
testing to see if a session has expired

 
Denise Smith
Ranch Hand
Posts: 36
Using JSF, how can I test to see if a session has expired? I can test for a new session; how do I test to see if a session is no longer available?

Seems like this should be easy:

ExternalContext ec = facesContext.getExternalContext();

Object requestObject = ec.getRequest();
HttpServletRequest req = (HttpServletRequest) requestObject;
HttpSession session = req.getSession();
if(session.------now what)
 
Tim Holloway
Bartender
Posts: 18417
Somebody asked this just the other day. A client can't tell if a session is expired. Here's why:

HTTP does not support unsolicited client responses. An HTTP client only gets a response when a request has been made.

An HTTP request automatically resets the session timeout. So whenever you make any sort of HTTP request -- including a timeout test -- one of the following things will happen:

1. The request timer will have been reset, so the answer will always be that the timer has (almost) the entire timeout interval to go.

2. The request timer will have expired already, in which case the user will have been logged out and his/her sessions already invalidated.

JSF session management is based on J2EE session management, so generally what's true about one is true about the other.
 
Denise Smith
Ranch Hand
Posts: 36
So how are developers redirecting their users to login pages when the session times out?
 
Ryan Lubke
Ranch Hand
Posts: 36
Originally posted by Denise Smith:
So how are developers redirecting their users to login pages when the session times out?


With JSF 1.2, it's a bit easier. When using server-side state saving and the session times out, a ViewExpiredException will be thrown. This exception can be caught by the web application error-page functionality. Your error page could simply redirect to the login section.
 
Tim Holloway
Bartender
Posts: 18417
Originally posted by Denise Smith:
So how are developers redirecting their users to login pages when the session times out?


Well, I prefer container-based authentication. That method is automatic - if the session was expired, the appserver will automatically redirect to the login page, then back to the originally-requested page (assuming the user logged in OK). In fact, it's one reason I recommend CBA - because you don't have to install a custom filter or add login code to each and every page (and thus risk a security hole when you forget one).

In the olden days, if you didn't use container-based authentication you'd attempt to get the session using a get option of "false", which would then fail if the session didn't exist (either prior to login or after time-out). After that, you'd add logic as desired.

Ryan has indicated that now JSF has a helper facility. I haven't worked with JSF 1.2 yet, so I don't know if it has any special requirements or limitations, but it probably fits better in a JSF framework than brute-force access to the server session object.
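Added example, not part of the original thread: a servlet filter that applies the getSession(false) check described above on the server side and tells a timed-out session apart from a first visit. The class name, the login path /login.jsf and the session attribute "authenticatedUser" are assumptions for illustration.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class SessionTimeoutFilter implements Filter {
    // Assumed names; adjust to the application.
    private static final String LOGIN_PAGE = "/login.jsf";
    private static final String USER_ATTR = "authenticatedUser";

    public void init(FilterConfig config) {}

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;

        // Let the login page itself through, otherwise the redirect loops.
        String path = req.getRequestURI().substring(req.getContextPath().length());
        if (path.startsWith(LOGIN_PAGE)) {
            chain.doFilter(request, response);
            return;
        }

        // The browser presented a session id the container no longer holds:
        // the session timed out or was invalidated.
        boolean expired = req.getRequestedSessionId() != null
                && !req.isRequestedSessionIdValid();

        // getSession(false) never creates a session; null means none exists.
        HttpSession session = req.getSession(false);
        boolean loggedIn = session != null && session.getAttribute(USER_ATTR) != null;

        if (expired || !loggedIn) {
            String suffix = expired ? "?expired=true" : "";
            res.sendRedirect(req.getContextPath() + LOGIN_PAGE + suffix);
            return;
        }
        chain.doFilter(request, response);
    }

    public void destroy() {}
}
```

The filter only protects URL patterns it is mapped to in web.xml, so any page left out of the mapping stays reachable without a session, which is the gap container-based authentication avoids.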
 