
Session Advice

 
colin shuker
Ranch Hand
Posts: 750
Hi, I'm not sure the best way to handle this...

When a user loads a web page in the web app, a session object is created,
I believe the ID of this object stays the same whichever servlet or jsp the user is at.

Supposing the user presses a LOG OUT button, then we could call session.close(),
and a SessionListener could invoke sessionDestroyed() to tidy up.

But what if the user just closes the browser? This doesn't seem to close the session.

Also I noticed if the user then opens the browser and goes back to the web app, the session ID
is still the same as when they left.

In the context I keep track of who is logged in, so if users just close the browser, they will still be logged in,
and therefore won't be able to log in again.


I guess this is a common problem. Are there any solutions? Thanks
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 64719
You just have to wait for the session to time out, so set the timeout value to something you can live with.
 
Vikas Kapoor
Ranch Hand
Posts: 1374
"But what if the user just closes the browser, this doesn't seem to close the session."

It may not be right away, but the server would definitely close the session after the session timeout period. It is the time that you set in web.xml.

"Also I noticed if the user then opens the browser and goes back to the web app, the session ID is still the same as when they left."

Because the session has not yet timed out on the server.

"In the context I keep track of who is logged in, so if users just close browser, they will still be logged in, and therefore won't be able to log in again."

Nope, they would be able to log in after their session times out.

Remember one thing: no matter what happens on the client side (browser), the session would expire after the timeout period if there is no activity (request to the server from that client).
 
William Brogden
Author and all-around good cowpoke
Rancher
Posts: 13058
"I believe the ID of this object stays the same which ever servlet or jsp the user is at."

Only true as long as the user stays within the same web application.

Bill
 
colin shuker
Ranch Hand
Posts: 750
I'm still confused about dealing with sessions...

Suppose in web.xml we set the Session Timeout to say 10 mins, then if the user doesn't log out but closes the browser, their session will still exist for at most 10 minutes, which is fine. I have it set up so the user can only log in once, so in this case, the user would have to wait till timeout before logging back in.

My concern is when the user doesn't log out or close the browser, but is away from the PC, triggering the session timeout.
My session listener removes attributes added to the session, so these will be removed.
So what if the user presses a button to take them to a servlet requiring these session attributes? I don't know the correct way of dealing with this.

Perhaps somehow run a test in each jsp or servlet to see if there are any session attributes, indicating there's no session, so the user can be logged out, but this doesn't seem right to put this in each jsp or servlet.


What springs to mind are online banking and PayPal, where the user can no longer use the site if they are inactive for too long.

Can anyone advise on how to handle this, thanks.

 
Hebert Coelho
Ranch Hand
Posts: 754
In your case, if the user leaves the computer to play some card game and returns after 11 minutes he will have to log in again.

You might use cookies and save some data there. It will be just like that "remember me" checkbox you see in some login pages. It can store data like isValidate=true and then you can recover that. BUT, the user must enable their cookies.
 
colin shuker
Ranch Hand
Posts: 750
Thanks, but my issue is the webpage he was on before he went to play cards will still be there when he gets back.

And all the buttons etc. on that page will still be functional even though the session has been closed, so that pressing a button to go to a servlet would probably be a problem if there's no session, I'm not sure how to deal with this.

Thanks
 
Hebert Coelho
Ranch Hand
Posts: 754
Once the user makes a request, you validate the user and set up everything he needs.
Let's suppose that you will need to check if the user has access to the button "Save". You will see if there is a valid user in the session, and in this method you check if, in the cookie, the user is already validated. And your page will act as if the user never had his session "exploded".

If he leaves the PC and anybody touches it, there is no reason for the buttons to disappear.
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 64719
Use a filter to check for valid credentials. Whenever there are no credentials in the session, forward or redirect to the login.
 
colin shuker
Ranch Hand
Posts: 750
Ok, I haven't used filters before, I just put one in to test....


And set the deployment descriptor accordingly, with a ServletMapping to LoginServlet.

When I try to access LoginServlet, I can see the filter has been executed as the text in the code above gets written to the console,
But the screen is white, the LoginServlet is not executed.

Do I need to use request.getRequestDispatcher(...); at the end of the doFilter method? Thanks
 
Hebert Coelho
Ranch Hand
Posts: 754
Remove the comment from chain.doFilter(request, wrapper); and try it again! =D

Study a little bit about it! [=
 
colin shuker
Ranch Hand
Posts: 750
ok, I commented that cause 'wrapper' didn't exist, I've changed the code to...


This works fine when the user is authorized. But there's a problem when they aren't, cause my jsp page that ultimately invokes this Filter uses ajax,
and what happens is instead of the index.jsp page being loaded, the index.jsp page ends up inside a row in the TABLE of the jsp page.

I think information sent to a servlet with ajax is different than when using a normal form, cause the ajax wants to retrieve something from the servlet.

I'm not sure if there's a way round this, maybe I can't use the Filter, and just have to manually redirect the user to index.jsp (if not authorized) inside the servlet using sendRedirect / requestDispatcher.

Any thoughts? Thanks

 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 64719
colin shuker wrote: I think information sent to a servlet with ajax is different than when using a normal form

You think incorrectly. A request made with Ajax is the same as any other request. The purpose of the request may be different, but the request itself is the same.

When using Ajax, the filter can return an error that the client can check for and redirect to the login page if the authentication has expired.
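
Added example, not part of the thread and not any poster's code: one way to write the filter suggested in the replies above ("use a filter to check for valid credentials" and "the filter can return an error"), so that ordinary requests without a login are redirected while Ajax requests receive an error status. The `user` session attribute, the `/LoginServlet` mapping and the `X-Requested-With` header test are assumptions; `index.jsp` is the login page named in the thread. The decision rests only on server-side session state.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.List;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example, not code from the thread.
public class AuthFilter implements Filter {
    private static final String USER_ATTR = "user";   // assumption: set by the login servlet
    private static final String LOGIN_PAGE = "/index.jsp";
    // Paths that must stay reachable without a login (servlet mapping is an assumption)
    private static final List<String> PUBLIC = Arrays.asList(LOGIN_PAGE, "/LoginServlet");

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false): do not create a new session just to look for a login
        HttpSession session = request.getSession(false);
        boolean loggedIn = session != null && session.getAttribute(USER_ATTR) != null;

        if (loggedIn || PUBLIC.contains(request.getServletPath())) {
            chain.doFilter(request, response);   // hand the request on to the servlet or JSP
            return;
        }

        // Assumption: the page's script sends this header (many Ajax libraries do)
        boolean ajax = "XMLHttpRequest".equals(request.getHeader("X-Requested-With"));
        if (ajax) {
            // The script sees status 401 and navigates to the login page itself,
            // instead of inserting login-page HTML into the current page
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Session expired");
        } else {
            response.sendRedirect(request.getContextPath() + LOGIN_PAGE);
        }
        // chain.doFilter is deliberately not called: the protected resource never runs
    }

    @Override
    public void destroy() { }
}
```

On the client, the Ajax callback has to test the response status for 401 and set the window location to the login page; the browser does nothing visible with the error on its own.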
 
colin shuker
Ranch Hand
Posts: 750
Thanks, but I don't get how the filter can return an error.
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 64719
response.sendError()
 
colin shuker
Ranch Hand
Posts: 750
Doesn't work cause the response parameter is ServletResponse, not HttpServletResponse.

I tried casting it to HttpServletResponse, but nothing seems to happen when filter gets run.
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 64719
Then debug it.
 
colin shuker
Ranch Hand
Posts: 750
Can't debug it cause I don't know what's supposed to happen. I'll do it without filters
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 64719
Just throwing your hands up in the air doesn't get anyone anywhere.

Filters or not are moot. A response is a response.

Have you inspected the response that's returned? Have you verified that it contains an error code? It's easy to check for this error code when using Ajax.
 
colin shuker
Ranch Hand
Posts: 750
Here's the doFilter code


Once the session times out, and I press the button on the ajaxpage.jsp, all that happens is NOT AUTHORISED is outputted.
There is no change in the browser at all.

Using the requestDispatcher code that's commented out, this would return one long string of all the html in index.jsp into the ajaxpage.jsp
page. So I dunno what to do here.
 