At work, a requirement came in to handle session timeouts gracefully across our entire application. Some of our application does so already. But for the screens that do not, I suggested that the team implement a request filter to validate the session on every request, since that was in essence what the requirement called for.
I heard back later from the team that they had decided against my suggestion because it would hurt performance (I am not sure if they actually tested this or not). They only added the logic to our controller servlet, which solves the requirement for many screens but not all. And today, I have QA staff complaining of null pointer errors on the pages that don't go through the controller when they let the session time out. I am having to explain to them why the null pointer exceptions are not due to my code.
Anyway, can anyone say if it was a bad idea to use a request filter to validate the session for all requests? I've already pointed out the downsides of the way it was implemented.