My http session not expiring after the specified time

Kumar Raja
Ranch Hand

Joined: Mar 18, 2010
Posts: 518
    
    2

Hi,

I'm trying to understand Session-Timeout in web.xml, to check what exactly happens once the time has elapsed. I'm not sure what mistake I'm making here, but my HTTP session does not seem to expire. Please advise.



My web.xml is as follows


I'm refreshing my browser every minute, but I do not see my session expiring.


Regards
KumarRaja

David Newton
Author
Rancher

Joined: Sep 29, 2008
Posts: 12617

You might just be misunderstanding the nature of the isNew() method.
William Brogden
Author and all-around good cowpoke
Rancher

Joined: Mar 22, 2000
Posts: 12760
    
    5
session-timeout is NOT a guarantee, it tells the container something like this:

The next time you happen to look through the existing sessions, if the session has been inactive longer than this number of minutes, it is eligible to be destroyed.

Bill
Prabhat Shankar
Greenhorn

Joined: Oct 08, 2009
Posts: 27
Hi,

It seems to be correct... Session timeout should happen after 1 minute.

Otherwise you can use below method in your servlet for session time out it will help:
session.setMaxInactiveInterval(1*60);

Prabhat Shankar
Kumar Raja
Ranch Hand

Joined: Mar 18, 2010
Posts: 518
    
    2

David Newton wrote:You might just be misunderstanding the nature of the isNew() method.


Please advise, what does it mean? Where am I making a mistake in understanding this? In the API, it is mentioned that


Returns true if the client does not yet know about the session or if the client chooses not to join the session.


From my code

I'm checking if the session is new, which I thought means the client is not yet aware of his session, and then adding a new attribute. But somewhere I read that if the session is expired, then all the assigned attributes are lost. With this knowledge, I thought of checking if the attribute is null or not. If it is null, then it means the session is expired. But apparently I lack enough knowledge here in understanding this.

As pointed out above, does it matter if we set the session interval using setMaxInactiveInterval()? How is this going to be different from the Session-Timeout element in web.xml?

What should be done here to throw the user to the logout page if the session is really no longer valid?

Also, I see a flaw in my code apart from its existing errors. I'm pushing the user to the logout page, with the assumption that the session is no longer valid. I'm thinking that I should call the session invalidate() method instead. But how do I know when to call this method, and can I call the RequestDispatcher on a request where the associated session has expired?

Doug Braidwood
Ranch Hand

Joined: Apr 04, 2010
Posts: 42
As far as I'm aware setting in web.xml (in minutes) or setting it programmatically with setMaxInactiveInterval (in seconds) is no different.

What I am a bit confused about is what you are wanting to happen.
After one minute the session will be invalid, and so the isNew() test will return true, also the session attributes will have been cleared.
With your code there, if you press f5 (refresh) after less than one minute I would expect it to log "Session is old" and if you press f5 after more than one minute the session will have timed out and you will see "Session is new" (and a new session will be created).

In my application I have also used HttpSessionListener which is triggered whenever a session is created or destroyed




SCJP, SCWCD
Kumar Raja
Ranch Hand

Joined: Mar 18, 2010
Posts: 518
    
    2


What I am a bit confused about is what you are wanting to happen.
After one minute the session will be invalid, and so the isNew() test will return true, also the session attributes will have been cleared.
With your code there, if you press f5 (refresh) after less than one minute I would expect it to log "Session is old" and if you press f5 after more than one minute the session will have timed out and you will see "Session is new" (and a new session will be created).


I think I'm following what you are saying here, and I also figured out what was going wrong with my code. After 1 min, the session would have been invalidated, but when I refresh, it created a new session and isNew() is true... So, I never got to a point where it throws me to logout.jsp.

Is my understanding correct?

As I read, sessionlistener is a better approach to handle events associated with session life cycle. I will implement that and see how it works for me.

Thank you all.
William Brogden
Author and all-around good cowpoke
Rancher

Joined: Mar 22, 2000
Posts: 12760
    
    5
After 1 min, the session would have invalidated


That is NOT guaranteed - as I said before, you should not expect that after exactly one minute the session will be invalidated. The servlet container is allowed to invalidate the session when it gets around to it.

Bill
David Newton
Author
Rancher

Joined: Sep 29, 2008
Posts: 12617

If that servlet container is anything like me... that session's *never* going to be invalidated.
Doug Braidwood
Ranch Hand

Joined: Apr 04, 2010
Posts: 42
I'm just trying to understand the bit you are saying about being shown the logout page.

On my application you log in, a session is created and you can view your personal data. If you do not do anything, that is you do not send any further requests to the server, then after the session timeout your session will no longer be valid. In this case your personal data remains on the browser screen (the browser knows nothing about the timeout) until you click on a link or something and then a request reaches the server and the server says that the session is no longer valid.

It sounds like what you are wanting is the sort of situation like some online banks, where after a period of inactivity in the browser itself you are taken to a logout screen. If this is the case then I would have thought you need something running in the browser such as a javascript function to countdown.

Does that make sense? Invalidating the session on the web container will not affect the browser until it attempts to communicate with the container again.
Kumar Raja
Ranch Hand

Joined: Mar 18, 2010
Posts: 518
    
    2

David Newton wrote:If that servlet container is anything like me... that session's *never* going to be invalidated.


Hi David,

What I'm trying to achieve here is: if there is no activity from the client, then the session should be invalidated, and as Doug mentioned, maybe JavaScript would do that part. In some web applications, I have seen the application routing you back to the login page if your session is gone. I'm trying to implement the same. How can this be achieved?

@Doug,

Thanks for suggesting JavaScript, if I have to check the session validity from the browser. But as I mentioned, what I'm exactly looking for is to route the user back to the login page (I used logout page very loosely here). Ideally what I wanted is to route the user back to some point where he needs to start over, if he did not perform any action for a definite amount of time. I hope I have made my question clear now.
Kumar Raja
Ranch Hand

Joined: Mar 18, 2010
Posts: 518
    
    2

Or using the HttpSessionListener, the container would call sessionDestroyed() if the session is really timed out, and throw him back to the login page. But how do I get a RequestDispatcher in the sessionDestroyed() method? All I get is HttpSessionEvent.

Or, would the approach below be the right one?
1) Using a Timer in the servlet, and if the timer reaches a specific elapsed time, I call the invalidate() method on the session object and then, using the request dispatcher, I would route the user to the login page.
Doug Braidwood
Ranch Hand

Joined: Apr 04, 2010
Posts: 42
Kumar I think you are mixing up the two things. The http connection is stateless - the browser has no idea about the session objects etc. that are held on the container.
You are going along the right track when you set the timeout on the server. You need to do this, so that after one minute the session becomes invalid (I know some people have pointed out there is not a guarantee it will be in exactly one minute but in my experience it's always very close).

So on the web container side, all you need to do is set the session timeout to one minute. Try this first, wait for say 90 seconds and then refresh your browser. It should ask you to log in again, because the previous session has gone.

Once you have that working you need to look at doing something on the client side. I would suggest that involves sending back a javascript countdown. The countdown's only purpose is to wait the specified interval and then say refresh the page. Session invalidation will have been handled by the container, and the user will see the login screen again.
Kumar Raja
Ranch Hand

Joined: Mar 18, 2010
Posts: 518
    
    2

Doug Braidwood wrote:
So on the web container side, all you need to do is set the session timeout to one minute. Try this first, wait for say 90 seconds and then refresh your browser. It should ask you to log in again, because the previous session has gone.

Once you have that working you need to look at doing something on the client side. I would suggest that involves sending back a javascript countdown. The countdown's only purpose is to wait the specified interval and then say refresh the page. Session invalidation will have been handled by the container, and the user will see the login screen again.


Hi Doug,

Please help me understand how the container is going to route me to the login page after, say, 90 secs. Does it happen automatically? If not, how do we determine if the session really exists or not after 90 secs? I'm sorry for asking such naive questions, but I could not straighten this out.
David Newton
Author
Rancher

Joined: Sep 29, 2008
Posts: 12617

The container doesn't, the JavaScript (preferably Ajax, otherwise yuck) does.
Doug Braidwood
Ranch Hand

Joined: Apr 04, 2010
Posts: 42
Kumar, I think the first thing to do is get the session timeout working on the server.
For this you need to have the <login-config><auth-method> and the <session-config><session-timeout> elements setup in web.xml
When you have this setup you should find that the first time you request a secured page you need to login.
Then you see the page you wanted, and press f5 and it refreshes without you needing to re-enter authentication details.
Then if you wait at least the timeout interval (a minute) and press f5, now the session has timed out and you are requested for login details again.

This behaviour is fairly straightforward to setup in the container. Have you got this working?
Kumar Raja
Ranch Hand

Joined: Mar 18, 2010
Posts: 518
    
    2

Doug Braidwood wrote:Kumar, I think the first thing to do is get the session timeout working on the server.
For this you need to have the <login-config><auth-method> and the <session-config><session-timeout> elements setup in web.xml
When you have this setup you should find that the first time you request a secured page you need to login.
Then you see the page you wanted, and press f5 and it refreshes without you needing to re-enter authentication details.
Then if you wait at least the timeout interval (a minute) and press f5, now the session has timed out and you are requested for login details again.

This behaviour is fairly straightforward to setup in the container. Have you got this working?


Hi Doug,

I have not checked the thread for a couple of days. I will give your suggestion a try today and let you know how it worked for me.

Thanks
Amit Savani
Greenhorn

Joined: Mar 02, 2009
Posts: 17
Kumar Raja wrote:
HttpSession session=request.getSession();


Each time you request, the above code executes, which creates a new session every time. So to track if it has timed out or not, you can use the session listener mechanism as suggested by Doug Braidwood.


Regards
SCJP 1.4, SCBCD 5.0
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60774
    
  65

Amit Savani wrote:
Kumar Raja wrote: HttpSession session=request.getSession();


Each time you request, above code executes which creates new session every time.

That is not correct. You do not create a new session each time you make the call to obtain it.
David Newton
Author
Rancher

Joined: Sep 29, 2008
Posts: 12617

That's weird--I replied with the same thing and a link to the docs, but I don't see it here. Hrm.
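
An added example, not code from any poster in this thread: a servlet filter that tells a timed-out session apart from a first visit, the case discussed above where calling getSession() quietly creates a replacement session so the expired one is never noticed. The class name, the /login.jsp path and the "user" session attribute are assumptions; the imports are the javax.servlet API of the thread's era (jakarta.servlet on current containers).

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example. LOGIN_PAGE and USER_ATTR are hypothetical names.
public class SessionTimeoutFilter implements Filter {
    private static final String LOGIN_PAGE = "/login.jsp"; // assumed path
    private static final String USER_ATTR = "user";        // assumed: set at login

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;

        // Let the login page itself through, otherwise the redirect loops.
        String path = req.getRequestURI().substring(req.getContextPath().length());
        if (path.startsWith(LOGIN_PAGE)) {
            chain.doFilter(rq, rs);
            return;
        }

        // getSession(false) returns null instead of creating a session, so a
        // timed-out session is not silently replaced by a fresh, empty one.
        HttpSession session = req.getSession(false);

        // The browser presented a session id that the container no longer
        // holds: the session timed out or was invalidated.
        boolean expired = req.getRequestedSessionId() != null
                && !req.isRequestedSessionIdValid();

        if (session == null || session.getAttribute(USER_ATTR) == null) {
            String reason = expired ? "timeout" : "login";
            res.sendRedirect(req.getContextPath() + LOGIN_PAGE + "?reason=" + reason);
            return;
        }
        chain.doFilter(rq, rs); // live, authenticated session: continue
    }
}
```

The check runs only when a request arrives, so the browser still shows the old page until the user clicks or a client-side timer triggers a request, as described in the posts above.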