nice way for Handling session timeouts

Pat Farrell
Rancher

Joined: Aug 11, 2007
Posts: 4637

I've got an application that uses the Servlet container's session timeout facility and implements a LoginFilter to check the target for the GET/POST. If the target requires a login, the Filter checks that there is appropriate user information in the HttpSession. If not, it dispatches to the usual Login/Register page. All of this works just perfectly.

But the user experience is not ideal. When the session times out, the user is sent to the login page whenever they click on a link within the application. So they click on the "play music" link, and get the standard Login page, without any prompt or error message. When they have cookies enabled and the account set up for automatic login using the cookie, then they are taken to the main landing page. So they are scratching their heads going "why is the music not playing?"

A better flow would be to display a page saying "your session has timed out, click here to re-Login".

I'm not finding what I need to do to have either the LoginFilter notice the timeout, or have another filter/function called. The LoginFilter can easily tell that the user is logged in, or not, but not why they are not logged in. It's nicely stateless, which is good in some senses, but not ideal for the user experience.
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60053

Remember the target URL and parameters in the session (or in hidden parameters), and after a successful login, redirect to that URL.

The user is interrupted in order to log in, but then gets sent to where they originally intended to go.

Pat Farrell
Rancher

Joined: Aug 11, 2007
Posts: 4637

Just to make sure I am understanding your answer:


Are you suggesting that

1) the LoginFilter do the remembering, then
2) dispatch the "re-login page"
3) which the user clicks on the re-login. Then
4) the Login bean can ask the LoginFilter for the old "where to" and do a dispatch again?
Eric Keen
Greenhorn

Joined: Jan 10, 2010
Posts: 4
In the login filter you can extract the previous URL from the request by calling request.getRequestURL();
Store the URL in the request/session/cookie and then redirect the user to the login page. This way the login page knows what the previous URL was and can redirect the user to the previous URL in case of successful login.
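
Added example, not part of the thread: one way to implement the remember-and-redirect flow from the replies above, with the target kept in the server-side session. `LoginTarget`, its method names and the `loginTarget` attribute are hypothetical, and the `javax.servlet` API is assumed; the `isLocal` check matters when the value instead travels in a hidden field or cookie, which the client can set to an external URL.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example. LoginTarget and the "loginTarget" attribute name are hypothetical.
public final class LoginTarget {
    private static final String ATTR = "loginTarget";

    // LoginFilter calls this just before dispatching to the login page.
    public static void remember(HttpServletRequest req) {
        if (!"GET".equals(req.getMethod())) {
            return; // a POST body cannot be replayed by a redirect
        }
        String target = req.getRequestURI(); // path only: no scheme or host
        if (req.getQueryString() != null) {
            target += "?" + req.getQueryString();
        }
        req.getSession(true).setAttribute(ATTR, target);
    }

    // The login code calls this after the credentials have been accepted.
    public static void resume(HttpServletRequest req, HttpServletResponse res,
                              String fallback) throws IOException {
        HttpSession session = req.getSession(false);
        String target = (session == null) ? null : (String) session.getAttribute(ATTR);
        if (session != null) {
            session.removeAttribute(ATTR); // one-shot: never reuse a stale target
        }
        res.sendRedirect(isLocal(target, req.getContextPath()) ? target : fallback);
    }

    // True only for a path inside this web application. Needed whenever the
    // value may have come from a hidden field or cookie, which the client controls.
    static boolean isLocal(String target, String contextPath) {
        if (target == null || !target.startsWith(contextPath + "/")
                || target.startsWith("//") || target.indexOf('\\') >= 0) {
            return false;
        }
        try {
            URI uri = new URI(target);
            return !uri.isAbsolute() && uri.getRawAuthority() == null;
        } catch (URISyntaxException e) {
            return false; // malformed or contains control characters
        }
    }
}
```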
Pat Farrell
Rancher

Joined: Aug 11, 2007
Posts: 4637

Well, I'm making progress on capturing the requested page (one that requires login) in the LoginFilter, and when the User is not logged in, I can direct them to the login page.

But I'm not seeing any way to detect why the user is not logged in. The LoginFilter sees the request, looks for the existence of the user in the Session, and sees none.

There is no difference between when a user is logged off because they clicked on the "logout" link, session invalidated, etc. and when a timeout happens.

So I'm still not at the initial question: how do I detect timeouts?

Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60053

Oh, I missed that nuance.

Why do you care?

What different semantics do you want to apply when the user logs off versus just times out?
Pat Farrell
Rancher

Joined: Aug 11, 2007
Posts: 4637

Because in one case, the user is logged in, on a page, and goes away for a beer. Comes back, clicks on the "play music" link, and you want to display a screen "sorry, you have been logged out due to inactivity. we care about your security, we love you, blah blah" and have him click to login.

In the other case, if a user enters a URL to a link that requires being logged in, I want to say "Nice that you want to play music, but you have to log in first."

Different use case, different messages to the user.
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60053

Well, you could do something different than just pull the User instance from the session on logout. Perhaps have a flag that indicates whether he/she is logged in or not. That way, no User in the session means hard timeout.
Pat Farrell
Rancher

Joined: Aug 11, 2007
Posts: 4637

I was hoping, but could not find, that the container would call some listener when it does the timeout.
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60053

Sure, there are session listeners. Problem is that they execute asynchronously, independent of request.
Pat Farrell
Rancher

Joined: Aug 11, 2007
Posts: 4637

Bear Bibeault wrote: Sure, there are session listeners. Problem is that they execute asynchronously, independent of request.


I'm not seeing that as a problem, there is no request when the session times out. There is a request later, which needs to test if there was a timeout.

I'll ignore the possible race condition of the timeout happening as the user does their next request.
Eric Keen
Greenhorn

Joined: Jan 10, 2010
Posts: 4
You can store whether the user is accessing the page the first time or if his session is timed out by storing the info in a cookie.

E.g.

if (!userLoggedIn && cookieExists) {
    // means the user got logged out in the middle of his work
} else {
    // user is accessing the page for the first time
}

The above is simple logic which can be extended.
Pat Farrell
Rancher

Joined: Aug 11, 2007
Posts: 4637

Bear Bibeault wrote: Perhaps have a flag that indicates whether he/she is logged in or not. That way, no User in the session means hard timeout.


I've had that for ages.

I'm missing something.

There are at least three cases here:

1) the user logs out with a suitable command, and then wants to play music
2) the session times out, then the user wants to play music
3) the user comes in from the blue, and wants to play music.

What I'm looking for is a way to have something, the container, etc. tell me that it did the logout.

The other two cases are straightforward.
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60053

Set a cookie? A flag in the DB?

This isn't a common scenario. Usually logged out just means logged out. Few apps care why.
Pat Farrell
Rancher

Joined: Aug 11, 2007
Posts: 4637

I've got all those things.

I don't really care that no one else cares. I care.

I'm trying to get an HttpSessionListener working, it may help.
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60053

I didn't say you shouldn't care. I pointed that out so that you'd know why no one just popped in with "Here's how I handle that...".
subodh gupta
Ranch Hand

Joined: Jul 23, 2007
Posts: 203
Hi,

The problem you are facing can be solved by having a session which is managed by you + the browser. The following steps can solve this problem:

1. Make the session never expire
2. Store your user object on the session object
3. Update the request time on each request, but before doing that, check the last visit against the current timestamp; if the difference is greater than your timeout, redirect to the login page with message A
4. If the object is null, redirect with message B


http://subodh-gupta.blogspot.com
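
Added example, not part of the thread: the four steps in the post above written as a servlet filter, so that an idle timeout (message A) and a missing login (message B) reach the login page as different reasons. The class name, attribute names, 30-minute limit and `/login?reason=...` URLs are assumptions, as is the `javax.servlet` API.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example: application-managed idle timeout. All names and the limit are assumptions.
// Step 1 is assumed done at login: session.setMaxInactiveInterval(-1);
// Step 2 is assumed done at login: session.setAttribute("user", userObject);
public class IdleTimeoutFilter implements Filter {
    private static final long IDLE_LIMIT_MS = 30 * 60 * 1000L;
    private static final String USER = "user";
    private static final String LAST_SEEN = "lastSeen";

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        HttpSession session = req.getSession(false);
        Object user = (session == null) ? null : session.getAttribute(USER);

        if (user == null) {
            // Step 4: no user object, so never logged in or logged out explicitly (message B).
            res.sendRedirect(req.getContextPath() + "/login?reason=required");
            return;
        }
        long now = System.currentTimeMillis();
        Long lastSeen = (Long) session.getAttribute(LAST_SEEN);
        if (lastSeen != null && now - lastSeen > IDLE_LIMIT_MS) {
            // Step 3: idle too long. End the authenticated session server-side, then message A.
            session.invalidate();
            res.sendRedirect(req.getContextPath() + "/login?reason=timeout");
            return;
        }
        session.setAttribute(LAST_SEEN, now); // step 3: record this request's time
        chain.doFilter(rq, rs);
    }
}
```

With the container timeout disabled, abandoned sessions are never reclaimed, so a container timeout set well above the idle limit is the safer choice than -1. Requests arriving after that longer limit then fall into the message B branch.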