Gracefully catching the session timeout

Allen Williams
Ranch Hand

Joined: Sep 04, 2006
Posts: 136
Is there any way to catch a session timeout and do something graceful, like restore the login page or something? When a session in my web app times out, all sorts of attributes (well, a few anyway) are no longer there, although looking at the browser, the page still looks fine. So, you click on something, and the exceptions start flying.

Can this be caught? I've already checked out the Listener stuff, but it appears that when the sessionDestroyed method is called, the session is already dead. Besides, you can't "push" stuff, anyway; yet, there are a lot of sites out there that seem to have figured this out and handle this gracefully.

TIA.


-------
Thanks & regards,
anw
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60077

I'm not sure what exactly you are after.

It's a simple matter to write a servlet filter that detects when an authentication token is missing from the session and to redirect or forward to a login page.

Or are you trying to retain state across the session timeout?


Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60077

If it's the latter you are seeking, this topic describes a technique I've used to make a timeout as unobtrusive to the user as possible.

Though it started as an Ajax question, the technique is broadly applicable.
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60077

And...

Originally posted by Allen Williams:
I've already checked out the Listener stuff, but it appears that when the sessionDestroyed method is called, the session is already dead.


In Servlets 2.4, the listener method is invoked just prior to session destruction.
Allen Williams
Ranch Hand

Joined: Sep 04, 2006
Posts: 136
Thank you, Bear.

I'm not necessarily interested in saving state across the timeout, although that thought is intriguing, and I'll check out the link you posted.

Just trying to detect the fact the user clicked on something and the session and all the attributes it held were no longer there. In order to do this, are you saying I should send back something like a cookie (the "authentication token") with a timeout approximately what the session timeout is, and then check that at each click?

I thought about that approach specifically, with a cookie that had a 30 min timeout, but was thinking I'd have to make sure, in every web page associated with a session, that the cookie was checked. Is this what you mean?

Thanks yet again!
Allen
Allen Williams
Ranch Hand

Joined: Sep 04, 2006
Posts: 136
Also, based on your last comment, does that mean the sessionDestroyed() can have a dispatcher in it that can send the browser to a login or timeout notice page?

TIA
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60077

Originally posted by Allen Williams:
Just trying to detect the fact the user clicked on something and the session and all the attributes it held were no longer there.


That's easy. When the user logs in, you set an "authentication token" or other element on the session that indicates "user is logged in". Then put a servlet filter in place that is invoked on each request in the app with the exception of the login page and any other pages that you want to be exempt from authentication.

When the filter detects that the token is present, it lets the request go along its merry way. If not, it redirects or forwards to the login page.
[ October 01, 2006: Message edited by: Bear Bibeault ]
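
Added example, not part of the original thread and not any poster's code: a sketch of the filter described in the post above, written against the javax.servlet API. The attribute name `authToken`, the paths `/login.jsp` and `/login`, and the `reason=timeout` parameter are assumptions chosen for illustration.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class AuthFilter implements Filter {
    // Assumed names: the login code sets this attribute after a successful login.
    static final String AUTH_ATTR = "authToken";
    static final String LOGIN_PAGE = "/login.jsp";
    // Exact-match exemptions only; prefix or suffix matching is easy to bypass.
    private static final Set<String> EXEMPT =
            new HashSet<String>(Arrays.asList(LOGIN_PAGE, "/login"));

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) rq;
        HttpServletResponse response = (HttpServletResponse) rs;

        // getSession(false): never create a fresh session just to inspect it.
        HttpSession session = request.getSession(false);
        boolean loggedIn = session != null && session.getAttribute(AUTH_ATTR) != null;

        if (loggedIn || EXEMPT.contains(request.getServletPath())) {
            chain.doFilter(rq, rs);
            return;
        }
        // The browser sent a session id the container no longer accepts:
        // the session timed out or was invalidated.
        boolean timedOut = request.getRequestedSessionId() != null
                && !request.isRequestedSessionIdValid();
        String target = request.getContextPath() + LOGIN_PAGE
                + (timedOut ? "?reason=timeout" : "");
        response.sendRedirect(response.encodeRedirectURL(target));
    }
}
```

Map the filter to `/*` in web.xml; any static resources the login page loads must be added to the exempt set or they will be redirected as well.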
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60077

Originally posted by Allen Williams:
Also, based on your last comment, does that mean the sessionDestroyed() can have a dispatcher in it that can send the browser to a login or timeout notice page?


No. Listeners are invoked in an asynchronous manner outside the bounds of a request/response cycle.
Allen Williams
Ranch Hand

Joined: Sep 04, 2006
Posts: 136
Excellent! I haven't come across filters, yet, but it looks like it's time to learn some more! Just based on what you said, that obviates the need to have a "checker" on each and every page.

Thanks a bunch.
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60077

Originally posted by Allen Williams:
that obviates the need to have a "checker" on each and every page.


Exactly! You are wise to realize that that's not the way to go.
 