session timeout filter

ravindranath
Greenhorn

Joined: Nov 07, 2004
Posts: 13
Hello,
I have a web application up and running with a lot of users. I never looked into session timing out and redirecting to the login page. So I did some research and implemented a simple filter where it checks for the sessionId and redirects to the login page. I tested it out and for a single user/browser it works fine. Now I tried to open multiple browsers with the same user/different users and I found out that the requestedSessionId value is always the same. Let's say I opened one browser, logged in, left it idle, then opened a second browser, did the same thing and am doing some functions in the second browser. Now after the session timeout for the first browser, I can still do stuff because I guess the session is renewed.
Can you guys advise me on this issue?

Code used to check the session in the filter:

    private boolean isSessionInvalid(HttpServletRequest httpServletRequest) {
        boolean sessionInValid = (httpServletRequest.getRequestedSessionId() != null)
                && !httpServletRequest.isRequestedSessionIdValid();
        return sessionInValid;
    }

Thanks in advance
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61064

Checking the session itself for determining authentication is rife with problems. Don't do it that way.

Rather, put a value into the session and check for that.


ravindranath
Greenhorn

Joined: Nov 07, 2004
Posts: 13
Bear Bibeault wrote: Checking the session itself for determining authentication is rife with problems. Don't do it that way.

Rather, put a value into the session and check for that.


I looked into it but I am not completely sure how to implement it or how it works. I tried to store the user id and last accessed time in a session object. Every time a request comes in, I calculate the difference (current - lastAccess) in the filter class, and if it is less than the session timeout I send it to the action class; otherwise I redirect it to the timeout page. I tried to implement this concept, but in the filter class, when the session is timed out (which means the session object is not available), it never made it to this function and went directly to the action class. I guess I really didn't get the concept right. Can you please guide me through the process or point me to online resources?

Thanks
David Newton
Author
Rancher

Joined: Sep 29, 2008
Posts: 12617

Get the session. Check if the object you're using is in it. If it's not, redirect. If it is, the session is still valid.

You don't need to do anything with the last accessed time--the session will go away on its own.
 