Session Advice

colin shuker
Ranch Hand

Joined: Apr 11, 2005
Posts: 744
Hi, I'm not sure the best way to handle this...

When a user loads a web page in the web app, a session object is created,
I believe the ID of this object stays the same whichever servlet or jsp the user is at.

Supposing the user presses a LOG OUT button, then we could call session.close(),
and a SessionListener could invoke sessionDestroyed() to tidy up.

But what if the user just closes the browser, this doesn't seem to close the session.

Also I noticed if the user then opens the browser and goes back to the web app, the session ID
is still the same as when they left.

In the context I keep track of who is logged in, so if users just close browser, they will still be logged in,
and therefore won't be able to log in again.


I guess this is a common problem, are there any solutions? Thanks
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61447
    

You just have to wait for the session to timeout, so set the timeout value to something you can live with.


Vikas Kapoor
Ranch Hand

Joined: Aug 16, 2007
Posts: 1374
colin shuker wrote: But what if the user just closes the browser, this doesn't seem to close the session.

May not be right away. But the server would definitely close the session after the session timeout period. It is the time that you set in web.xml.

colin shuker wrote: Also I noticed if the user then opens the browser and goes back to the web app, the session ID is still the same as when they left.

Because the session has not yet timed out on the server.

colin shuker wrote: In the context I keep track of who is logged in, so if users just close browser, they will still be logged in, and therefore won't be able to log in again.

Nope, they would be able to log in after their session times out.

Remember one thing: no matter what happens on the client side (browser), the session would expire after the timeout period if there is no activity (request to the server from that client).
William Brogden
Author and all-around good cowpoke
Rancher

Joined: Mar 22, 2000
Posts: 12809
    
colin shuker wrote: I believe the ID of this object stays the same which ever servlet or jsp the user is at.


Only true as long as the user stays within the same web application.

Bill
colin shuker
Ranch Hand

Joined: Apr 11, 2005
Posts: 744
I'm still confused about dealing with sessions...

Suppose in web.xml we set the Session Timeout to say 10 mins, then if the user doesn't log out but closes the browser, their session will still exist for at most 10 minutes which is fine. I have it set up so the user can only log in once, so in this case, the user would have to wait till timeout before logging back in.

My concern is when the user doesn't log out or close the browser, but is away from the pc, triggering the session timeout.
My session listener removes attributes added to the session, so these will be removed.
So what if the user presses a button to take them to a servlet, requiring these session attributes, I don't know the correct way of dealing with this.

Perhaps somehow run a test in each jsp or servlet to see if there are any session attributes, indicating there's no session, so the user can be logged out, but this doesn't seem right to put this in each jsp or servlet.


What springs to mind are online banking and paypal, where the user can no longer use the site if they are inactive for too long.

Can anyone advise on how to handle this, thanks.

Hebert Coelho
Ranch Hand

Joined: Jul 14, 2010
Posts: 754

In your case, if the user leaves the computer to play some card game and returns after 11 minutes he will have to log in again.

You might use cookies and save some data there. It will be just like that "remember me" checkbox you see in some login pages. It can store data like isValidate=true and then you can recover that. BUT, the user must enable his cookies.


colin shuker
Ranch Hand

Joined: Apr 11, 2005
Posts: 744
Thanks, but my issue is the webpage he was on before he went to play cards will still be there when he gets back.

And all the buttons etc. on that page will still be functional even though the session has been closed, so that pressing a button to go to a servlet would probably be a problem if there's no session, I'm not sure how to deal with this.

Thanks
Hebert Coelho
Ranch Hand

Joined: Jul 14, 2010
Posts: 754

Once the user makes a request, you validate the user and set up everything he needs.
Let's suppose that you will need to check if the user has access to the button "Save". You will see if there is a valid user in the session, and in this method you check if, in the cookie, the user is already validated. And your page will act as if the user never had his session "exploded".

If he leaves the PC and anybody touches it, there is no reason for the buttons to disappear.
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61447
    

Use a filter to check for valid credentials. Whenever there are no credentials in the session, forward or redirect to the login.
colin shuker
Ranch Hand

Joined: Apr 11, 2005
Posts: 744
Ok, I haven't used filters before, I just put one in to test....


And set the deployment descriptor accordingly, with a ServletMapping to LoginServlet.

When I try to access LoginServlet, I can see the filter has been executed as the text in the code above gets written to the console,
but the screen is white, the LoginServlet is not executed.

Do I need to use request.getRequestDispatcher(...); at the end of the doFilter method? Thanks
Hebert Coelho
Ranch Hand

Joined: Jul 14, 2010
Posts: 754

Remove the comment from chain.doFilter(request, wrapper); and try it again! =D

Study a little bit about it! [=
colin shuker
Ranch Hand

Joined: Apr 11, 2005
Posts: 744
ok, I commented that cause 'wrapper' didn't exist, I've changed the code to...


This works fine when the user is authorized. But there's a problem when they aren't, 'cause my jsp page that ultimately invokes this Filter uses ajax,
and what happens is instead of the index.jsp page being loaded, the index.jsp page ends up inside a row in the TABLE of the jsp page.

I think information sent to a servlet with ajax is different than when using a normal form, 'cause the ajax wants to retrieve something from the servlet.

I'm not sure if there's a way round this, maybe I can't use the Filter, and just have to manually redirect the user to index.jsp (if not authorized) inside the servlet using sendRedirect / requestDispatcher.

Any thoughts? Thanks

Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61447
    

colin shuker wrote: I think information sent to a servlet with ajax is different than when using a normal form

You think incorrectly. A request made with Ajax is the same as any other request. The purpose of the request may be different, but the request itself is the same.

When using Ajax, the filter can return an error that the client can check for and redirect to the login page if the authentication has expired.
colin shuker
Ranch Hand

Joined: Apr 11, 2005
Posts: 744
Thanks, but I don't get how the filter can return an error.
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61447
    

response.sendError()
colin shuker
Ranch Hand

Joined: Apr 11, 2005
Posts: 744
Doesn't work 'cause the response parameter is ServletResponse, not HttpServletResponse.

I tried casting it to HttpServletResponse, but nothing seems to happen when filter gets run.
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61447
    

Then debug it.
colin shuker
Ranch Hand

Joined: Apr 11, 2005
Posts: 744
Can't debug it 'cause I don't know what's supposed to happen. I'll do it without filters
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61447
    

Just throwing your hands up in the air doesn't get anyone anywhere.

Filters or not are moot. A response is a response.

Have you inspected the response that's returned? Have you verified that it contains an error code? It's easy to check for this error code when using Ajax.
colin shuker
Ranch Hand

Joined: Apr 11, 2005
Posts: 744
Here's the doFilter code


Once the session times out, and I press the button on the ajaxpage.jsp, all that happens is NOT AUTHORISED is outputted.
There is no change in the browser at all.

Using the requestDispatcher code that's commented out, this would return one long string of all the html in index.jsp into the ajaxpage.jsp page. So I dunno what to do here.
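
The filter approach suggested in this thread (check the session for credentials, redirect ordinary requests to the login page, and answer Ajax requests with an error status via response.sendError()) can be sketched as follows. This is an added example, not code posted by anyone in the thread. The class name AuthFilter, the session attribute name "user" and the reliance on the X-Requested-With header are assumptions; index.jsp is the login page named in the thread.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example. Map this filter to the protected URLs in web.xml,
// not to the login page itself, or the redirect below will loop.
public class AuthFilter implements Filter {

    // Assumed name of the session attribute the login servlet sets on success.
    private static final String USER_ATTR = "user";

    @Override
    public void init(FilterConfig config) {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Filters receive the generic types; the HTTP-specific methods need a cast.
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false): never create a fresh session just to test for a login.
        HttpSession session = request.getSession(false);
        boolean loggedIn = session != null && session.getAttribute(USER_ATTR) != null;

        if (loggedIn) {
            chain.doFilter(request, response); // without this call the target never runs
            return;
        }

        // Assumption: the page's Ajax code sends this header (jQuery and most
        // Ajax libraries do; hand-written XMLHttpRequest code must set it).
        boolean ajax = "XMLHttpRequest".equals(request.getHeader("X-Requested-With"));
        if (ajax) {
            // The browser does nothing visible with a 401 on an Ajax call; the
            // page's callback must check the status and set window.location
            // to the login page instead of inserting the response body.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        } else {
            response.sendRedirect(request.getContextPath() + "/index.jsp");
        }
    }

    @Override
    public void destroy() {}
}
```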
 