
My http session not expiring after the specified time

 
Kumar Raja
Hi,

I'm trying to understand Session-Timeout in web.xml to check what exactly would happen if the time is elapsed. I'm not sure what mistake I'm making here, but my HTTP session does not seem to expire. Please advise.



My web.xml is as follows


I'm trying to refresh my browser every minute, but could not see my session expiring.

 
David Newton
You might just be misunderstanding the nature of the isNew() method.
 
William Brogden
session-timeout is NOT a guarantee, it tells the container something like this:

The next time you happen to look through the existing sessions, if the session has been inactive longer than this number of minutes, it is eligible to be destroyed.

Bill
 
Prabhat Shankar
Hi,

It seems to be correct... Session timeout should happen after 1 minute.

Otherwise you can use the method below in your servlet for session timeout; it will help:
session.setMaxInactiveInterval(1*60);
 
Kumar Raja
David Newton wrote: You might just be misunderstanding the nature of the isNew() method.


Please advise, what does it mean? Where am I making a mistake in understanding this? In the API, it is mentioned that


Returns true if the client does not yet know about the session or if the client chooses not to join the session.


From my code

I'm checking if the session is new, which I thought means the client is not yet aware of his session, and then adding a new attribute. But somewhere I read that, if the session is expired, then all the assigned attributes are lost. With this knowledge, I thought of checking if the attribute is null or not. If it is null, then it means the session is expired. But apparently I lack enough knowledge here in understanding this.

As pointed out above, does it matter if we set the session interval using setMaxInactiveInterval()? How is this going to be different from the Session-Timeout element in web.xml?

What should be done here to throw the user to the logout page if the session is really no longer valid?

Also, I see a flaw in my code apart from its existing errors. I'm pushing the user to the logout page with an assumption that the session is no longer valid. I'm thinking that I should call the session invalidate() method instead. But how do I know when to call this method, and can I call RequestDispatcher on a request where the associated session has expired?

 
Doug Braidwood
As far as I'm aware setting in web.xml (in minutes) or setting it programmatically with setMaxInactiveInterval (in seconds) is no different.

What I am a bit confused about is what you are wanting to happen.
After one minute the session will be invalid, and so the isNew() test will return true, also the session attributes will have been cleared.
With your code there, if you press f5 (refresh) after less than one minute I would expect it to log "Session is old" and if you press f5 after more than one minute the session will have timed out and you will see "Session is new" (and a new session will be created).

In my application I have also used HttpSessionListener which is triggered whenever a session is created or destroyed



 
Kumar Raja

What I am a bit confused about is what you are wanting to happen.
After one minute the session will be invalid, and so the isNew() test will return true, also the session attributes will have been cleared.
With your code there, if you press f5 (refresh) after less than one minute I would expect it to log "Session is old" and if you press f5 after more than one minute the session will have timed out and you will see "Session is new" (and a new session will be created).


I think I'm following what you are saying here and also figured out what was going wrong with my code. After 1 min, the session would have been invalidated, but when I refresh, it created a new session and isNew() is true... So, I never got to a point where it throws me to logout.jsp.

Is my understanding correct?

As I read, a session listener is a better approach to handle events associated with the session life cycle. I will implement that and see how it works for me.

Thank you all.
 
William Brogden
After 1 min, the session would have invalidated


That is NOT guaranteed - as I said before, you should not expect that after exactly one minute the session will be invalidated. The servlet container is allowed to invalidate the session when it gets around to it.

Bill
 
David Newton
If that servlet container is anything like me... that session's *never* going to be invalidated.
 
Doug Braidwood
I'm just trying to understand the bit you are saying about being shown the logout page.

On my application you log in, a session is created and you can view your personal data. If you do not do anything, that is you do not send any further requests to the server, then after the session timeout your session will no longer be valid. In this case your personal data remains on the browser screen (the browser knows nothing about the timeout) until you click on a link or something and then a request reaches the server and the server says that the session is no longer valid.

It sounds like what you are wanting is the sort of situation like some online banks, where after a period of inactivity in the browser itself you are taken to a logout screen. If this is the case then I would have thought you need something running in the browser such as a javascript function to countdown.

Does that make sense? Invalidating the session on the web container will not affect the browser until it attempts to communicate with the container again.
 
Kumar Raja
David Newton wrote: If that servlet container is anything like me... that session's *never* going to be invalidated.


Hi David,

What I'm trying to achieve here is, if there is no activity from the client, then the session should be invalidated and, as Doug mentioned, maybe JavaScript would do that part. In some web applications, I have seen the application routing you back to the login page if your session is gone. I'm trying to implement the same. How can this be achieved?

@Doug,

Thanks for suggesting JavaScript, if I have to check the session validity from the browser. But as I mentioned, what I'm exactly looking for is to route the user back to the login page (I used logout page very loosely here). Ideally what I wanted is to route the user back to some point where he needs to start over, if he did not perform any action for a definite amount of time. I hope I made my question clear now.
 
Kumar Raja
Or using the HttpSessionListener, the container would call sessionDestroyed() if the session is really timed out and throw him back to the login page. But how do I get a RequestDispatcher in the sessionDestroyed() method? All I get is HttpSessionEvent.

Or, would the below approach be right one,
1) Using a Timer in servlet and if the timer reaches a specific elapsed time, I call invalidate() method on the session object and then using request dispatcher, I would route the user to login page.
 
Doug Braidwood
Kumar, I think you are mixing up the two things. The HTTP connection is stateless - the browser has no idea about the session objects etc. that are held on the container.
You are going along the right track when you set the timeout on the server. You need to do this, so that after one minute the session becomes invalid (I know some people have pointed out there is not a guarantee it will be in exactly one minute but in my experience it's always very close).

So on the web container side, all you need to do is set the session timeout to one minute. Try this first, wait for say 90 seconds and then refresh your browser. It should ask you to log in again, because the previous session has gone.

Once you have that working you need to look at doing something on the client side. I would suggest that involves sending back a javascript countdown. The countdown's only purpose is to wait the specified interval and then say refresh the page. Session invalidation will have been handled by the container, and the user will see the login screen again.
 
Kumar Raja
Doug Braidwood wrote:
So on the web container side, all you need to do is set the session timeout to one minute. Try this first, wait for say 90 seconds and then refresh your browser. It should ask you to log in again, because the previous session has gone.

Once you have that working you need to look at doing something on the client side. I would suggest that involves sending back a javascript countdown. The countdown's only purpose is to wait the specified interval and then say refresh the page. Session invalidation will have been handled by the container, and the user will see the login screen again.


Hi Doug,

Please help me understand how the container is going to route me to the login page after, say, 90 secs. Does it happen automatically? If not, how do we determine if the session really exists or not after 90 secs? I'm sorry for asking such naive questions, but I could not straighten this out.
 
David Newton
The container doesn't, the JavaScript (preferably Ajax, otherwise yuck) does.
 
Doug Braidwood
Kumar, I think the first thing to do is get the session timeout working on the server.
For this you need to have the <login-config><auth-method> and the <session-config><session-timeout> elements setup in web.xml
When you have this setup you should find that the first time you request a secured page you need to login.
Then you see the page you wanted, and press f5 and it refreshes without you needing to re-enter authentication details.
Then if you wait at least the timeout interval (a minute) and press f5, now the session has timed out and you are requested for login details again.

This behaviour is fairly straightforward to setup in the container. Have you got this working?
 
Kumar Raja
Doug Braidwood wrote: Kumar, I think the first thing to do is get the session timeout working on the server.
For this you need to have the <login-config><auth-method> and the <session-config><session-timeout> elements setup in web.xml
When you have this setup you should find that the first time you request a secured page you need to login.
Then you see the page you wanted, and press f5 and it refreshes without you needing to re-enter authentication details.
Then if you wait at least the timeout interval (a minute) and press f5, now the session has timed out and you are requested for login details again.

This behaviour is fairly straightforward to setup in the container. Have you got this working?


Hi Doug,

I have not checked the thread for a couple of days. I will give your suggestion a try today and let you know how it worked for me.

Thanks
 
Amit Savani
Kumar Raja wrote:
HttpSession session=request.getSession();


Each time you request, above code executes which creates new session every time. So to track if it is timed out or not, you can use the session listener mechanism as suggested by Doug Braidwood.
 
Bear Bibeault
Amit Savani wrote:
Kumar Raja wrote: HttpSession session=request.getSession();


Each time you request, above code executes which creates new session every time.

That is not correct. You do not create a new session each time you make the call to obtain it.
 
David Newton
That's weird--I replied with the same thing and a link to the docs, but I don't see it here. Hrm.
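
As an added example, not part of any post in this thread: a servlet filter for the server-side half of what is discussed above. It calls getSession(false) so an expired session is not silently replaced by a new one, and it keeps its own last-seen timestamp so the idle limit holds even when the container has not yet reaped the session. Assumptions: the javax.servlet API (jakarta.servlet on newer containers), a filter mapped only to protected URLs, a login handler that creates the session, and the hypothetical names /login.jsp, lastSeenMillis and expired.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

/** Added example: sends requests with a missing, expired or idle session to login. */
public class SessionTimeoutFilter implements Filter {
    private static final String LOGIN_PAGE = "/login.jsp";     // hypothetical path
    private static final String LAST_SEEN = "lastSeenMillis";  // hypothetical attribute
    private static final long MAX_IDLE_MILLIS = 60_000L;       // one minute, as in the thread

    /** Pure idle check, kept separate so it can be tested without a container. */
    static boolean idleTooLong(Long lastSeen, long now, long maxIdleMillis) {
        return lastSeen != null && now - lastSeen > maxIdleMillis;
    }

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    // Assumes this filter is mapped to protected URLs only (not the login page),
    // and that the login handler creates the session after authentication.
    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;

        // getSession(false) never creates a session. getSession() would hand back
        // a fresh one here and hide the fact that the old one had expired.
        HttpSession session = req.getSession(false);
        long now = System.currentTimeMillis();

        if (session != null
                && idleTooLong((Long) session.getAttribute(LAST_SEEN), now, MAX_IDLE_MILLIS)) {
            // The container has not reaped it yet: enforce the idle limit here.
            session.invalidate();
            session = null;
        }
        if (session == null) {
            // The browser sent an ID the container no longer accepts: it timed out.
            boolean expired = req.getRequestedSessionId() != null
                    && !req.isRequestedSessionIdValid();
            res.sendRedirect(req.getContextPath() + LOGIN_PAGE + (expired ? "?expired=1" : ""));
            return;
        }
        session.setAttribute(LAST_SEEN, now); // record activity for the next request
        chain.doFilter(rq, rs);
    }
}
```

The filter only acts when a request arrives; returning an idle browser to the login page without user action still needs the client-side timer discussed in the thread.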
 