aspose file tools*
The moose likes JSF and the fly likes JSF 2 - Display dialog upon session timeout on ajax calls Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login
JavaRanch » Java Forums » Java » JSF
Bookmark "JSF 2 - Display dialog upon session timeout on ajax calls" Watch "JSF 2 - Display dialog upon session timeout on ajax calls" New topic
Author

JSF 2 - Display dialog upon session timeout on ajax calls

Swati Sisodia
Greenhorn

Joined: Oct 28, 2007
Posts: 19
Hi all,
I am new to JSF and I am working on handling session timeout for a JSF application.
I am trying to get the code to work for ajax calls and not able to achieve that so far. I have tried two approaches:
Approach 1: SessionListener (for cleanup work) and SessionFilter (for filtering every request and checking if session timed out)
My Code snippet of doFilter() of SessionFilter:


Approach 2: CustomeExceptionHandler handling ViewExpiredException
Code snippet of handle() :


Both these approaches work for non-ajax POST calls but not for ajax calls. When I run my app in debug mode, I can step through all the statements for ajax calls also, which gives me an idea that the control does come to my code, executes it but for some reason, nothing happens on the UI.
I have been trying to redirect user to a timeout page but the ideal thing would be to display a JSF dialog and upon hitting 'OK' take user to Home Screen (My app does not have a login screen.)
I can provide more details if needed.
I have a basic questions also, is view expiring exactly same as session timeout?

Any help would be much appreciated, thanks,
Swati.
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 16014
    
  20

JSF doesn't have built-in dialog support, so the only way to get that is via JSF extensions or JavaScript.

AJAX calls reset the session timeout, so you can't poll the server to see if the session is about to timeout - the act of polling inherently means that it won't.

A VIewExpiredException is a JSF internal thing separate from the normal J2EE session timeout.

About the closest you can get is to run a countdown timer on the client side that gets reset whenever the page is refreshed or an AJAX request is about to be made.


Customer surveys are for companies who didn't pay proper attention to begin with.
Swati Sisodia
Greenhorn

Joined: Oct 28, 2007
Posts: 19
Thanks Tim,
That was a good explanation. After spending about 4 days on the problem, I have this feeling that displaying a dialog (and may be a count-down of session timing out) was not easily achievable without some script. I am not a big fan of JavaScript code lying in my JSPs/Facelets.
I found some utility library online built on top of JSF which redirects the user to the error page declared in my deployment descriptor even for ajax calls (not sure if I can name that library here), which solves my purpose for now... but I guess I will get back to this problem later.

Although, I have one thought to put on the table..
The redirection to timeout screen can be done either via handling ViewExpiredException or in plain old Filter class, so, wouldn't it be better to stop an unauthenticated user right at the filter.. before the request even makes it where ViewExpiredException is thrown. I don't want unauthenticated user to go that far.. makes sense?
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 16014
    
  20

You should not use ViewExpiredException as a security mechanism. The authoritative basis for security is the HttpSession, not the JSF View. A View can expire while potentially leaving vulnerable information still in the HttpSession.

If you use the container-managed security system that comes with your application server (it's defined as part of the J2EE spec), you'll be able to manage security without a lot of kludging and it will be much more secure than a user-designed login system.
Swati Sisodia
Greenhorn

Joined: Oct 28, 2007
Posts: 19
hmm.. what you said made perfect sense.. I did read up on security part of J2EE spec some time back and agree that is best way to handle authentication.. I guess I was too much into JSF and View Expiring mindset to skip that part.

But what you said made me think this..
I have noticed (in my debugging) that the UI view expires when session is expired and I have been testing this by changing my session timeouts in DD. So, that leaves me wondering.. what decides when a View is expired? Can it be configured in the application like session? Is it a true statement that when the value(s)/data (displayed on my view) changes on the server is when ViewExpiredException is thrown?
(I am fairly new at JSF so pardon me if my questions are too naive.. I have a feeling I need to read up on JSF spec for a better understanding but your explanations are helping Tim)
Erkan Yalcin
Greenhorn

Joined: Mar 30, 2014
Posts: 2
You can use java script for achieving this issue. You can set a timer and when the time is up redirect user to the logout. The java script code is placed in .xhtml document but if you use a .js file you can paste the code in it.

Important code lines and explanations
1.

With this code line we check the logged user info in rendered xhtml. So we sure that user logged in and ready for count down.
2.

With this code line we restart count down again with any ajax request. Becouse in each server request the server side session time is restarted.
3.

At the end of the count down, we redirect current page to the exit page.
4.

If the user clicks yes button to get extra time we send an ajax request using command button and close the additional time dialog. So with this request server side session time will be restarted.
If the user clicks no button, we simply redirect user to the exit page (loggedout.xhtml).

A complete implementation is http://javacodetips.blogspot.com.tr/2014/03/how-to-implement-session-expired-alert.html





Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 16014
    
  20

This is a potential security exploit, however. A malicious user could modify the "keep alive" mechanism to keep the user login active when the user thinks that the session has expired. Which is true of anything that does AJAX requests periodically, but it's easier to hide if the app is expected to keep tickling the server.

In fact, if I read this correctly, it extends the window of vulnerability one more session-unit that would otherwise be available.

It also assumes you're using PrimeFaces. For better or worse, many of us are not.
 
I agree. Here's the link: http://aspose.com/file-tools
 
subject: JSF 2 - Display dialog upon session timeout on ajax calls