During development we came across such situation where we need to redirect user to session timeout /logout page once session is expired.
Prerequisite was that system should not wait for user interaction to trigger the event, instead it should be automated .
I am unaware whether such solution is already posted in this forum or not but i am posting one which we had implemented .
There may be more optimized solutions :-)
Before we start few facts that needs to be considered .
This solution works on filter, where each url is intercepted by filter , but as per needs it can be configured depending on situation which url should / should not be filtered. Its finally your decision.
Web.xml would be affected .
One common jsp / common.js file that should be present on every jsp page . We used common jsp page which was included as header in page.
This is the sample code where back button / forward button code is not implemented as well as session is not invalidated.
Note:This solution clears session manually but not invalidates.
Due to continuous AJAX poll session will never get invalidated by container, while clearing session we can invalidate it or logout action can be used to invalidate the session
This solution just redirect the idle user to logout page which is not dependent on user interaction.
Entry in web.xml
Because of the fundamental rules of HTTP protocol, you cannot receive an unsolicited http (page) response from any HTTP server (including Java servers). You appear to be aware of that, but I always like to mention it because often people are not.
If you manually manage the server timeout, you can avoid this by using a special poll URL and making the filter skip resetting the session's manual timeout indicator when that URL comes in (the server's timeout indicator will reset regardless, but you can ignore that). The polling does add cost to the server, however. Incidentally, instead of all the header-fu, just have the filter compute the updated timeout timestamp and store it in the session for comparison against poll requests. Less complicated and less likely to be hackable from ill-behaved clients.
A simpler way to do the date comparison is to compute the timeout time as a Date like so:
Where TIMEOUT_INTERVAL = 1000 * 60 * minutes_to_timeout, since it's in milliseconds. Store "expired" as a Session-scope object.
To check for expiration:
An alternative that does not require all the server interaction would be to partition the pages into two parts (using DIVs, for example). One DIV would be normal content, the other would be the timeout display, made invisible. Run the timeout as a time-delay client event in parallel with the normal server timeout, and when the timeout expires, hide (or destroy) the normal content and make the timeout part of the page visible.
An IDE is no substitute for an Intelligent Developer.