
How to prompt user that session is going to time out ?

 
Harpreet Hira
Ranch Hand
Posts: 72
I am working on an application for which the timeout duration should be 20 minutes. However, after 15 minutes I would like to prompt the user to take some action, else the session will expire in 5 minutes.

I can implement this by setting the session timeout duration as 15 minutes and by implementing HttpSessionListener's sessionDestroyed() method, which gives a notification that the session is about to be invalidated. When the sessionDestroyed() method is invoked I will programmatically increase the timeout duration by 5 minutes, using setMaxInactiveInterval(int).

The problem here is how can I show the prompt to user after 15 minutes?
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 64716
You can't really. How do you know what's in the user browser? They might have clicked away from any of your pages long ago.
 
Saritha Penumudi
Ranch Hand
Posts: 148
One possible solution is if your application has a header or footer that is constant across all pages, and one of these pages makes asynchronous calls (using XMLHttpRequest) to your servlet that would say if the timer should be started. The frequency of these asynchronous posts could depend on your application.

If startTimer() of your timer servlet returns true, then you can call a JavaScript function that would display the timer to the user in the header/footer of the application.

This solution purely depends on JavaScript. I am not sure if your application has any limitations on using JavaScript.

If you go with this option then also check browser compatibility issues.
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 64716
The act of making any request, including an Ajax request, resets the session timer and so is useless for warning about an impending session timeout, though it will prevent said timeout.
[ May 10, 2006: Message edited by: Bear Bibeault ]
 
Charles Lyons
Author
Ranch Hand
Posts: 836
To be honest, the best thing I can see working is a client-side script (JavaScript) where you set a JavaScript countdown from 15 minutes from the last time the page was loaded/refreshed. Then you can present an alert dialog box or similar when the countdown expires (or even change your page's content dynamically).

This is only any good if the user still has your Web page open (and hasn't gone to another site within the 15 minutes); any refresh or navigation to another page will reset the session, which is what you would expect anyway.

I haven't used JavaScript in a website in a long time (years in fact) because I got frustrated by different browser compatibilities and also the fact that many of my users had disabled client-side scripting! If this is the case, you won't actually be able to do much at all to solve your problem! So, I'm quite rusty on my JavaScript, and since this is certainly not a server-side issue, might I suggest asking JavaScript questions in the HTML and JavaScript forum?

Good luck.
 
Saritha Penumudi
Ranch Hand
Posts: 148
You are right Bear Bibeault.
I totally missed that the inactive time will get reset when there is another request.

Thank you for pointing it out.

It has been quite a while since I worked on Servlets. I was browsing through the API; do you see any drawbacks with this approach?

From sessionDestroyed(HttpSessionEvent se), using HttpSessionEvent get HttpSession and through HttpSession get HttpServletContext and through HttpServletContext get RequestDispatcher and forward to your timer page.

With this approach, of course, the user will be taken to a different page from where he can re-login if the session timed out, or click on the back button and send any request.

sessionDestroyed should be coded so that the request is not forwarded for the 5 mins session timeout.
[ May 10, 2006: Message edited by: Saritha ventrapragada ]
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 64716
The OP didn't say why he wanted to do this in the first place.

I suspect it may be, as we see here every now and again, that he's wanting to use the session timeout as his personal timer. Bad idea.

The session timeout is not there to serve as a timer for your application. It's there to prevent server-side resource leaks.

If you need a server-side timer, there are Java classes that provide that service. If you need a client-side timer, then there are JavaScript solutions as Charles pointed out.
 
Stan James
(instanceof Sidekick)
Ranch Hand
Posts: 8791
I use a couple of applications - our corporate time sheet and my bank come to mind - that use the JavaScript timer on the browser trick. They pop a little window that says "You're about to time out" with buttons to resume or log out. Of course that little window needs its own timer ...
 
Harpreet Hira
Ranch Hand
Posts: 72
Thanks guys. This was very helpful.
It seems that I need to put a timer in JavaScript (of course, with its limitations) for alerting the user and use sessionDestroyed() to clean up resources.
 
Saritha Penumudi
Ranch Hand
Posts: 148
Bear Bibeault,

I am just trying to understand the concept. I still don't understand why we should not use sessionDestroyed for something like this.
Is the purpose of this listener to capture when the session times out and do what is required?

In this particular scenario it is a timer. If not a timer, then other than cleaning up resources what else can be done?

If we have a timer on the client side aren't we maintaining session times in two places?

If we want to increase session timeout later don't we have to do in two places?

What are the major disadvantages in going this route?
I am just trying to understand so that I don't attempt/suggest this mistake later.
[ May 23, 2006: Message edited by: Saritha ventrapragada ]
 
Harpreet Hira
Ranch Hand
Posts: 72
If we have a timer on the client side aren't we maintaining session times in two places?

If we want to increase session timeout later don't we have to do in two places?

What are the major disadvantages in going this route?


Unfortunately there are NOT many options.
However, you can easily overcome the setting of timeout at 2 places. Instead of hardcoding the timeout value in JSP you can dynamically set the value using session.getMaxInactiveInterval(). This way the value set in web.xml will always be set in the client side.
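
The client-side countdown discussed in this thread, fed by the server's session.getMaxInactiveInterval() value, as an added example that is not part of the original posts. The function name, its options and the 30-second safety margin are hypothetical; the timer is advisory only and makes no request of its own, since any request would reset the server-side inactivity clock.

```javascript
// Added example: an advisory idle-warning timer for the browser. The servlet
// container's session timeout stays authoritative; this only mirrors it.
// Assumption: the page is rendered with session.getMaxInactiveInterval()
// (seconds) passed in as maxInactiveSec. All names here are hypothetical.
function createSessionWarning({
  maxInactiveSec,            // server-side inactivity limit, in seconds
  warnBeforeSec,             // how long before expiry to warn, in seconds
  skewSec = 30,              // safety margin: the client estimate is not precise
  onWarn,                    // called with the seconds left when the warning fires
  onExpired,                 // called when the session is presumed gone
  setTimer = setTimeout,     // injectable so the logic can be tested
  clearTimer = clearTimeout,
}) {
  if (!(maxInactiveSec > 0) || !(warnBeforeSec >= 0) || !(skewSec >= 0)) {
    throw new RangeError("timeouts must be non-negative, maxInactiveSec > 0");
  }
  // Treat the session as expiring slightly early rather than slightly late.
  const expireMs = Math.max(0, maxInactiveSec - skewSec) * 1000;
  const warnMs = Math.max(0, expireMs - warnBeforeSec * 1000);
  let warnHandle = null;
  let expireHandle = null;
  let state = "stopped";

  function stop() {
    if (warnHandle !== null) clearTimer(warnHandle);
    if (expireHandle !== null) clearTimer(expireHandle);
    warnHandle = expireHandle = null;
    state = "stopped";
  }

  // Call once per completed request to the application (page load, Ajax
  // response, "resume" button): each one resets the server's inactivity
  // clock, so the local countdown restarts. The timer itself never contacts
  // the server, because a polling request would keep the session alive.
  function requestCompleted() {
    stop();
    state = "active";
    warnHandle = setTimer(() => {
      state = "warning";
      onWarn((expireMs - warnMs) / 1000);
    }, warnMs);
    expireHandle = setTimer(() => {
      state = "expired";
      onExpired();
    }, expireMs);
  }

  return { requestCompleted, stop, getState: () => state, warnMs, expireMs };
}
```

Call requestCompleted() on page load and from the response handler of the "resume" button; onExpired would normally send the user to the login page.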
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 64716
Originally posted by Saritha ventrapragada:

I am just trying to understand the concept.


That's cool. What part of my reply did not address this?


I still don't understand why we should not use sessionDestroyed for something like this.


That depends what "this" is. As I said, your intention is not entirely clear.

If it's to serve as a timer, then it's not a good thing to do. It's not intended to be used as a timer, and it makes a very bad one.

You could try to bang in a nail with a coffee pot, but neither you nor the coffee pot will be happy with the result. Using tools for purposes for which they were not intended frequently results in poor outcomes.


If not a timer, then other than cleaning up resources what else can be done?


Again, that's like asking: aside from banging in a nail, what good is a hammer?

The listener exists to help you reclaim resources, nothing more.


If we have a timer on the client side aren't we maintaining session times in two places?


Why would they have anything to do with each other? Again, the session timeout is not to be used as an application timer. And why would you want a client-side session timeout?

If it's to warn the user that the session is about to expire, that's actually a difficult thing to do since you don't really know when the session will time out. It's not precise.
[ May 23, 2006: Message edited by: Bear Bibeault ]
 
Saritha Penumudi
Ranch Hand
Posts: 148
I really appreciate your reply.
I agree that my question is too abstract and does not point to a specific scenario.
I was just expecting something like a scenario where something like this was attempted which caused a major disaster.

Thank you for your patience and for answering all my questions.
 