Redirect to login page on session timeout

Thyagarajan Ramanujam
Greenhorn

Joined: Mar 24, 2008
Posts: 25
Hi,

I would like to redirect to the login page on session timeout. I looked at HttpSessionListener but I could not find anything which does this. I looked at some examples which say to check in the servlet whether the session is new or not. This can be checked only when the user clicks a link or a button. But in my case, after some period of inactivity, it should automatically be redirected to the login page.

Any help is appreciated.
Rob Spoor
Sheriff

Joined: Oct 27, 2005
Posts: 19543
    

We've had a thread about this a short while ago: http://www.coderanch.com/t/566179/Servlets/java/Session-time-out-notification
I quote myself from that thread:
I definitely wouldn't want a real-time session invalidation to do anything to my current browser contents. Imagine I log in, start reading a long piece of text, and after a while, while I'm still reading, all of a sudden my browser navigates to this error message page because the session is invalidated. That would be the last time I visited your site.

Still, it would be possible, by having some keep-alive timer in JavaScript that uses AJAX to query some servlet / JSP that will tell whether or not the session is invalidated. But like I said, if you'd do that you will lose a lot of users.


Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60053
    

Actually any Ajax solution would not work as the act of making any request resets the session timer.

As has been pointed out many times in other discussions, all you can do is guess on the client.


Rob Spoor
Sheriff

Joined: Oct 27, 2005
Posts: 19543
    

Bear Bibeault wrote: Actually any Ajax solution would not work as the act of making any request resets the session timer.

Didn't even think about that.
Victor M. Pereira
Ranch Hand

Joined: Mar 02, 2012
Posts: 50
But doesn't the HttpSessionListener have a sessionDestroyed method? Can't you implement that one to redirect the user to the error page?

And even if you use getSession(false) to ask if a session is alive, can you apply it like a filter that throws him out if it isn't?

Seeing it as a developer I would think of resource optimization, but as a user I would get annoyed. Unless it is a 20-minute exam or some limited-time poll.


regards,
Victor M. Pereira
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60053
    

Victor M. Pereira wrote: But doesn't the HttpSessionListener have a sessionDestroyed method? Can't you implement that one to redirect the user to the error page?

How? There's no request and no response. How are you going to get a connection to the user's system? How do you know that they aren't watching YouTube videos of the Cinnamon Challenge? Or breaking up with their girlfriend or boyfriend on Facebook?
Saurabh Pillai
Ranch Hand

Joined: Sep 12, 2008
Posts: 498
Victor M. Pereira wrote: But doesn't the HttpSessionListener have a sessionDestroyed method? Can't you implement that one to redirect the user to the error page?

OK, so you know the session has expired, now what? There is no way to *contact* that user back (unless you want to get the phone number and call them ;-)). HTTP is a stateless protocol.

Most people use JavaScript for redirecting to the login page. That is also not a 100% foolproof solution, as it won't work if the website is open across multiple browser tabs.
Victor M. Pereira
Ranch Hand

Joined: Mar 02, 2012
Posts: 50
Nope, you're right, the only way would be having a filter and checking if your session isAlive and then sending the correct page depending on the answer.

And the JavaScript would only work if it's multiple tabs on the same browser, since the jsession would be the same for all tabs. However, as Bear Bibeault pointed out, the Ajax would reset the session timer. And just setting the timeout whether it's active or not is unacceptable.
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60053
    

Victor M. Pereira wrote: Nope, you're right, the only way would be having a filter and checking if your session isAlive and then sending the correct page depending on the answer.

Checking for the session "aliveness" is folly. There could very well be another session that has nothing to do with the first. Rather, check for an object that you placed in the session.