Session Management Problem

Hello,

I am facing some problem in maintaining the session for each and every user who logs in to the application.

Problem Context:

I have to maintain the session for each user, the session for each user created in database (in Milliseconds). User interaction with the application is exceeds the session time I have to invalidate() his session and I have to take him back to login screen.

getUserSession(userID) = will return me the session value in milliseconds for user based onn his userID.

//I am setting maximum time to session.
Session.setMaxInactiveInterval(getUserSession(userID));

if (session.getMaxInactiveInterval() >= getUserSession(userID)) {
// Go to home page (login page)
res.sendRedirect(m_objURLStartPoint.toString());
Log.ln(m_objURLStartPoint.toString());
return true;
}
}

if (session.getMaxInactiveInterval() >= getUserSession(userID)) condition is working I suppose.

Any idea how can I compare the session.

Thanks!
Sirish

Session.setMaxInactiveInterval() would do that for you. Just set the timeout here and it will invalidate the session incase the timeout has expired. Or is it I am completely off the hook?

Hi Anupam,

Thanks for your reply!

Session.setMaxInactiveInterval() is not helping me at all. I am deploying my application on WebSphere 5.X. But Container is not invalidating the sesssion after MaxInactiveInterval is over.
Do you have any other way to kill the user session?

I am trying something like..
if(System.getTimeInMilliSeconds()>= userloggedinTime+UserTime){
session.invalidate();
}
But still same problme, not able to Kill the Session.



Thanks!
Sirish

There are couple of ways you can try out too

In your web.xml file you can set a parameter

<session-config>
<session-timeout>your requirement</session-timeout>
</session-config>

If you have servlet in your architecture

Servlet's init parameter can be set to

<init-param>
<param-name>timeout</param-name>
<param-value>your requirement</param-value>
</init-param>

On a note all times that you set here is based of minutes.

Satish,

Thanks for your reply!

Web.xml is not suitable solution for me because of I need to maitain different session interval based on the user role. some user will have only 10 min session some user will have 1 hr like that. I am maintaining session time in the Database.

Thanks,
Sirish

Originally posted by Sirish Kumar GongalReddy:
But still same problme, not able to Kill the Session.

Hi Sirish, how do you determine that the container has not killed the session?
If you do request.getSession(), and if the older session has expired, then the container will create a new session.
Try request.getSession(false) and check whether the returned session object is null. If so, that means the session is invalidated.

Have you tried setting max age ?

some user will have only 10 min session some user will have 1 hr like that.

this might not fit your need but am still putting it-

Try controlling the routing from the JSP end.
AM assuming the user-role is in the session of the JSP.
JSTL has a tag that give you session information.

For example in your JSP

<%@ taglib uri="http://java.sun.com/jstl/core" prefix="javaranch" %>
..,
..,
......
${pageContext.session.creationTime} returns the value of when the session was created, in the JSP write a small scriplet that will redirect it to login page when a time has reached.

John,

Thanks for your reply!

I am not using cookies at all. Just I need to invalidate user session if user exceeds his assigned time.

All my solutions are not working and not able to kill the session and I have tried by getting System time too.

Just I need a condition check something like.....

assignedTime come from database.
How to caluculate userAccessedTime?
I am trying something like....
session.getLastAccessedTime()+ userAssignedTime = userAccessedTime (I feel it's not right way....Any idea great help)


if(userAccessedTime > assignedTime){
session.invalidate();
rd.sendRedirct("loginpage");
}

Any idea? Thanks!

Regards,
Sirish

Is it because the value you are passing to setMaxInactiveInterval() is in milliseconds but it expects it in SECONDS. So it will take longer to expire. Try converting your milliseconds to seconds before passing to the setMaxInactiveInterval() method.

I am not using cookies at all

Once you start a session it can either be maintained through a cookie or via URL rewriting. The inactive interval and the max age values should help or the DD should be able to assist you in this regard. Dont try to calculate the time yourself since it can be confusing and harder to maintain. Also the next time you ask for a session make sure you dont request the container to create a new session. Check the JSessionID headers to be sure that the sessions are the same. Another way to check if your session was killed is to bind objects to your session and check if they get unbound when they are invalidated. Then there is also the HttpSession listener. You could make use of that as well.

Thanks Guys for your continious help!!

Finally I have close my issue and I caluculated session time my self.

On the other hand I have another problem is that,

1) If the user is still keep on intaracting with the server irrespective of his assigned time and he enter some data on the page (page is an Applet) the movement when he pressed SAVE button (Applet will call Servlet)his session will be invalidate because he already exceeds his assigned time.

But what I would like to do is,

(1) I need to save his data even though if he exceeds his time and then session has to be invalidated.

Any best ideas to implement this?

Many Thanks,
Sirish

Any best ideas to implement this?

In the servlet where he saves his stuff process his info and then invalidate the session.

John,

The servlet will persist users data in the Database.

The process is like..

1) User will log on to the application. (His session started..now)

2) He want to edit some data so he will select the wanted page and then the page will download to local browser. (In my case the page is an Applet)

Generally once the Applet will download to local brower there is now connection will maintained between browser and server until user perform some external task like save,edit,delete....)

3) he edited some of his data by sitting couple of hours the movement he prss SAVE system will invalidate his session becuase his max session is 1 hr. But I want to save his work and then I want to invalidate his session even though he exceeds his session or I would like to prompt the user with warning before 10 min of his session expiry time.

How can I communicate with Applet from servlet to prompt the user or vice versa?

Any idea will be great help!

Many thanks,
Sirish

Hi Sirish,

while setting the applet to the browser, you may include
the session timeout value as a parameter in the applet tag.
Then the applet can use this in its init method to start
a timer which may expire just 10 minutes(as per your requirement)
before the session timeout value. You could then trigger
a save request to the servlet from the browser, before its
session expires.

Hope this works for you.

Pravin

Thanks Pravin!

Let me try with your solution.

Many thanks,
Sirish