Hello,
I have a web application up and running with a lot of users. I never looked into sessions timing out and redirecting to the login page. So I did some research and implemented a simple filter where it checks for the sessionId and redirects to the login page. I tested it out and for a single user/browser it works fine. Now I tried to open multiple browsers with the same user/different users and I found out that the requestedSessionId value is always the same. Let's say I opened one browser, logged in, left it idle, and opened a second browser, did the same thing and am doing some functions in the second browser. Now after the session times out for the first browser, I can still do stuff because I guess the session is renewed.
Can you guys advise me on this issue?
Code used to check the session in the filter:

import javax.servlet.http.HttpServletRequest;

private boolean isSessionInvalid(HttpServletRequest httpServletRequest) {
    // true only when the client sent a session id that the container no longer recognises
    boolean sessionInValid = (httpServletRequest.getRequestedSessionId() != null)
            && !httpServletRequest.isRequestedSessionIdValid();
    return sessionInValid;
}
Bear Bibeault wrote: Checking the session itself for determining authentication is rife with problems. Don't do it that way.
Rather, put a value into the session and check for that.
I looked into it but I'm not completely sure how to implement it / how it works. I tried to store the user id and last accessed time in a session object. Every time a request comes in, I calculate the difference (current - lastAccess) in the filter class and if it is less than the session timeout I send it to the action class, otherwise I redirect it to the timeout page. I tried to implement this concept, but in the filter class when the session is timed out (which means the session object is not available) it never made it to this function and went directly to the action class. I guess I really didn't get the concept right. Can you please guide me through the process or point me to online resources?
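The approach Bear describes, as an added example written for this thread (not code from either poster): the login action stores a user id in the session and the filter only checks for that attribute. The attribute name, login page path and the markLoggedIn helper are assumptions; the filter mapping must exclude the login page itself.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical filter: the authenticated user id lives in a session attribute
// set at login. Idle-time tracking is left to the servlet container, so there is
// no need to compare timestamps by hand in the filter.
public class AuthenticationFilter implements Filter {
    public static final String USER_ATTR = "authenticatedUserId"; // assumed attribute name
    private static final String LOGIN_PAGE = "/login.jsp";        // assumed login page path

    // Called from the login action once credentials are verified (hypothetical helper).
    public static void markLoggedIn(HttpServletRequest request, String userId, int timeoutSeconds) {
        HttpSession old = request.getSession(false);
        if (old != null) { old.invalidate(); }          // drop the pre-login session id
        HttpSession session = request.getSession(true);   // fresh id for the authenticated user
        session.setAttribute(USER_ATTR, userId);
        session.setMaxInactiveInterval(timeoutSeconds);   // container expires the session when idle
    }

    public void init(FilterConfig config) throws ServletException { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false) never creates a session: after a timeout it returns null,
        // and a session without the attribute has simply never logged in.
        HttpSession session = request.getSession(false);
        boolean loggedIn = session != null && session.getAttribute(USER_ATTR) != null;

        if (!loggedIn) {
            // Expired or never-authenticated session: send the browser to the login page.
            response.sendRedirect(request.getContextPath() + LOGIN_PAGE);
            return;
        }
        chain.doFilter(req, res);
    }

    public void destroy() { }
}
```

Because each browser carries its own session cookie, every browser is checked against its own session here; one browser staying active does not keep another one logged in.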