Is there any way to catch a session timeout and do something graceful, like restore the login page or something? When a session in my web app times out, all sorts of attributes (well, a few anyway) are no longer there, although looking at the browser, the page still looks fine. So, you click on something, and the exceptions start flying.
Can this be caught? I've already checked out the Listener stuff, but it appears that when the sessionDestroyed method is called, the session is already dead. Besides, you can't "push" stuff, anyway; yet, there are a lot of sites out there that seem to have figured this out and handle this gracefully.
Originally posted by Allen Williams: I've already checked out the Listener stuff, but it appears that when the sessionDestroyed method is called, the session is already dead.
In Servlets 2.4, the listener method is invoked just prior to session destruction.
Thank you, Bear.
I'm not necessarily interested in saving state across the timeout, although that thought is intriguing, and I'll check out the link you posted.
Just trying to detect the fact the user clicked on something and the session and all the attributes it held were no longer there. In order to do this, are you saying I should send back something like a cookie (the "authentication token") with a timeout approximately what the session timeout is, and then check that at each click?
I thought about that approach specifically, with a cookie that had a 30 min timeout, but was thinking I'd have to make sure, in every web page associated with a session, that the cookie was checked. Is this what you mean?
Thanks yet again! Allen
Also, based on your last comment, does that mean the sessionDestroyed() can have a dispatcher in it that can send the browser to a login or timeout notice page?
Originally posted by Allen Williams: Just trying to detect the fact the user clicked on something and the session and all the attributes it held were no longer there.
That's easy. When the user logs in, you set an "authentication token" or other element on the session that indicates "user is logged in". Then put a servlet filter in place that is invoked on each request in the app with the exception of the login page and any other pages that you want to be exempt from authentication.
When the filter detects that the token is present, it lets the request go along its merry way. If not, it redirects or forwards to the login page.
[ October 01, 2006: Message edited by: Bear Bibeault ]
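Added example, not part of the original thread or any poster's code: one way to write the servlet filter described in the answer above. The attribute name `authToken`, the paths `/login.jsp`, `/login` and `/timeout.jsp`, and the class name are assumptions chosen for illustration.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Map this filter to /* in web.xml so every request in the app passes through it.
public class AuthenticationFilter implements Filter {
    // Hypothetical names: the attribute the login code sets, and the exempt pages.
    static final String AUTH_TOKEN = "authToken";
    static final String LOGIN_PAGE = "/login.jsp";
    private static final Set<String> EXEMPT =
            new HashSet<String>(Arrays.asList(LOGIN_PAGE, "/login", "/timeout.jsp"));

    public void init(FilterConfig config) {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Exact match on the container-resolved path, never a substring of the
        // raw URI, so a crafted URL cannot pass itself off as an exempt page.
        String path = request.getServletPath();
        if (request.getPathInfo() != null) path += request.getPathInfo();
        if (EXEMPT.contains(path)) { chain.doFilter(req, res); return; }

        // getSession(false) returns null after a timeout instead of silently
        // creating a fresh, empty session.
        HttpSession session = request.getSession(false);
        if (session != null && session.getAttribute(AUTH_TOKEN) != null) {
            chain.doFilter(req, res); // token present: let the request through
            return;
        }
        // Session expired or user never logged in: send the browser to the login page.
        response.setHeader("Cache-Control", "no-store");
        response.sendRedirect(request.getContextPath() + LOGIN_PAGE);
    }

    public void destroy() {}
}
```

Because the check runs on the next request rather than inside sessionDestroyed(), it works without any server push: the expired session is detected when the user clicks.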