*
The moose likes Servlets and the fly likes Session Expiry Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login


Win a copy of Murach's Java Servlets and JSP this week in the Servlets forum!
JavaRanch » Java Forums » Java » Servlets
Bookmark "Session Expiry" Watch "Session Expiry" New topic
Author

Session Expiry

Joseph Jegan
Greenhorn

Joined: Sep 06, 2000
Posts: 10
Can someone tell me how to determine a session is expired?
I am currently using HTTPServletRequest.isRequestedSessionIdValid() method to determine if the sesion has expired. But, i am not getting a onsistent result all the time. I ma using ATG Dynamo Application Server.

Thanks in Advance
Ken Robinson
Ranch Hand

Joined: Dec 23, 2003
Posts: 101
I do not believe there is a way to determine if the Session has expired since when it does expire, it is removed and invalidated.
You do have two options thought. First, create a class that implements HttpSessionListener, specifically the sessionDestroyed method, and register it in web.xml as a <listener>. This method will be called for each Session that is destroyed and allow you to know when a Session is about to be destroyed.
Second, you can just call HttpServletRequest.getSession as you always do and check the HttpServletRequest.isNew() method to see if that Session was just created. If it is new and you don't expect it to be, the previous Session has been destroyed.
Hope this helps.
Ray Stojonic
Ranch Hand

Joined: Aug 08, 2003
Posts: 326

This method will be called for each Session that is destroyed and allow you to know when a Session is about to be destroyed.

The listener won't be notified until after the Session has been destroyed. Not a big difference if all you want is to be notified when it is destroyed, but could be important if you wanted to get something from the session before it was destroyed.
William Brogden
Author and all-around good cowpoke
Rancher

Joined: Mar 22, 2000
Posts: 12756
    
    5
The listener won't be notified until after the Session has been destroyed. Not a big difference if all you want is to be notified when it is destroyed, but could be important if you wanted to get something from the session before it was destroyed.

Very true - the solution is to make a class that holds the data you need to keep when the session is destroyed and have that class implement the HttpSessionBindingListener interface. The object will be notified whenever it is being removed from a session, either when your program invalidates it or when the servlet engine destroys the session.
Bill
Joseph Jegan
Greenhorn

Joined: Sep 06, 2000
Posts: 10
All,
Thanks for answering my question.
Let me give more details on my requirements. In our web.xml, we have configured session-timeout to a value of 15 minutes. So, our webcontainer will automatically removes the session if the last accessed time goes more than 15 minutes. Now, we need to show a session expiry page which says "Your Session has Expired" whenever a request belonging to the expired session hits the webcontainer.
So, what logic should i use to determine a request belongs to a expired sesion or not.
Thanks
Joseph
Ken Robinson
Ranch Hand

Joined: Dec 23, 2003
Posts: 101
In all of our pages we have the tag <meta http-equiv="Refresh" content="1200; URL=./InvalidateSession.html"> in the <head> section of the page. After 20 minutes (1200/60), the browser redirects the InvalidateSession.html URL. We map that to a Servlet that does what it needs and explicitly invalidates the Session.
By doing it this way, the user knows exactly when they have timed out instead of waiting until their next page request. We usually display the 'timeout' message on the login screen so they know that's what they have to do.
Otherwise, if you want to check for it on the server side, get the session and get the isNew() method. If it's new, it's either the first time the user has hit the site or their previous session has been invalidated.
Frank Carver
Sheriff

Joined: Jan 07, 1999
Posts: 6920
In all of our pages we have the tag <meta http-equiv="Refresh" content="1200; URL=./InvalidateSession.html"> in the <head> section of the page. After 20 minutes (1200/60), the browser redirects the InvalidateSession.html URL. We map that to a Servlet that does what it needs and explicitly invalidates the Session.
Excellent idea! I needed to do something like this a few months ago and I wish I'd thought of this simple solution. D'Oh!


Read about me at frankcarver.me ~ Raspberry Alpha Omega ~ Frank's Punchbarrel Blog
Ken Robinson
Ranch Hand

Joined: Dec 23, 2003
Posts: 101
Originally posted by Frank Carver:
Excellent idea! I needed to do something like this a few months ago and I wish I'd thought of this simple solution. D'Oh!

I'd like to take credit for it, but I believe I read about it somewhere else (can't remember) and had the same 'Doh' response.
Prakash Dwivedi
Ranch Hand

Joined: Sep 28, 2002
Posts: 452
In all of our pages we have the tag <meta http-equiv="Refresh" content="1200; URL=./InvalidateSession.html"> in the <head> section of the page. After 20 minutes (1200/60), the browser redirects the InvalidateSession.html URL. We map that to a Servlet that does what it needs and explicitly invalidates the Session.
good solution, but i think this will reduce the flexibility in the ocde. Say i have 100 JSPs, than i have to write this code in each JSP. and after some time due to some reason i have to change the session expiry time of my web-application , it will be a tedious job(as i have to do changes in all the 100 jsps).


Prakash Dwivedi (SCJP2, SCWCD, SCBCD)
"Failure is not when you fall down, Its only when you don't get up again"
Frank Carver
Sheriff

Joined: Jan 07, 1999
Posts: 6920
you wrote: it will be a tedious job(as i have to do changes in all the 100 jsps).
Um, isn't that what the "@include" mechanism is for? Just define this code in one place (a file called "sessiontimeout.txt" or whatever), then put <% @include file='sessiontimeout.txt' %> in each of your JSPs. Then, if you change the timeout, just change the sessiontimeout file and redeploy your application.
Prakash Dwivedi
Ranch Hand

Joined: Sep 28, 2002
Posts: 452
I think u r right, this will make the life much easier .
Joseph Jegan
Greenhorn

Joined: Sep 06, 2000
Posts: 10
Is there a server-side solution to show a session expiry page?
I think, it is not possible to use HTTPSession.isNew() to distinguish between a request that comes for the first time and a request which comes from a timed-out session. Because, for both the cases, isNew() will return true.
[ January 08, 2004: Message edited by: Joseph Jegan ]
[ January 08, 2004: Message edited by: Joseph Jegan ]
Ken Robinson
Ranch Hand

Joined: Dec 23, 2003
Posts: 101
When you get the Session from the HttpServletRequest object, use the getSession(false) method. If there is no Session present (not yet created or timed out), null will be returned instead of a new Session. The default is true, which creates a Session if one does not exist.

[ January 08, 2004: Message edited by: Kenneth Robinson ]
Antony Hoon
Greenhorn

Joined: Jan 16, 2004
Posts: 1
Originally posted by Kenneth Robinson:
In all of our pages we have the tag <meta http-equiv="Refresh" content="1200; URL=./InvalidateSession.html"> in the <head> section of the page. After 20 minutes (1200/60), the browser redirects the InvalidateSession.html URL. We map that to a Servlet that does what it needs and explicitly invalidates the Session.

What if the user opens two windows? And then working only one window, the 2nd one will refresh to InvalidateSession.html after some time. This will be confusing to the user.
Ken Robinson
Ranch Hand

Joined: Dec 23, 2003
Posts: 101
That is something I have not had to work with, but I could see it being an issue.
Modify the invalidation servlet to check the getLastAccessedTime() return value. If it is over say 30 minutes (make it an <init-param> ), then do the invalidation. Otherwise, some other Window has hit the Session so leave it be. You can either forward to an idle screen or back to the screen that initiated the invalidation request. Also, since multiple windows are now a consideration, when checking the session in the invalidation logic, use the HttpServletRequest.getSession(false) method to ensure a new Session is not created if a previous window using that Session has already invalidated it.
[ January 16, 2004: Message edited by: Kenneth Robinson ]
 
It is sorta covered in the JavaRanch Style Guide.
 
subject: Session Expiry
 
Similar Threads
problem using getSession(boolean create)
Session time out error
Expired session gives illegal state exception
ViewExpiredException
Timeout listener