Refresh (redirect) to login page on session expiry

Hi,
I have spent the best part of 2 months trying to find a solution to the problem in the thread title. While this may seem like a FAQ type problem given the number of results from a Google search, I am fully read up how this can be achieved via storing and checking for a "token" on the sesssion.

While that does the job, it requires user interaction (i.e. a page request post an expired session). The functionality I would like to achieve is the hypothetical scenario where somene logs in to the webapp and then say walks away from their computer. On the session being expired, the page is refreshed (redirected) to the login page. I have managed to achieve a similar functionality via Javascript and a modal dialog but would like to cater for the occassion where the user has JS turned off.

I have seen this functionality in action both with JS on and off. Said application was an ASPX application. I was very excited by the fact that it is possible to use HttpSessionListener to listen for session destruction, even more so when the notification happens prior to session invalidation but in the absence of any HttpServletResponse object how on Earth do I refresh (redirect) to the login page.

Perhaps this is impossible to do with Java and if so, please put me out of my misery as I have had many an all-nighter trying to get around this problem.

P.S. edited due to accidental pressing of Enter before full post text typed.

It looks like you didn't quite finish typing out your requirements.

However I hope that you didn't mean that you wanted to redirect the user to the login page even if they never sent a request to your server? You can only redirect requests, and it looks like you have already figured out how to deal with a request which arrives when there is no active session.

I am not very sure whether i have understood your problem, but suggesting the solution for whatever i have understood.
Have a zero size(invisible) iframe in your page having some content with auto refresh at say every 15 seconds or so.
On server have a filter for the URL patterns used by your app which will redirect to login page if the session is expired (make sure you keep the requested URL to serve after login). By doing this you will be redirected to login page whenever there is a request having no/invalid/expired session. Have a field in your session to keep last requested time, Upon every request, have a check whether the difference between last requested time & current time is greater than session expiration time, if yes, invalidate the session & redirect to login page. If not, then update the last requested time by current time in session for requests which are not made by iframe.

if the request is made by iframe & the session is no more valid, then render a script which will be executed right after being loaded, & which will reload the _top page (or you can have redirection to login page right from here).

Please confirm if this answers, or help me understand your question if i haven't.

Anurag Verma wrote:I am not very sure whether i have understood your problem, but suggesting the solution for whatever i have understood.
Have a zero size(invisible) iframe in your page having some content with auto refresh at say every 15 seconds or so.
On server have a filter for the URL patterns used by your app which will redirect to login page if the session is expired (make sure you keep the requested URL to serve after login). By doing this you will be redirected to login page whenever there is a request having no/invalid/expired session. Have a field in your session to keep last requested time, Upon every request, have a check whether the difference between last requested time & current time is greater than session expiration time, if yes, invalidate the session & redirect to login page. If not, then update the last requested time by current time in session for requests which are not made by iframe.

if the request is made by iframe & the session is no more valid, then render a script which will be executed right after being loaded, & which will reload the _top page (or you can have redirection to login page right from here).
Please confirm if this answers, or help me understand your question if i haven't.

Hi Anurag, The requirement is to achieve this with javascript disabled. See

I have managed to achieve a similar functionality via Javascript and a modal dialog but would like to cater for the occassion where the user has JS turned off.

Anurag Verma wrote:I am not very sure whether i have understood your problem, but suggesting the solution for whatever i have understood.
Have a zero size(invisible) iframe in your page having some content with auto refresh at say every 15 seconds or so.
On server have a filter for the URL patterns used by your app which will redirect to login page if the session is expired (make sure you keep the requested URL to serve after login). By doing this you will be redirected to login page whenever there is a request having no/invalid/expired session. Have a field in your session to keep last requested time, Upon every request, have a check whether the difference between last requested time & current time is greater than session expiration time, if yes, invalidate the session & redirect to login page. If not, then update the last requested time by current time in session for requests which are not made by iframe.

if the request is made by iframe & the session is no more valid, then render a script which will be executed right after being loaded, & which will reload the _top page (or you can have redirection to login page right from here).

Please confirm if this answers, or help me understand your question if i haven't.

Unfortunately, I am rather confused at what you are suggesing (having spent another all nighter perhaps my faculties are impaired due to tiredness). Unless I am suffering from a serious lack of sleep and am missing the completely obvious would not a continually auto-refreshing page also lead to continuous session's getLastAccessedTime being updated - meaning the session would never time out.

Piyush Mangal wrote:

Anurag Verma wrote:...

Hi Anurag, The requirement is to achieve this with javascript disabled. See

I have managed to achieve a similar functionality via Javascript and a modal dialog but would like to cater for the occassion where the user has JS turned off.

This is exactly the situation I need to cater for as I can already achive this with JavaScript, but having seen an application in action (online banking) which refreshes the page on timeout even when JS is turned off, I would very much like to hold on to the (possibly unachievable) dream of implementing the same. Or should I just blacklist users who have JS turned off and enforce JS to be on.

As I mentioned previously, that application is using ASPX technology so perhaps it just isn't possible with servlets which is why I mentioned the part about putting me out of my misery although I would prefer not to give up until people of authority have spoken on the matter.

Hi Faisal, the session thing is already taken care of in -

If not, then update the last requested time by current time in session for requests which are not made by iframe.

& sorry about not getting your question properly earlier.