session time out checking using filter

Amirtharaj Chinnaraj
Ranch Hand

Joined: Sep 28, 2006
Posts: 236
hi guys

I have written a filter to check whether it is a new request or the request is coming from a
browser having an expired session

i have attached the code below



my question is: is what I did correct?
is it a fair way to declare a static variable inside a filter?
how many instances of the filter will there be in the web container?
will one filter instance be created for every single HTTP request?

this filter works fine for me

thanks
amir




Sebastian Janisch
Ranch Hand

Joined: Feb 23, 2009
Posts: 1183
For filters it's like with Servlets - One Filter instance per web.xml declaration.

As for your static variable, since you are only using it as a counter you are fine. You should synchronize the access though, because instance and static variables are not thread-safe.


Ankit Garg
Sheriff

Joined: Aug 03, 2008
Posts: 9291
    

From the servlet spec

Only one instance per <filter> declaration in the deployment descriptor is instantiated per Java Virtual Machine (JVM) of the container.


Also I can't understand what's the use of this filter. You are redirecting the user to /test in case the session is new. Has this something to do with authorization of users?? Also if I'm the first person to pass through this filter, then sessionflag would be true, and firstRequest will be 0, so first request will be incremented and I would get a blank page as neither will I be redirected nor will my request be forwarded into the filter chain...


Sebastian Janisch
Ranch Hand

Joined: Feb 23, 2009
Posts: 1183
Ankit Garg wrote: Also if I'm the first person to pass through this filter, then sessionflag would be true, and firstRequest will be 0, so first request will be incremented and I would get a blank page as neither will I be redirected nor will my request be forwarded into the filter chain...


That's a good point, I didn't even see that. Leaving aside that the counter variable doesn't even do anything, the if is not necessary because you already check for isNew().
Amirtharaj Chinnaraj
Ranch Hand

Joined: Sep 28, 2006
Posts: 236
yes Ankit Garg

you are right. this filter will redirect to the login page if the session expired.
I made a mistake: for the very first request it does nothing. thanks for correcting me

if I add the line after line 20 it will be ok
am I right

looking for your replies

thanks
amir
Sebastian Janisch
Ranch Hand

Joined: Feb 23, 2009
Posts: 1183
Are you sure you don't want to use the security mechanisms already built in?
Amirtharaj Chinnaraj
Ranch Hand

Joined: Sep 28, 2006
Posts: 236
hi Sebastian Janisch

I didn't understand what you are telling, can you please explain it to me in detail

what security mechanisms are already built in???

thanks
amir
Sebastian Janisch
Ranch Hand

Joined: Feb 23, 2009
Posts: 1183
Well, the Servlet API already provides a rich set of security functionality that does exactly what you want.
Amirtharaj Chinnaraj
Ranch Hand

Joined: Sep 28, 2006
Posts: 236
after adding the line

arg2.doFilter(arg0, arg1);

does my filter work properly
please let me know

actually I have taken this code from another project that is already deployed. I don't know
how far it is a quality one.

thanks
amir
Sebastian Janisch
Ranch Hand

Joined: Feb 23, 2009
Posts: 1183
Yes FilterChain.doFilter(request, response) invokes the next filter in the chain.
Ankit Garg
Sheriff

Joined: Aug 03, 2008
Posts: 9291
    

You are only relying on the fact that a session is not new to find out that a user is authenticated or not. Suppose I reload the login JSP page twice, then my session will not be new the second time I request the login page. So then I get unauthorized access into your site (this is assuming that session attribute of page directive is set to true which is the default). Generally a filter like this inquires into the session (like presence of an attribute) to see if the user is authenticated as given here...
Amirtharaj Chinnaraj
Ranch Hand

Joined: Sep 28, 2006
Posts: 236
thanks Ankit Garg
sorry for delayed response..

in my application the index.jsp which is configured in the welcome file list is a login page.
without logging in nobody can access their resources according to their privileges

my need is I have to redirect to the login page if the session expires.

this is why I am checking only whether the session is new

also I have modified the filter, and my filter looks like this


please reply if I am going the wrong way
thanks
amir
Ankit Garg
Sheriff

Joined: Aug 03, 2008
Posts: 9291
    

Again you didn't get my point, suppose session is enabled on your login JSP page. If I request the same page two times, I'll have a session that's not new, then if I try to enter a restricted area, your filter will let me through. Generally when a user is logged in, an attribute is set into the session to identify that the user has logged in. The authorization filter checks if there is such an attribute in the session (instead of checking if session is new or not), if the attribute is not in the session, the user has not logged in, if the attribute is present, then the filter lets the request in...
Amirtharaj Chinnaraj
Ranch Hand

Joined: Sep 28, 2006
Posts: 236
thanks Ankit Garg

along with checking whether the session is new, I have to check whether the logged-in user is
present in the session in the if statement, like below



thanks
amir
Ankit Garg
Sheriff

Joined: Aug 03, 2008
Posts: 9291
    

I think you should replace && with ||



actually checking for a new session is not required, only checking the attribute is enough...
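
The attribute check described in the replies above, written out as an added example that is not code from the thread. It assumes the javax.servlet API, a login servlet at the hypothetical path /login that stores a session attribute under the hypothetical name "loggedInUser" after a successful login, and index.jsp as the login page, as stated in the thread.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example. One instance serves all request threads, so the filter keeps
// no mutable fields: everything it needs is read from the request and session.
public class LoginCheckFilter implements Filter {
    // Assumed attribute name, set by the login servlet after a successful login.
    private static final String USER_ATTR = "loggedInUser";

    public void init(FilterConfig config) { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // The login page and the login action (assumed paths) must stay
        // reachable without a session, otherwise the redirect below loops.
        String path = request.getServletPath();
        boolean isPublic = "".equals(path) || "/".equals(path)
                || "/index.jsp".equals(path) || "/login".equals(path);

        // getSession(false) never creates a session: an expired session and a
        // first visit both give null. isNew() is not consulted at all.
        HttpSession session = request.getSession(false);
        boolean loggedIn = session != null && session.getAttribute(USER_ATTR) != null;

        if (loggedIn || isPublic) {
            // Pass the request on; without this call the client gets a blank page.
            chain.doFilter(request, response);
        } else {
            response.sendRedirect(request.getContextPath() + "/index.jsp");
        }
    }

    public void destroy() { }
}
```

Any path not listed as public is treated as protected, so a resource added later is denied by default until it is deliberately opened up.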
 