I believe the ID of this object stays the same whichever servlet or JSP the user is at.
Only true as long as the user stays within the same web application.
Joined: Apr 11, 2005
I'm still confused about dealing with sessions...
Suppose in web.xml we set the Session Timeout to say 10 mins, then if the user doesn't log out but closes the browser, their session will still exist for at most 10 minutes which is fine. I have it set up so the user can only log in once, so in this case, the user would have to wait till timeout before logging back in.
My concern is when the user doesn't log out or close the browser, but is away from the PC, triggering the session timeout.
My session listener removes attributes added to the session, so these will be removed.
So what if the user presses a button to take them to a servlet, requiring these session attributes, I don't know the correct way of dealing with this.
Perhaps somehow run a test in each JSP or servlet to see if there are any session attributes, indicating there's no session, so the user can be logged out, but this doesn't seem right to put this in each JSP or servlet.
What springs to mind are online banking and PayPal, where the user can no longer use the site if they are inactive for too long.
In your case, if the user leaves the computer to play some card game and returns after 11 minutes he will have to login again.
Thanks, but my issue is the webpage he was on before he went to play cards will still be there when he gets back.
And all the buttons etc. on that page will still be functional even though the session has been closed, so that pressing a button to go to a servlet would probably be a problem if there's no session, I'm not sure how to deal with this.
Once the user makes a request, you validate the user and set up everything he needs.
Let's suppose that you will need to check if the user has access to the button "Save". You will see if there is a valid user in the session, and in this method you check if in the cookie, the user is already validated. And your page will act as if the user never had his session "exploded".
If he leaves the PC and anybody touches it, there is no reason for the buttons to disappear.
Remove the comment from chain.doFilter(request, wrapper); and try it again! =D
Study a little bit about it! [=
OK, I commented that because 'wrapper' didn't exist, I've changed the code to...
This works fine when the user is authorized. But there's a problem when they aren't because my JSP page that ultimately invokes this Filter uses Ajax,
and what happens is instead of the index.jsp page being loaded, the index.jsp page ends up inside a row in the TABLE of the jsp page.
I think information sent to a servlet with Ajax is different than when using a normal form, because the Ajax wants to retrieve something from the servlet.
I'm not sure if there's a way round this, maybe I can't use the Filter, and just have to manually redirect the user to index.jsp (if not authorized) inside the servlet using sendRedirect / requestDispatcher.
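
An added example, not code from any poster in this thread: one way to keep the session check in a single Filter and still handle the Ajax case described above, by answering Ajax calls with a status code instead of a redirect. The class name `SessionCheckFilter`, the session attribute name `user`, and the reliance on the `X-Requested-With` header (which the page's own script must send) are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical filter. Map it in web.xml to the protected servlets and JSPs only,
// not to index.jsp, otherwise the redirect below loops.
public class SessionCheckFilter implements Filter {

    // Assumed name of the attribute the login code stores on success.
    private static final String USER_ATTR = "user";

    public void init(FilterConfig config) {}

    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false) never creates a session, so a timed-out user yields null
        // instead of a fresh, empty session that looks valid.
        HttpSession session = request.getSession(false);
        boolean loggedIn = session != null && session.getAttribute(USER_ATTR) != null;
        if (loggedIn) {
            chain.doFilter(request, response);
            return;
        }

        // Assumption: the page's script sets this header on its Ajax calls.
        boolean ajax = "XMLHttpRequest".equals(request.getHeader("X-Requested-With"));
        if (ajax) {
            // A redirect would be followed inside the XMLHttpRequest and the login
            // page's HTML would be written into the table row. Send a status instead.
            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        } else {
            response.sendRedirect(request.getContextPath() + "/index.jsp");
        }
    }
}
```

The Ajax callback then checks for status 401 and navigates the whole window to index.jsp itself, rather than inserting the response body into the page.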