session timeout filter

 
Greenhorn
Posts: 13
Hello,
I have a web application up and running with a lot of users. I never looked into session timing out and redirecting to the login page. So I did some research and implemented a simple filter that checks for the sessionId and redirects to the login page. I tested it out and for a single user/browser it works fine. Now I tried to open multiple browsers with the same user/different users and I found out that the requestedSessionId value is always the same. Let's say I opened one browser, logged in, left it idle, then opened a second browser, did the same thing, and am doing some functions in the second browser. Now after the session timeout for the first browser, I can still do stuff because I guess the session is renewed.
Can you guys advise me on this issue?

code used to check session in the filter:
    // True when the client sent a session ID that the container no longer considers valid.
    private boolean isSessionInvalid(HttpServletRequest httpServletRequest) {
        boolean sessionInValid = (httpServletRequest.getRequestedSessionId() != null)
                && !httpServletRequest.isRequestedSessionIdValid();
        return sessionInValid;
    }

Thanks in advance
Tag
 
Sheriff
Posts: 67746
Checking the session itself for determining authentication is rife with problems. Don't do it that way.

Rather, put a value into the session and check for that.
 
ravindranath
Greenhorn
Posts: 13

Bear Bibeault wrote: Checking the session itself for determining authentication is rife with problems. Don't do it that way.

Rather, put a value into the session and check for that.



I looked into it but I am not completely sure how to implement it or how it works. I tried to store the user id and last accessed time in a session object. Every time a request comes in, I calculate the difference (current - lastAccess) in the filter class, and if it is less than the session timeout I send it to the action class; otherwise I redirect it to the timeout page. I tried to implement this concept, but in the filter class, when the session is timed out (which means the session object is not available), it never made it to this function and went directly to the action class. I guess I really didn't get the concept right. Can you please guide me through the process or online resources?

Thanks
 
Author
Posts: 12617
Get the session. Check if the object you're using is in it. If it's not, redirect. If it is, the session is still valid.

You don't need to do anything with the last accessed time--the session will go away on its own.
 