Hi,

i need to handle session timeout on Jsp in my application. Currently when session is timeout and user clicks on submit button then a request is send for an JSP. Now on this JSP a new session object is created since existing one is expired. I did not want new session to be get created on JSP if older one is expired.

Any help is appreciated!!!

use session="false" at page directive in the particular page

Hope This Helps

But it will prevent that jsp to participate in any session. As i understand what is required is to not create the session on any jsp invoked after the session has timed-out. What kind of authentication mechanism are you using ?

Whenever session is timedout or becomes invalidate then if the object assocaited with the session has implemented HttpSessionBindingListener interface then this object is notified.

you can use the valueUnbound method and can set some variable in this method which you can use in your JSP.

I didnt try this solution, but i think it should work.

Thnaks

i am using Basic authentication

Not sure what authentication has to do with it, but you haven't stated what you actually want to achieve - that the session should not expire at all, or that -once it has expired- no new one should get created.

The former can be achieved by calling HttpSession.setMaxInactiveInterval

The latter would be very hard, if not impossible, to achieve, and doesn't make much sense to begin with (it denies the user the use of the application).

I'd also note that a new session being created once the old one has expired is standard behavior; why is it not acceptable in your case?

Maybe i'm totally wrong, but i understand the question as "when the session expires i still can access the pages ( whithout being re-authenticated )". If a resource is unprotected and it relays in some session info it can lead to problems. That's why i asked about authentication, but more precise information maybe could avoid misunderstoods.

I guess it could be read that way. It's a feature of basic authentication that the credentials are sent by the browser until the browser is shut down. In that sense, there is no connection between authentication and server session.

I required to show session timeout page when my session is expired on a jsp page say A.jsp.

Now suppose i am on A.jsp page and my session expired and then i click submit on A.jsp. On clicking submit a new request is sent to server for a Jsp say B.jsp. Now instead of showing B.jsp page i need to show session timeout page as my session is expired.

I apply a check on B.jsp page for seesion object, if session is null then redirect to SessionTimeout.jsp page, as my understanding was that if session is expired then obtaining session using request.getSession(false) will result into null but it returns a new session object. Due to this my checks fails and i end up with B.jsp processing.

mmmm.. it should return null. At least that is what the specs claims. Then i'd use a filter.