I am new to JSF and I am working on handling session timeout for a JSF application.
I am trying to get the code to work for ajax calls and not able to achieve that so far. I have tried two approaches:
Approach 1: SessionListener (for cleanup work) and SessionFilter (for filtering every request and checking if session timed out)
My Code snippet of doFilter() of SessionFilter:
Both these approaches work for non-ajax POST calls but not for ajax calls. When I run my app in debug mode, I can step through all the statements for ajax calls also, which gives me an idea that the control does come to my code, executes it but for some reason, nothing happens on the UI.
I have been trying to redirect user to a timeout page but the ideal thing would be to display a JSF dialog and upon hitting 'OK' take user to Home Screen (My app does not have a login screen.)
I can provide more details if needed.
I have a basic questions also, is view expiring exactly same as session timeout?
Any help would be much appreciated, thanks,
AJAX calls reset the session timeout, so you can't poll the server to see if the session is about to timeout - the act of polling inherently means that it won't.
A VIewExpiredException is a JSF internal thing separate from the normal J2EE session timeout.
About the closest you can get is to run a countdown timer on the client side that gets reset whenever the page is refreshed or an AJAX request is about to be made.
An IDE is no substitute for an Intelligent Developer.
Joined: Oct 28, 2007
I found some utility library online built on top of JSF which redirects the user to the error page declared in my deployment descriptor even for ajax calls (not sure if I can name that library here), which solves my purpose for now... but I guess I will get back to this problem later.
Although, I have one thought to put on the table..
The redirection to timeout screen can be done either via handling ViewExpiredException or in plain old Filter class, so, wouldn't it be better to stop an unauthenticated user right at the filter.. before the request even makes it where ViewExpiredException is thrown. I don't want unauthenticated user to go that far.. makes sense?
You should not use ViewExpiredException as a security mechanism. The authoritative basis for security is the HttpSession, not the JSF View. A View can expire while potentially leaving vulnerable information still in the HttpSession.
If you use the container-managed security system that comes with your application server (it's defined as part of the J2EE spec), you'll be able to manage security without a lot of kludging and it will be much more secure than a user-designed login system.
Joined: Oct 28, 2007
hmm.. what you said made perfect sense.. I did read up on security part of J2EE spec some time back and agree that is best way to handle authentication.. I guess I was too much into JSF and View Expiring mindset to skip that part.
But what you said made me think this..
I have noticed (in my debugging) that the UI view expires when session is expired and I have been testing this by changing my session timeouts in DD. So, that leaves me wondering.. what decides when a View is expired? Can it be configured in the application like session? Is it a true statement that when the value(s)/data (displayed on my view) changes on the server is when ViewExpiredException is thrown?
(I am fairly new at JSF so pardon me if my questions are too naive.. I have a feeling I need to read up on JSF spec for a better understanding but your explanations are helping Tim)
You can use java script for achieving this issue. You can set a timer and when the time is up redirect user to the logout. The java script code is placed in .xhtml document but if you use a .js file you can paste the code in it.
Important code lines and explanations 1.
With this code line we check the logged user info in rendered xhtml. So we sure that user logged in and ready for count down.
With this code line we restart count down again with any ajax request. Becouse in each server request the server side session time is restarted.
At the end of the count down, we redirect current page to the exit page.
If the user clicks yes button to get extra time we send an ajax request using command button and close the additional time dialog. So with this request server side session time will be restarted.
If the user clicks no button, we simply redirect user to the exit page (loggedout.xhtml).
This is a potential security exploit, however. A malicious user could modify the "keep alive" mechanism to keep the user login active when the user thinks that the session has expired. Which is true of anything that does AJAX requests periodically, but it's easier to hide if the app is expected to keep tickling the server.
In fact, if I read this correctly, it extends the window of vulnerability one more session-unit that would otherwise be available.
It also assumes you're using PrimeFaces. For better or worse, many of us are not.