
session timeout filter

 
ravindranath
Hello,
I have a web application up and running with a lot of users. I never looked into session timing out and redirecting to the login page. So I did some research and implemented a simple filter where it checks for sessionId and redirects to the login page. I tested it out and for a single user/browser it works fine. Now I tried to open multiple browsers with same user/different user and I found out that the requestedSessionId value is always the same. Let's say I opened one browser, logged in, left it idle and opened a second browser, did the same thing and am doing some functions on the second browser. Now after session timeout for the first browser, I can still do stuff because I guess the session is renewed.
Can you guys advise me on this issue?

code used to check session in the filter:
private boolean isSessionInvalid(HttpServletRequest httpServletRequest) {
    boolean sessionInValid = (httpServletRequest.getRequestedSessionId() != null)
            && !httpServletRequest.isRequestedSessionIdValid();
    return sessionInValid;
}

Thanks in advance
Tag
 
Bear Bibeault
Checking the session itself for determining authentication is rife with problems. Don't do it that way.

Rather, put a value into the session and check for that.
 
ravindranath
Bear Bibeault wrote: Checking the session itself for determining authentication is rife with problems. Don't do it that way.

Rather, put a value into the session and check for that.


I looked into it but am not completely sure how to implement it or how it works. I tried to store user id and last accessed time in a session object. Every time a request comes in, I calculate the difference (current - lastAccess) in the filter class and if it is less than session timeout I send it to the action class, otherwise I redirect it to the timeout page. I tried to implement this concept but in the filter class when the session is timed out (which means the session object is not available) it never made it to this function and went directly to the action class. I guess I really didn't get the concept right. Can you please guide me through the process or point me to online resources?

Thanks
 
David Newton
Get the session. Check if the object you're using is in it. If it's not, redirect. If it is, the session is still valid.

You don't need to do anything with the last accessed time--the session will go away on its own.
 