File APIs for Java Developers
Manipulate DOC, XLS, PPT, PDF and many others from your application.
The moose likes Tomcat and the fly likes Point to custom session-expired page Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login
JavaRanch » Java Forums » Products » Tomcat
Bookmark "Point to custom session-expired page" Watch "Point to custom session-expired page" New topic

Point to custom session-expired page

David Sheltby
Ranch Hand

Joined: Oct 19, 2011
Posts: 34

I'm using Tomcat's out-of-the-box authentication and as such I define a login-config and form-login-page in my web.xml. Is there a way to configure which page a user is redirected to when a session expires? By default, its the form-login-page, however I would like to inform the user that the session has expired.

Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 17410

Tomcat doesn't "point" to a login page. You cannot invoke the login page via a URL request of that page (the page will display, but the login logic isn't attached to it).

One of the most common ways to defeat Do-It-Yourself security systems is to issue a direct URL request for something that honest people would only be accessing after logging in. J2EE container-managed security frustrates that exploit by automatically intercepting any URL request that accesses a protected URL.

The protected request isn't discarded, however. Once the user has logged in, the original request continues with no knowledge that a login had just occurred or that a login page had ever been displayed.

You cannot display a "you're about to timeout" webpage, since HTTP doesn't allow unsolicited sending of data. You cannot display a "session timed out" page because that's not how security is handled, as explained above. You might be able to put a message on the login page, but I'm not really sure.

What most sites do instead is maintain a client-side timer in JavaScript. When time counts down, they pop up a warning dialog. The script that pops up the warning dialog could, if desired, send an AJAX request to tickle the session and keep it alive (don't forget to restart the counter!).

An IDE is no substitute for an Intelligent Developer.
I agree. Here's the link:
subject: Point to custom session-expired page
It's not a secret anymore!