How to Re-Authenticate a user to an active session
Following is my existing flow.
Initially the user logs in with a valid username and password. He will do some transactions in the application. Meanwhile, if he is idle for more than 15 minutes, the current session will be lost, and then if he wants to continue with the application he will be forcefully sent to the login page to get authenticated once again. Now we have to start the transaction afresh.
Following is my new requirement.
While doing some transaction, if the user is idle for more than 15 mins, an authentication JSP page should be displayed on the current screen asking the user to enter username and password once again. If the authentication succeeds, then he should get back to the same screen where he was previously doing the transaction and be allowed to continue the transaction.
Here two scenarios should be considered. 1) The Re-Authentication screen should be displayed on the top of the screen in which he is idle for more than 15 mins. 2) If the Re-Authentication succeeds, then user should be allowed to continue the transaction in which he is idle previously.
I guess this would need quite a lot of changes. I do not know much about your framework, but most web applications depend a lot on the session to store data for a particular user session.
Once your session is gone, it would not be possible to get back the data stored in the session. Here is something that might help you.
+ Put a session listener.
+ As soon as the session expires you can make a backup of the data structures which are there in the session against the session ID of the session that is going to expire. Can use ServletContext as the common repository.
<===== 15 minutes after [session expires]========>
+ You get a request from the client. Bang! Session expired; now check your backup with the session ID of the session as key. You will get the backup of the data structure that you have stored (against the expired session ID).
+ Create a new session, put the recovered data structure in that and ask the user to log in again. (The login process would have to be changed a bit: the session would be created before the user is asked for his credentials. If login succeeds then continue with the session, or else destroy it.)
Now, there is one more challenge: after restoring the data in the session, how will you carry on with the flow? For this you have to modify the front controller (if your application has one), or do something else according to your application.
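The backup-and-restore idea from the reply above, as an added example that is not part of the original thread. It is a variant that copies the data into the new session only after the credential check has passed and only for the same user who owned the expired session, so an old session ID alone never recovers anyone's data. Assumptions: the `javax.servlet` API at 2.4 or later, a login routine that stores the user name under the session attribute `user`, and the hypothetical names `SessionBackupListener`, `STORE` and `restore`.

```java
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.ServletContext;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

public class SessionBackupListener implements HttpSessionListener {
    static final String STORE = "expiredSessionBackups"; // hypothetical context attribute name
    static final String USER_ATTR = "user";              // assumed: set by the login code
    static final long MAX_AGE_MS = 30 * 60 * 1000L;      // assumed retention for a backup

    static final class Backup {
        final String owner;
        final long savedAt = System.currentTimeMillis();
        final Map<String, Object> data = new HashMap<String, Object>();
        Backup(String owner) { this.owner = owner; }
    }

    @SuppressWarnings("unchecked")
    static Map<String, Backup> store(ServletContext ctx) {
        synchronized (ctx) { // create the shared map exactly once
            Map<String, Backup> m = (Map<String, Backup>) ctx.getAttribute(STORE);
            if (m == null) { m = new ConcurrentHashMap<String, Backup>(); ctx.setAttribute(STORE, m); }
            return m;
        }
    }

    public void sessionCreated(HttpSessionEvent se) { }

    // Servlet 2.4+: invoked before invalidation, so attributes are still readable.
    // Also fires on explicit logout; a logout handler should clear attributes first.
    public void sessionDestroyed(HttpSessionEvent se) {
        HttpSession s = se.getSession();
        Object owner = s.getAttribute(USER_ATTR);
        if (owner == null) return; // never back up unauthenticated sessions
        Backup b = new Backup(owner.toString());
        for (Enumeration<?> e = s.getAttributeNames(); e.hasMoreElements();) {
            String name = (String) e.nextElement();
            b.data.put(name, s.getAttribute(name));
        }
        store(s.getServletContext()).put(s.getId(), b);
    }

    // Call after the credential check passes; expiredId = request.getRequestedSessionId().
    public static boolean restore(HttpSession fresh, String expiredId, String authenticatedUser) {
        if (expiredId == null) return false;
        Backup b = store(fresh.getServletContext()).remove(expiredId); // one-time use
        if (b == null || !b.owner.equals(authenticatedUser)) return false;
        if (System.currentTimeMillis() - b.savedAt > MAX_AGE_MS) return false;
        for (Map.Entry<String, Object> en : b.data.entrySet()) fresh.setAttribute(en.getKey(), en.getValue());
        return true;
    }
}
```

The listener is registered with a `<listener>` element in `web.xml`. Backups belonging to users who never come back stay in the `ServletContext` map until something purges entries older than `MAX_AGE_MS`, so a periodic cleanup is needed alongside it.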