Correct way to check Session timeout?

Can anyone help with this?

I want to be able to

1. detect when the session has timed out & force the users back to the home page?

2. (this is the hard one!) prevent users from bookmarking pages (i.e actions) & trying to gain access to the application using these bookmarks without going through the main page first?

many thanks for any help!

cheers

harry

You will not be able to keep people from bookmarking pages. Unless you never refresh the url from the login url. You should assign a filter to the secure section and check the session to see if the user is logged in. If not, send to login page. Check session like this:

In login page, upon login:

request.getSession().setAttribute("loggedIn", new Boolean(true));

In filter

Boolean loggedIn = (Boolean)request.getSession().getAttribute("loggedIn");
if( loggedIn != null || !loggedIn.booleanValue() ) {
response.sendRedirect( "/login.do" );
return;
}

Be sure to return from filter instead of using the normal chain.doFilter method. This will make it not matter if they bookmark or not, as they will be redirected to login.
[ August 09, 2005: Message edited by: Kerry Wilson ]

Part 2 can be solved by using tokens in the Actions that require entry first through the main page. When a user bookmarks a page, the token is not saved with the url.

thanks for your answers chaps!

Marc, can you elaborate a bit on these tokens for me please? - would you happen to have any sample code you could post here?

sorry to sound a bit thick!

many thanks

harry

Action javadoc

You'll primarily use saveToken() and isTokenValid().