I am new to JSF and I am working on handling session timeout for a JSF application.
I am trying to get the code to work for ajax calls and have not been able to achieve that so far. I have tried two approaches:
Approach 1: SessionListener (for cleanup work) and SessionFilter (for filtering every request and checking if session timed out)
My Code snippet of doFilter() of SessionFilter:
Both these approaches work for non-ajax POST calls but not for ajax calls. When I run my app in debug mode, I can step through all the statements for ajax calls also, which gives me an idea that the control does come to my code, executes it but for some reason, nothing happens on the UI.
I have been trying to redirect user to a timeout page but the ideal thing would be to display a JSF dialog and upon hitting 'OK' take user to Home Screen (My app does not have a login screen.)
I can provide more details if needed.
I also have a basic question: is view expiring exactly the same as session timeout?
Any help would be much appreciated, thanks,
AJAX calls reset the session timeout, so you can't poll the server to see if the session is about to time out - the act of polling inherently means that it won't.
A ViewExpiredException is a JSF internal thing separate from the normal J2EE session timeout.
About the closest you can get is to run a countdown timer on the client side that gets reset whenever the page is refreshed or an AJAX request is about to be made.
Customer surveys are for companies who didn't pay proper attention to begin with.
Joined: Oct 28, 2007
I found some utility library online built on top of JSF which redirects the user to the error page declared in my deployment descriptor even for ajax calls (not sure if I can name that library here), which solves my purpose for now... but I guess I will get back to this problem later.
Although, I have one thought to put on the table..
The redirection to timeout screen can be done either via handling ViewExpiredException or in plain old Filter class, so, wouldn't it be better to stop an unauthenticated user right at the filter.. before the request even makes it where ViewExpiredException is thrown. I don't want unauthenticated user to go that far.. makes sense?
You should not use ViewExpiredException as a security mechanism. The authoritative basis for security is the HttpSession, not the JSF View. A View can expire while potentially leaving vulnerable information still in the HttpSession.
If you use the container-managed security system that comes with your application server (it's defined as part of the J2EE spec), you'll be able to manage security without a lot of kludging and it will be much more secure than a user-designed login system.
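An added example, not code from any poster in this thread: a servlet filter that detects an expired HttpSession and answers JSF ajax requests with a partial-response redirect, since a plain 302 is followed silently by XMLHttpRequest and never changes the page. The class name, the `/timeout.xhtml` page and the `javax.servlet` namespace are assumptions; the filter only checks session validity and does not replace container-managed authentication.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical filter name; map it to the Faces pages in the deployment descriptor.
public class SessionTimeoutFilter implements Filter {

    private static final String TIMEOUT_PAGE = "/timeout.xhtml"; // assumed page

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String ctx = request.getContextPath();
        String uri = request.getRequestURI();
        String target = ctx + TIMEOUT_PAGE;

        // The browser presented a session id that the container no longer knows.
        boolean expired = request.getRequestedSessionId() != null
                && !request.isRequestedSessionIdValid();
        // Let the timeout page and its JSF resources (CSS, JS) through.
        boolean exempt = uri.equals(target)
                || uri.startsWith(ctx + "/javax.faces.resource");
        if (!expired || exempt) {
            chain.doFilter(req, res);
            return;
        }

        // The JSF ajax client marks its requests with this header.
        if ("partial/ajax".equals(request.getHeader("Faces-Request"))) {
            // The JSF ajax client navigates when it receives a <redirect> element.
            // target is built from constants here; XML-escape it if it ever is not.
            response.setContentType("text/xml");
            response.setCharacterEncoding("UTF-8");
            response.getWriter().printf("<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
                + "<partial-response><redirect url=\"%s\"/></partial-response>", target);
        } else {
            response.sendRedirect(target); // ordinary full-page request
        }
    }

    @Override
    public void destroy() { }
}
```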
hmm.. what you said made perfect sense.. I did read up on security part of J2EE spec some time back and agree that is best way to handle authentication.. I guess I was too much into JSF and View Expiring mindset to skip that part.
But what you said made me think this..
I have noticed (in my debugging) that the UI view expires when session is expired and I have been testing this by changing my session timeouts in DD. So, that leaves me wondering.. what decides when a View is expired? Can it be configured in the application like session? Is it a true statement that when the value(s)/data (displayed on my view) changes on the server is when ViewExpiredException is thrown?
(I am fairly new at JSF so pardon me if my questions are too naive.. I have a feeling I need to read up on JSF spec for a better understanding but your explanations are helping, Tim)