• Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other Pie Elite all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Campbell Ritchie
  • Jeanne Boyarsky
  • Ron McLeod
  • Paul Clapham
  • Liutauras Vilda
Sheriffs:
  • paul wheaton
  • Rob Spoor
  • Devaka Cooray
Saloon Keepers:
  • Stephan van Hulst
  • Tim Holloway
  • Carey Brown
  • Frits Walraven
  • Tim Moores
Bartenders:
  • Mikalai Zaikin

handling session time out

 
Ranch Hand
Posts: 85
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
how can we determine whether a session has been timed out. (to redirect to a custom page if session has been timed out.)
using session.isnew() and isRequestedSessionIdValid() methods from HttpServletRequest returns true even before the login.
what is the way to differentiate the two events 1) before login 2) login and session time out.

please suggest appropriate way to do this.
 
Ranch Hand
Posts: 52
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
I would say it would basically depend on where you want to check for the session invalidated condition.

For ex-suppose you have the bank account application,wherein a person logs in the does some transactions in his account. I this case after the login servlet assume that you specified a inactive interval for the session in the login page. Now you are in some other servlet2 which uses the help of servlet3. Now in servlet3 assume that it checks if the inactive interval is crossed and this servlet explicitly invalidates the session using session.invalidate(). Now when you return to the servlet2 when you create the session object using HttpSession.getSession(false) which would return an object only if it is already present, which in this case returns null since the session has been invalidated in servlet3 and so you would now redirect the req to a custom page.

The above example is just one of the cases how you would check for invalidation. So your assumption while you create the session is that it is still valid and not been invalidated explicitly by any other servlet or jsp or timed out by the container. So you would check for invalidation only after the login page. I hope this info helps
 
Ranch Hand
Posts: 119
Hibernate Spring Java
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Hello,

You can check whether a session has been timed out by checking if an attribute is exists in the session object. This attribute was placed there upon a successful login attempt. When you found no attribute in the session you can redirect the user to a login page.

If you want to listen to session creation or destroy event you could implement an HttpSessionListener.
 
Satish Kumar
Ranch Hand
Posts: 85
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
by setting an attribute in the session, we can determine whether login has occured or not by i wanted to trigger some action when the user logs in and then click on a link in application after exceeding the session time out idle time.
still i am confused about to know exactly the session timeout has occurred ie a request comes in with a session id of that of expired session
 
Ranch Hand
Posts: 893
Tomcat Server Java Ubuntu
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
You could use the function request.isRequestedSessionIdValid() from the HttpServletRequest


Request.isRequestedSessionIdValid
 
Satish Kumar
Ranch Hand
Posts: 85
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
i could use HttpServletRequest's isRequestedSessionIdValid() method but it would return false for the first time user request a login page. when user reequests login page for the first time, the method returns false and user will be shown the session expiry page instead of a login page.

i want the user to be shown a login page before logging in (even if the user bookmarks the page after login and opens it in a new browser), he should be shown login page, and if clicks on a link on a session expired page, he should be displayed with session expiry message.

i am wondered about doing at the same time as by using isRequestedSessionIdValid() method, it displays a session expiry page even for the first time.
 
Sheriff
Posts: 13411
Firefox Browser VI Editor Redhat
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator

Originally posted by I Wayan Saryada:
Hello,

You can check whether a session has been timed out by checking if an attribute is exists in the session object. This attribute was placed there upon a successful login attempt. When you found no attribute in the session you can redirect the user to a login page.





This, in my opinion, is, by far, the easiest, and more reliable way to do this.
[ January 02, 2008: Message edited by: Ben Souther ]
 
Greenhorn
Posts: 10
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
isnt httpsessionlistener best way?
 
Sheriff
Posts: 67746
173
Mac Mac OS X IntelliJ IDE jQuery TypeScript Java iOS
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator

Originally posted by Radhakrishna Bhat:
isnt httpsessionlistener best way?



No. A listener is great for performing out-of-band activities upon session timeout, but is rather useless for determining whether the session had timed out during a request. How, for example, would a servlet, or even a filter, use a listener to determine if the session had timed out or not?
 
Satish Kumar
Ranch Hand
Posts: 85
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator

Originally posted by Ben Souther:




This, in my opinion, is, by far, the easiest, and more reliable way to do this.

[ January 02, 2008: Message edited by: Ben Souther ]



Hi Ben,
this is how i am doing to redirect to login page when user's session has timed out or if the user enter a page (which should accesible after login) url without logging in.
but now how will i redirect to a custom page showing a session expiry message and at the same time redirecting to a login page if accessing a page(which should accesible after login) without logging in.
 
Bear Bibeault
Sheriff
Posts: 67746
173
Mac Mac OS X IntelliJ IDE jQuery TypeScript Java iOS
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator

Originally posted by Satish Kumar:
but now how will i redirect to a custom page showing a session expiry message and at the same time redirecting to a login page if accessing a page(which should accesible after login) without logging in.


Why would you want to show the user a session expiry message page? Most apps will simply forward to the login page so that the user can login. If need be, a message can be placed on the login page telling the user that his or her session has expired, but why make them go through an entire page just for a message?
 
Satish Kumar
Ranch Hand
Posts: 85
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator

Originally posted by Bear Bibeault:

Why would you want to show the user a session expiry message page? Most apps will simply forward to the login page so that the user can login. If need be, a message can be placed on the login page telling the user that his or her session has expired, but why make them go through an entire page just for a message?



it's true that most application forward to login page. i had a requirement of showing a custom session expiry page from customer. As you said it is good to have a message placed on the login page, but in this way it will be displayed even for the first request.
Now i realize at the server side, there is no option of differentiating whether the request has come for first time or whether the request comes out with timed out session. correct me if this is false (another interesting thing is that even request.getSession(false) returns true in struts framework)
 
Ben Souther
Sheriff
Posts: 13411
Firefox Browser VI Editor Redhat
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator

Originally posted by Satish Kumar:

(another interesting thing is that even request.getSession(false) returns true in struts framework)



In most settings, getSession(false), session.isNew() and session.isSessionValid() are not very useful anymore.
Since JSPs, and many frameworks create sessions by default, you never really know if you've just created the session or if it was created by another part of the app, container, or framework.

Checking for a particular object in session, is very simple and very reliable.
 
Satish Kumar
Ranch Hand
Posts: 85
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator

Originally posted by Ben Souther:

Checking for a particular object in session, is very simple and very reliable.



i have been doing it by checking for an attribute in session. but i cannot trigger two set of action just by checking an attribute in session.
by checking an attribute in a session, there is now way to know whether to differentiate whether the request has come for first time or whether the request has an session id of a timed out session
 
Remko Strating
Ranch Hand
Posts: 893
Tomcat Server Java Ubuntu
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Ben Souther,

Thanks for your explanation why you wouldn't use a method from the api for checking if a session is not valid. For me it worked fine, but I'm not using a complicated framework.
 
Satish Kumar
Ranch Hand
Posts: 85
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator

Originally posted by Satish Kumar:


there is now way to know whether to differentiate whether the request has come for first time or whether the request has an session id of a timed out session



Sorry i have mispelt as there is a now way to differentiate. it should be read as no way instead of now way.
infact by using an attribute in session there is no way to differentiate whether the request has come for the first time or with a session id of expired session. in simple words just by setting an attribute in session you cannot trigger two sets of actions.
 
Ben Souther
Sheriff
Posts: 13411
Firefox Browser VI Editor Redhat
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator

Originally posted by Satish Kumar:

...
In simple words just by setting an attribute in session you cannot trigger two sets of actions.



Not true, if your object implements SessionAttributeListener, you can trigger as many actions as you like by setting an attribute.

I don't think this will help you though.
Can you tell us why you care whether the user has just entered the site or has hit the site after the session has expired? Maybe with a little more information about what you're trying to do, someone will be able to suggest a solution.
 
Greenhorn
Posts: 9
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator

Satish Kumar wrote:how can we determine whether a session has been timed out. (to redirect to a custom page if session has been timed out.)
using session.isnew() and isRequestedSessionIdValid() methods from HttpServletRequest returns true even before the login.
what is the way to differentiate the two events 1) before login 2) login and session time out.

please suggest appropriate way to do this.



Did you get the solution for this problem? now i am having the same doubt ... if you have any solution means please suggest me..

Thanks in advance
 
Greenhorn
Posts: 4
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
I haven't specifically solved this problem, but I always thought that because the session is going to disappear on you, voided by the container, you would need a placemarker to remind you that the incoming request had been there before.

Therefore, set a Cookie manually, with a bigger maxAge than you know your session will use.

Good luck Devi, and let us know what you find.
 
Consider Paul's rocket mass heater.
reply
    Bookmark Topic Watch Topic
  • New Topic