I've got an application that uses the Servlet container's session timeout facility and implements a LoginFilter to check the target for the GET/POST. If the target requires a login, the Filter checks that there is appropriate user information in the HttpSession. If not, it dispatches to the usual Login/Register page. All of this works just perfectly.
But the user experience is not ideal. When the session times out, the user is sent to the login page whenever they click on a link within the application. So they click on the "play music" link, and get the standard Login page, without any prompt or error message. When they have cookies enabled and the account set up for automatic login using the cookie, they are taken to the main landing page. So they are scratching their heads going "why is the music not playing?"
A better flow would be to display a page saying "your session has timed out, click here to re-Login".
I'm not finding what I need to do to have either the LoginFilter notice the timeout, or have another filter/function called. The LoginFilter can easily tell that the user is logged in, or not, but not why they are not logged in. It's nicely stateless, which is good in some senses, but not ideal for the user experience.
1) the LoginFilter do the remembering, then
2) dispatch the "re-login page"
3) which the user clicks on the re-login. Then
4) the Login bean can ask the LoginFilter for the old "where to" and do a dispatch again?
In the login filter you can extract the previous URL from the request by calling request.getRequestURL();
Store the URL in the request/session/cookie and then redirect the user to the login page. This way the login page knows what the previous URL was and can redirect the user to the previous URL in case of successful login.
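The filter-plus-login-servlet pair described above, written out as an added example (it is not the answerer's code and not part of the asker's application). It assumes javax.servlet 3.1 (for changeSessionId), that the logged-in user is kept under the session attribute "user", that the login page is at /login, and that the protected URL patterns are /play/* and /account/*; all of those names are assumptions, and the two classes would normally live in separate files. It stores the request URI rather than the full URL so the saved target is a same-origin path by construction, and the login side still validates it before redirecting, because a stored "return to" value is the classic open-redirect sink once somebody later moves it into a parameter or cookie.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Guards the protected URLs (hypothetical patterns). The logged-in user is
 *  assumed to live under the session attribute "user". */
@WebFilter(urlPatterns = {"/play/*", "/account/*"})
public class LoginFilter implements Filter {
    static final String USER_ATTR = "user";
    static final String RETURN_TO_ATTR = "returnTo";
    static final String LOGIN_PAGE = "/login";      // hypothetical login URL

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(false);

        if (session != null && session.getAttribute(USER_ATTR) != null) {
            chain.doFilter(req, res);               // logged in: pass through
            return;
        }
        // Only a GET can be replayed after login; a POST body is lost across
        // the redirect, so a POST falls back to the landing page instead.
        if ("GET".equals(request.getMethod())) {
            String target = request.getRequestURI();   // path only, no scheme/host
            if (request.getQueryString() != null) {
                target += "?" + request.getQueryString();
            }
            // Kept server-side so the client cannot rewrite it.
            request.getSession(true).setAttribute(RETURN_TO_ATTR, target);
        }
        response.sendRedirect(request.getContextPath() + LOGIN_PAGE);
    }
}

/** Base for the application's login servlet: the concrete subclass supplies
 *  authenticate() and is the one mapped to /login. */
abstract class LoginServletBase extends HttpServlet {
    /** Returns the application's user object on success, null otherwise. */
    protected abstract Object authenticate(String username, String password);

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws IOException, ServletException {
        Object user = authenticate(request.getParameter("username"),
                                   request.getParameter("password"));
        if (user == null) {
            response.sendRedirect(request.getContextPath() + "/login?error=1");
            return;
        }
        HttpSession session = request.getSession(true);
        String returnTo = (String) session.getAttribute(LoginFilter.RETURN_TO_ATTR);
        session.removeAttribute(LoginFilter.RETURN_TO_ATTR);
        request.changeSessionId();   // Servlet 3.1: fresh ID on login defeats session fixation
        session.setAttribute(LoginFilter.USER_ATTR, user);
        response.sendRedirect(safeReturnTo(request.getContextPath(), returnTo));
    }

    /** Accept only a path inside this context. Rejects absolute URLs, the
     *  protocol-relative "//host" form, backslash variants and header-injection
     *  characters, so the stored value can never become an open redirect. */
    static String safeReturnTo(String contextPath, String candidate) {
        String landing = contextPath + "/";
        if (candidate == null
                || !candidate.startsWith(landing)
                || candidate.startsWith(landing + "/")
                || candidate.indexOf('\\') >= 0
                || candidate.indexOf('\r') >= 0
                || candidate.indexOf('\n') >= 0) {
            return landing;   // default landing page
        }
        return candidate;
    }
}
```

Two things worth checking in your own version: that the return target is only ever honoured for GET (a replayed POST is both impossible and, for things like "buy" or "delete", undesirable), and that the session ID is rotated at the moment the user object is stored, since a session that existed before login (which is exactly what this scheme creates in order to hold the return target) is the precondition for session fixation.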
Because in one case, the user is logged in, on a page, and goes away for a beer. He comes back, clicks on the "play music" link, and you want to display a screen: "sorry, you have been logged out due to inactivity. we care about your security, we love you, blah blah" and have him click to log in.
In the other case, if a user enters a URL to a link that requires being logged in, I want to say "Nice that you want to play music, but you have to log in first."
Different use case, different messages to the user.
Well, you could do something different than just pulling the User instance from the session on logout. Perhaps have a flag that indicates whether he/she is logged in or not. That way, no User in the session means hard timeout.
The problem you are facing can be solved by having a session which is managed by you and the browser. The following steps can solve this problem:
1. Make the session never expire
2. Store your user object on the session object
3. Update the request time on each request, but before doing that, compare the last visit with the current timestamp; if the difference is greater than your timeout, redirect to the login page with message A
4. If the object is null, redirect with message B
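The four steps above as a single filter, written as an added example (not the answerer's code, not the asker's LoginFilter). Attribute names, the /play/* pattern, the /login page, the 15-minute limit and the reason codes are all assumptions. It distinguishes message A (idle timeout) from message B (never logged in) with a last-seen timestamp, and it carries the distinction to the login page as a fixed reason code that is mapped to text through messageFor() rather than echoed:

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Idle-timeout check owned by the application rather than the container.
 *  Attribute names, the path and the 15-minute limit are assumptions. */
@WebFilter(urlPatterns = "/play/*")
public class IdleTimeoutLoginFilter implements Filter {
    static final String USER_ATTR = "user";
    static final String LAST_SEEN_ATTR = "lastSeen";
    static final String LOGIN_PAGE = "/login";
    static final long IDLE_LIMIT_MS = 15 * 60 * 1000L;

    // Reason codes passed to the login page. The page maps them to text via
    // messageFor() and never prints the raw parameter.
    static final String REASON_TIMEOUT = "timeout";          // message A
    static final String REASON_LOGIN_REQUIRED = "required";  // message B

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String reason = classify(request.getSession(false), System.currentTimeMillis());
        if (reason != null) {
            response.sendRedirect(request.getContextPath() + LOGIN_PAGE + "?reason=" + reason);
            return;
        }
        chain.doFilter(req, res);
    }

    /** Returns null when the request may proceed, otherwise the reason code.
     *  Refreshes the last-seen stamp on the happy path. */
    static String classify(HttpSession session, long now) {
        if (session == null || session.getAttribute(USER_ATTR) == null) {
            return REASON_LOGIN_REQUIRED;     // never logged in, or explicitly logged out
        }
        Long lastSeen = (Long) session.getAttribute(LAST_SEEN_ATTR);
        if (lastSeen != null && now - lastSeen > IDLE_LIMIT_MS) {
            // End the session for real. A redirect alone would leave the cookie
            // valid for any URL this filter does not cover.
            session.invalidate();
            return REASON_TIMEOUT;
        }
        session.setAttribute(LAST_SEEN_ATTR, now);
        return null;
    }

    /** Used by the login page: fixed text per known code, a default otherwise. */
    static String messageFor(String reason) {
        if (REASON_TIMEOUT.equals(reason)) {
            return "Sorry, you have been logged out due to inactivity. Please log in again.";
        }
        if (REASON_LOGIN_REQUIRED.equals(reason)) {
            return "Nice that you want to play music, but you have to log in first.";
        }
        return "Please log in.";
    }
}
```

One caveat on step 1: do not literally make the container session never expire. An abandoned session then lives in server memory until the JVM restarts, and its cookie stays valid for every URL the filter does not cover. Keep the container's session-timeout (web.xml) as a backstop, set it longer than IDLE_LIMIT_MS so your own check fires first, and accept that if the container does win the race the user sees message B, which is the original ambiguity in a much narrower window.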