it this way, the user knows exactly when they have timed out instead of waiting until their next page request. We usually display the 'timeout' message on the login screen so they know that's what they have to do.
Otherwise, if you want to check for it on the server side, get the session and get the isNew() method. If it's new, it's either the first time the user has hit the site or their previous session has been invalidated.
 
Sheriff
Posts: 7001
6
Eclipse IDE Python C++ Debian Java Linux
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
In all of our pages we have the tag <meta http-equiv="Refresh" content="1200; URL=./InvalidateSession.html"> in the <head> section of the page. After 20 minutes (1200/60), the browser redirects the InvalidateSession.html URL. We map that to a Servlet that does what it needs and explicitly invalidates the Session.
Excellent idea! I needed to do something like this a few months ago and I wish I'd thought of this simple solution. D'Oh!
 
Ken Robinson
Ranch Hand
Posts: 101
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator

Originally posted by Frank Carver:
Excellent idea! I needed to do something like this a few months ago and I wish I'd thought of this simple solution. D'Oh!


I'd like to take credit for it, but I believe I read about it somewhere else (can't remember) and had the same 'Doh' response.
 
Ranch Hand
Posts: 452
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
In all of our pages we have the tag <meta http-equiv="Refresh" content="1200; URL=./InvalidateSession.html"> in the <head> section of the page. After 20 minutes (1200/60), the browser redirects the InvalidateSession.html URL. We map that to a Servlet that does what it needs and explicitly invalidates the Session.
good solution, but i think this will reduce the flexibility in the ocde. Say i have 100 JSPs, than i have to write this code in each JSP. and after some time due to some reason i have to change the session expiry time of my web-application , it will be a tedious job(as i have to do changes in all the 100 jsps).
 
Frank Carver
Sheriff
Posts: 7001
6
Eclipse IDE Python C++ Debian Java Linux
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
you wrote: it will be a tedious job(as i have to do changes in all the 100 jsps).
Um, isn't that what the "@include" mechanism is for? Just define this code in one place (a file called "sessiontimeout.txt" or whatever), then put <% @include file='sessiontimeout.txt' %> in each of your JSPs. Then, if you change the timeout, just change the sessiontimeout file and redeploy your application.
 
Prakash Dwivedi
Ranch Hand
Posts: 452
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
I think u r right, this will make the life much easier .
 
Joseph Jegan
Greenhorn
Posts: 10
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Is there a server-side solution to show a session expiry page?
I think, it is not possible to use HTTPSession.isNew() to distinguish between a request that comes for the first time and a request which comes from a timed-out session. Because, for both the cases, isNew() will return true.
[ January 08, 2004: Message edited by: Joseph Jegan ]
[ January 08, 2004: Message edited by: Joseph Jegan ]
 
Ken Robinson
Ranch Hand
Posts: 101
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
When you get the Session from the HttpServletRequest object, use the getSession(false) method. If there is no Session present (not yet created or timed out), null will be returned instead of a new Session. The default is true, which creates a Session if one does not exist.

[ January 08, 2004: Message edited by: Kenneth Robinson ]
 
Greenhorn
Posts: 1
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator

Originally posted by Kenneth Robinson:
In all of our pages we have the tag <meta http-equiv="Refresh" content="1200; URL=./InvalidateSession.html"> in the <head> section of the page. After 20 minutes (1200/60), the browser redirects the InvalidateSession.html URL. We map that to a Servlet that does what it needs and explicitly invalidates the Session.


What if the user opens two windows? And then working only one window, the 2nd one will refresh to InvalidateSession.html after some time. This will be confusing to the user.
 
Ken Robinson
Ranch Hand
Posts: 101
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
That is something I have not had to work with, but I could see it being an issue.
Modify the invalidation servlet to check the getLastAccessedTime() return value. If it is over say 30 minutes (make it an <init-param> ), then do the invalidation. Otherwise, some other Window has hit the Session so leave it be. You can either forward to an idle screen or back to the screen that initiated the invalidation request. Also, since multiple windows are now a consideration, when checking the session in the invalidation logic, use the HttpServletRequest.getSession(false) method to ensure a new Session is not created if a previous window using that Session has already invalidated it.
[ January 16, 2004: Message edited by: Kenneth Robinson ]
 
Consider Paul's rocket mass heater.
reply
    Bookmark Topic Watch Topic
  • New Topic