
Point to custom session-expired page

David Sheltby
Ranch Hand

Joined: Oct 19, 2011
Posts: 34
Hi,

I'm using Tomcat's out-of-the-box authentication and as such I define a login-config and form-login-page in my web.xml. Is there a way to configure which page a user is redirected to when a session expires? By default, it's the form-login-page, however I would like to inform the user that the session has expired.

thanks
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 15958

Tomcat doesn't "point" to a login page. You cannot invoke the login page via a URL request of that page (the page will display, but the login logic isn't attached to it).

One of the most common ways to defeat Do-It-Yourself security systems is to issue a direct URL request for something that honest people would only be accessing after logging in. J2EE container-managed security frustrates that exploit by automatically intercepting any URL request that accesses a protected URL.

The protected request isn't discarded, however. Once the user has logged in, the original request continues with no knowledge that a login had just occurred or that a login page had ever been displayed.

You cannot display a "you're about to time out" webpage, since HTTP doesn't allow unsolicited sending of data. You cannot display a "session timed out" page because that's not how security is handled, as explained above. You might be able to put a message on the login page, but I'm not really sure.

What most sites do instead is maintain a client-side timer in JavaScript. When time counts down, they pop up a warning dialog. The script that pops up the warning dialog could, if desired, send an AJAX request to tickle the session and keep it alive (don't forget to restart the counter!).


Customer surveys are for companies who didn't pay proper attention to begin with.
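
The client-side timer described in the reply above, sketched as an added example that is not part of the original thread. The timeout values, the `/app/keepalive` URL, its 204 response and the UI hook names are assumptions chosen for illustration.

```javascript
// Added example, not from the thread. Timeout values and the keep-alive URL
// are placeholders; the server-side session timeout stays authoritative.
function createSessionTimer({ timeoutMs, warnLeadMs, now = Date.now, onWarn, onExpire }) {
  let deadline = now() + timeoutMs; // when the server is expected to drop the session
  let state = 'active';             // active -> warning -> expired

  // Call periodically (e.g. from setInterval) to advance the state machine.
  function tick() {
    if (state === 'expired') return state;
    const remaining = deadline - now();
    if (remaining <= 0) {
      state = 'expired';
      onExpire();                   // e.g. show a "session expired" notice
    } else if (remaining <= warnLeadMs && state === 'active') {
      state = 'warning';
      onWarn(remaining);            // e.g. open a "stay signed in?" dialog
    }
    return state;
  }

  // Restart the counter, but only after the server has confirmed the
  // keep-alive. An expired timer is never revived: the user logs in again.
  function restart() {
    if (tick() === 'expired') return false;
    deadline = now() + timeoutMs;
    state = 'active';
    return true;
  }

  return { tick, restart };
}

// Browser wiring (hypothetical endpoint and UI hooks). The endpoint is assumed
// to answer 204; checking for that exact status matters because the container
// serves the login page in place of a protected URL once the session is gone,
// and that page must not be counted as a successful keep-alive.
// const timer = createSessionTimer({
//   timeoutMs: 29 * 60 * 1000, warnLeadMs: 2 * 60 * 1000,
//   onWarn: () => warnDialog.showModal(),
//   onExpire: () => { notice.hidden = false; },
// });
// setInterval(timer.tick, 1000);
// stayButton.onclick = () =>
//   fetch('/app/keepalive', { credentials: 'same-origin' })
//     .then(r => { if (r.status === 204) timer.restart(); });
```

Sending the keep-alive only when the user clicks, rather than on a background interval, keeps the idle timeout meaningful for an unattended browser.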
 