It's not a secret anymore!*
The moose likes Servlets and the fly likes How to prompt user that session is going to time out ? Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login


Win a copy of Murach's Java Servlets and JSP this week in the Servlets forum!
JavaRanch » Java Forums » Java » Servlets
Bookmark "How to prompt user that session is going to time out ?" Watch "How to prompt user that session is going to time out ?" New topic
Author

How to prompt user that session is going to time out ?

Harpreet Hira
Ranch Hand

Joined: Sep 27, 2001
Posts: 72
I am working on an application for which the timout duration should be 20 minutes. However, after 15 minutes I would like to prompt user to take some action, else session will expire in 5 minutes.

I can implement this by setting the session timeout duration as 15 minutes and by implementing HttpSessionListener's sessionDestroyed() method, which gives a notification that session is about to be invalidated. When sessionDestroyed() method is invoked I will programatically increase the timeout duration by 5 minutes, using setMaxInactiveInterval(int).

The problem here is how can I show the prompt to user after 15 minutes?
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60765
    
  65

You can't really. How do you know what's in the user browser? They might have clicked away from any of your pages long ago.


[Asking smart questions] [Bear's FrontMan] [About Bear] [Books by Bear]
Saritha Penumudi
Ranch Hand

Joined: Aug 18, 2003
Posts: 147
One solution possible is if your application has header or footer that is constant to all pages and one of these pages has asynchronous calls (using XmlHttpRequest) to your servlet that would say if timer should be started. The frequency of these asynchronous posts could depend on your application.

If startTimer() of your timer servlet return true, then you can call a javascript function that would display timer to the user on the header/footer of the application.

This solution purely depends on javascript. I am not sure if your application has any limitations on using javascript.

If you go by this option then also check browser compatibity issues.
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60765
    
  65

The act of making any request, including an Ajax request, resets the session timer and so is useless for warning about an impending session timeout, though it will prevent said timeout.
[ May 10, 2006: Message edited by: Bear Bibeault ]
Charles Lyons
Author
Ranch Hand

Joined: Mar 27, 2003
Posts: 836
To be honest, the best thing I can see working is a client-side script (JavaScript) where you set a JavaScript countdown from 15 minutes from the last time the page was loaded/refreshed. Then you can present an alert dialog box or similar when the countdown expires (or even change your page's content dynamically).

This is only any good if the user still has your Web page open (and haven't gone to another site within the 15 minutes); any refresh or navigation to another page will reset the session which is what you would expect anyway.

I haven't used JavaScript in a website in a long time (years in fact) because I got frustrated by different browser compatibilities and also the fact that many of my users had disabled client-side scripting! If this is the case, you won't actually be able to do much at all to solve your problem! So, I'm quite rusty on my JavaScript, and since this is certainly not a server-side issue, might I suggest asking JavaScript questions in the HTML and JavaScript forum?

Good luck.


Charles Lyons (SCJP 1.4, April 2003; SCJP 5, Dec 2006; SCWCD 1.4b, April 2004)
Author of OCEJWCD Study Companion for Oracle Exam 1Z0-899 (ISBN 0955160340 / Amazon Amazon UK )
Saritha Penumudi
Ranch Hand

Joined: Aug 18, 2003
Posts: 147
You are right Bear Bibeault.
I totally missed inactive time and will get reset when there is another request.

Thank you for pointing it out.

It has been quite a while I worked on Servlets. I was browsing through the API and do you see any drawbacks with this approach.

From sessionDestroyed(HttpSessionEvent se), using HttpSessionEvent get HttpSession and through HttpSession get HttpServletContext and through HttpServletContext get RequestDispatcher and forward to your timer page.

with this approach ofcourse user will taken to different page from where he can relogin if session timeout or click on back button and send any request.

sessionDestroyed should be coded so that the request is not forward for time 5 mins session timeout.
[ May 10, 2006: Message edited by: Saritha ventrapragada ]
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60765
    
  65

The OP didn't say why he wanted to do this in the first place.

I suspect it may be, as we see here every now and again, that he's wanting to use the session timeout as his personal timer. Bad idea.

The session timeout is not there to serve as a timer for your application. It's there to prevent server-side resource leaks.

If you need a server-side timer, there are Java classes that provide that service. If you need a client-side timer, then there are JavaScript solutions as Charles pointed out.
Stan James
(instanceof Sidekick)
Ranch Hand

Joined: Jan 29, 2003
Posts: 8791
I use a couple applications - our corporate time sheet and my bank come to mind - that use the Javascript timer on the browser trick. They pop a little window that says "You're about to time out" with buttons to resume or log out. Of course that little window needs its own timer ...


A good question is never answered. It is not a bolt to be tightened into place but a seed to be planted and to bear more seed toward the hope of greening the landscape of the idea. John Ciardi
Harpreet Hira
Ranch Hand

Joined: Sep 27, 2001
Posts: 72
Thanks guys. This was very helpful.
It seems that I need to put a timer in javascript(ofcourse, with it's limitations) for alerting the user and use sessionDestroyed() to clean resources.
Saritha Penumudi
Ranch Hand

Joined: Aug 18, 2003
Posts: 147
Bear Bibeault,

I am just trying to understand the concept. I still don't understand why we should not use sessionDestroyed for something like this.
Is purpose of this listener is to capture when session timesout and do what is required?

In this particular scenario it is timer. If not timer then other than cleaning reasources what else can be done?

If we have a timer on the client side aren't we maintaining session times in two places?

If we want to increase session timeout later don't we have to do in two places?

What are the major disadvatages in going this route.
I am just trying to understand so that I don't attempt/suggest this mistake later.
[ May 23, 2006: Message edited by: Saritha ventrapragada ]
Harpreet Hira
Ranch Hand

Joined: Sep 27, 2001
Posts: 72
If we have a timer on the client side aren't we maintaining session times in two places?

If we want to increase session timeout later don't we have to do in two places?

What are the major disadvatages in going this route.


Unfortunately there are NOT many options.
However, you can easily overcome the setting of timeout at 2 places. Instead of hardcoding the timeout value in JSP you can dynamically set the value using session.getMaxInactiveInterval(). This way the value set in web.xml will always be set in the client side.
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60765
    
  65

Originally posted by Saritha ventrapragada:

I am just trying to understand the concept.


That's cool. What part of my reply did not address this?


I still don't understand why we should not use sessionDestroyed for something like this.


That depends what "this" is. As I said, your intention is not entirely clear.

If it's to serve as a timer, then it's not a good thing to do. It's not intended to be used as a timer, and it makes a very bad one.

You could try to bang in a nail with a coffee pot, but neither you nor the coffee pot will be happy with the result. Using tools for purposes for which they were not intended frequently results in poor outcomes.


If not timer then other than cleaning reasources what else can be done?


Again, that's like asking: aside from banging in a nail, what good is a hammer?

The listener exists to help you reclaim resources, nothing more.


If we have a timer on the client side aren't we maintaining session times in two places?


Why would they have anything to do with each other? Again, the session timeout is not to be used as an application timer. And why would you want a client-side session timout?

If it's to warn the user that the session is about to expire, that's actually a difficult thing to do since you don't really know when the session will time out. It's not precise.
[ May 23, 2006: Message edited by: Bear Bibeault ]
Saritha Penumudi
Ranch Hand

Joined: Aug 18, 2003
Posts: 147
I really appreciate your reply.
I agree that my question is too abstract and does not point to a specific scenario.
I was just excepting something like a scenario where something like this was attempted which caused a major disastor.

Thank you for your patience and for answering all my questions.
 
I agree. Here's the link: http://aspose.com/file-tools
 
subject: How to prompt user that session is going to time out ?
 
Similar Threads
Forcing Relogin
Session time-out with AJAX
Release resources
Session Management in JSP
Session Timeout handeling