nice way for Handling session timeouts

 
Rancher
I've got an application that uses the Servlet container's session timeout facility and implements a LoginFilter to check the target for the GET/POST. If the target requires a login, the Filter checks that there is appropriate user information in the HttpSession. If not, it dispatches to the usual Login/Register page. All of this works just perfectly.

But the user experience is not ideal. When the session times out, the user is sent to the login page whenever they click on a link within the application. So they click on the "play music" link, and get the standard Login page, without any prompt or error message. When they have cookies enabled and the account set up for automatic login using the cookie, then they are taken to the main landing page. So they are scratching their heads going "why is the music not playing?"

A better flow would be to display a page saying "your session has timed out, click here to re-Login".

I'm not finding what I need to do to have either the LoginFilter notice the timeout, or have another filter/function called. The LoginFilter can easily tell that the user is logged in, or not, but not why they are not logged in. It's nicely stateless, which is good in some senses, but not ideal for the user experience.
 
Sheriff
Remember the target URL and parameters in the session (or in hidden parameters), and after a successful login, redirect to that URL.

The user is interrupted in order to log in, but then gets sent to where they originally intended to go.
 
Pat Farrell
Rancher
Just to make sure I am understanding your answer:


Are you suggesting that

1) the LoginFilter do the remembering, then
2) dispatch the "re-login page"
3) which the user clicks on the re-login. Then
4) the Login bean can ask the LoginFilter for the old "where to" and do a dispatch again?
 
Greenhorn
In the login filter you can extract the previous URL from the request by calling request.getRequestURL();
Store the URL in the request/session/cookie and then redirect the user to the login page. This way the login page knows what the previous URL was and can redirect the user to the previous URL in case of successful login.
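Added example, not part of any post in this thread: the replies above suggest remembering the target in hidden parameters or a cookie, both of which the client controls, so the value should be checked before the post-login redirect. The class name, the `/home` fallback and the sample inputs are assumptions; the sketch accepts only a path inside the application's own context, such as `getRequestURI()` plus the query string.

```java
// Added example: validate a remembered "return to" target before redirecting.
public class ReturnTarget {
    static final String FALLBACK = "/home"; // assumed landing page, relative to the context

    /** Returns candidate if it is a path inside this application, else the fallback. */
    static String safeTarget(String candidate, String contextPath) {
        String fallback = contextPath + FALLBACK;
        // Absolute URLs and paths outside our context never start with "<context>/".
        if (candidate == null || !candidate.startsWith(contextPath + "/")) return fallback;
        // With a root context ("") a scheme-relative "//host" would pass the check above.
        if (candidate.startsWith("//")) return fallback;
        for (int i = 0; i < candidate.length(); i++) {
            char c = candidate.charAt(i);
            // Backslashes can be normalised to "/" by browsers; control characters
            // (CR/LF) must never reach a Location header.
            if (c == '\\' || c < 0x20 || c == 0x7f) return fallback;
        }
        return candidate;
    }

    public static void main(String[] args) {
        String ctx = "/app"; // constructed context path
        String[] samples = { // constructed inputs
            "/app/play?track=7",
            "https://evil.example/app/play",
            "//evil.example/app/",
            "/app/\\evil.example",
            "/app/play\r\nX-Injected: 1",
            null
        };
        for (String s : samples) {
            String shown = String.valueOf(s).replaceAll("[\\r\\n]", " ");
            System.out.println(shown + " -> " + safeTarget(s, ctx));
        }
    }
}
```

Only the first sample is returned unchanged; every other input resolves to `/app/home`.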
 
Pat Farrell
Rancher
Well, I'm making progress on capturing the requested page (one that requires login) in the LoginFilter, and when the User is not logged in, I can direct them to the login page.

But I'm not seeing any way to detect why the user is not logged in. The LoginFilter sees the request, looks for the existence of the user in the Session, and sees none.

There is no difference between when a user is logged off because they clicked on the "logout" link, session invalidated, etc. and when a timeout happens.

So I'm still not at the initial question: how do I detect timeouts?

 
Bear Bibeault
Sheriff
Oh, I missed that nuance.

Why do you care?

What different semantics do you want to apply when the user logs off versus just times out?
 
Pat Farrell
Rancher
Because in one case, the user is logged in, on a page, and goes away for a beer. Comes back, clicks on the "play music" link, and you want to display a screen "sorry, you have been logged out due to inactivity. we care about your security, we love you, blah blah" and have him click to log in.

In the other case, if a user enters a URL to a link that requires being logged in, I want to say "Nice that you want to play music, but you have to log in first."

Different use case, different messages to the user.
 
Bear Bibeault
Sheriff
Well, you could do something different than just pull the User instance from the session on logout. Perhaps have a flag that indicates whether he/she is logged in or not. That way, no User in the session means hard timeout.
 
Pat Farrell
Rancher
I was hoping, but could not find, that the container would call some listener when it does the timeout.
 
Bear Bibeault
Sheriff
Sure, there are session listeners. Problem is that they execute asynchronously, independent of request.
 
Pat Farrell
Rancher
Bear Bibeault wrote: Sure, there are session listeners. Problem is that they execute asynchronously, independent of request.



I'm not seeing that as a problem, there is no request when the session times out. There is a request later, which needs to test if there was a timeout.

I'll ignore the possible race condition of the timeout happening as the user does their next request.
 
Eric Keen
Greenhorn
You can store whether the user is accessing the page for the first time or whether his session has timed out by storing the info in a cookie.

E.g.

    if (!userLoggedIn && cookieExists) {
        // the user got logged out in the middle of his work
    } else {
        // the user is accessing the page for the first time
    }

The above is simple logic which can be extended...
 
Pat Farrell
Rancher
Bear Bibeault wrote: Perhaps have a flag that indicates whether he/she is logged in or not. That way, no User in the session means hard timeout.



I've had that for ages.

I'm missing something.

There are at least three cases here:

1) the user logs out with a suitable command, and then wants to play music
2) the session times out, then the user wants to play music
3) the user comes in from the blue, and wants to play music.

What I'm looking for is a way to have something, the container, etc. tell me that it did the logout.

The other two cases are straightforward.
 
Bear Bibeault
Sheriff
Set a cookie? A flag in the DB?

This isn't a common scenario. Usually logged out just means logged out. Few apps care why.
 
Pat Farrell
Rancher
I've got all those things.

I don't really care that no one else cares. I care.

I'm trying to get an HttpSessionListener working, it may help.
 
Bear Bibeault
Sheriff
I didn't say you shouldn't care. I pointed that out so that you'd know why no one just popped in with "Here's how I handle that...".
 
Ranch Hand
Hi,

The problem you are facing can be solved by having a session which is managed by you + the browser. The following steps can solve this problem:

1. Make the session never expire
2. Store your user object on the session object
3. Update the request time on each request, but before doing that, compare the last visit with the current timestamp; if the difference is greater than your timeout, redirect to the login page with message A
4. If the object is null, redirect with message B
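Added example, not code from the poster or from the application discussed: one way to write steps 1 to 4 as a servlet filter (javax.servlet API), mapped only to URLs that require a login. The attribute names, the 30-minute limit, the `/login` path and its `reason` parameter are assumptions, and the login code is assumed to call `session.setMaxInactiveInterval(-1)` and set both attributes.

```java
import java.io.IOException;
import java.util.concurrent.TimeUnit;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example: idle timeout enforced by the application instead of the container.
public class IdleTimeoutFilter implements Filter {
    static final long IDLE_LIMIT_MS = TimeUnit.MINUTES.toMillis(30); // assumed policy
    static final String USER = "user";           // assumed session attribute names
    static final String LAST_SEEN = "lastSeen";

    enum State { ACTIVE, TIMED_OUT, NOT_LOGGED_IN }

    // Pure decision, kept separate so it can be unit-tested without a container.
    static State classify(Object user, Long lastSeen, long now) {
        if (user == null) return State.NOT_LOGGED_IN;           // step 4: message B
        if (lastSeen == null || now - lastSeen > IDLE_LIMIT_MS)
            return State.TIMED_OUT;                               // step 3: message A
        return State.ACTIVE;
    }

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        HttpSession s = req.getSession(false);    // never create a session here
        Object user = (s == null) ? null : s.getAttribute(USER);
        Long last = (s == null) ? null : (Long) s.getAttribute(LAST_SEEN);
        long now = System.currentTimeMillis();
        switch (classify(user, last, now)) {
            case ACTIVE:
                s.setAttribute(LAST_SEEN, now);   // step 3: record this request
                chain.doFilter(rq, rs);
                break;
            case TIMED_OUT:
                s.invalidate();  // the container will not expire it, so the filter must
                res.sendRedirect(req.getContextPath() + "/login?reason=timeout");
                break;
            default:             // "reason" only selects the wording on the login page
                res.sendRedirect(req.getContextPath() + "/login?reason=required");
        }
    }
}
```

A session that never receives another request is never invalidated by this filter, so with container expiry switched off, abandoned sessions stay in memory until something else removes them.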

 