
Session Timeout

 
Steve Dyke
Ranch Hand
Posts: 1706
1
I am using WebSphere for my web application. I have written a session config in the web.xml.

However, the session never seems to time out.



I also have a filter that calls a class:



Here is my class:



It is very possible I am not understanding the timeout process. I start the application, log on, then let the application sit idle for over 5 minutes and the application is still accessible.

Will a JavaScript timer calling a servlet every three minutes make the application think it is active?
 
Dylon Stout
Greenhorn
Posts: 3
Are you passing or accessing any session information with the servlet that you are calling in your JavaScript?
 
Steve Dyke
Ranch Hand
Posts: 1706
1
Dylon Stout wrote: Are you passing or accessing any session information with the servlet that you are calling in your JavaScript?


Yes, here is one example:



I am also experimenting with the setMaxInactiveInterval() but have not got it to work either.

In what servlet would I put this so it would be global? In the first servlet that is accessed?

Like I said I do not think I understand the overall function of the timeout event.
 
Dylon Stout
Greenhorn
Posts: 3
If a request is made using the same originating session ID before the expiration interval elapses, then the timer will be reset on your max inactive interval (which I am guessing is happening with your JavaScript).

One thought would be to create an HttpSessionListener to monitor your sessions when they are created and when they are destroyed in order to help determine when exactly the session in question expires. You may want to consider not calling the servlet in a way that does not utilize any session properties if possible.

 
Dylon Stout
Greenhorn
Posts: 3
Just for clarification, does the servlet you are executing through JavaScript need session information to perform its tasks?
 
Steve Dyke
Ranch Hand
Posts: 1706
1
Again I have a basic question.

When a user clicks a link to call the application index.jsp file, is the session generated at that point for the lifetime of the application instance?

Or is a session created every time a servlet is accessed within the application?
 
Steve Dyke
Ranch Hand
Posts: 1706
1
Dylon Stout wrote: Just for clarification, does the servlet you are executing through JavaScript need session information to perform its tasks?


This is a snippet of my servlet. It is called by JavaScript (Ajax):



Is there any way to use an Ajax call to a servlet so that it does not affect the timeout process of the application? In other words, I only want user interaction to affect the timeout and not program interaction.
 
Bear Bibeault
Author and ninkuma
Marshal
Pie
Posts: 65335
97
IntelliJ IDE Java jQuery Mac Mac OS X
Then you will not be able to rely upon the session timeout, and you will have to create your own timeout mechanism using filters and storing timing information in the session.
 
Steve Dyke
Ranch Hand
Posts: 1706
1
Bear Bibeault wrote: Then you will not be able to rely upon the session timeout, and you will have to create your own timeout mechanism using filters and storing timing information in the session.


So in the filter, reset the session.setMaxInactiveInterval(30) on every servlet except the servlet that refreshes the header message?
 
Steve Dyke
Ranch Hand
Posts: 1706
1
Bear Bibeault wrote: Then you will not be able to rely upon the session timeout, and you will have to create your own timeout mechanism using filters and storing timing information in the session.


I am having trouble.

If I make a request to a servlet, by the time the filter processes it, won't the lastAccessedTime already be reset?

So no matter how long I wait to make the request the maxInactiveInterval will always be reset.

This is my doFilter code:

 
Dave Tolls
Ranch Hand
Posts: 2091
15
Yes.
As Bear says, you can't rely on the session timeout for this, which means any of the standard session information as they are controlled by the server engine.

You need to roll your own and store the info in the session as an attribute.
 
Bear Bibeault
Author and ninkuma
Marshal
Pie
Posts: 65335
97
IntelliJ IDE Java jQuery Mac Mac OS X
Exactly. Screwing around with the session timeout will not achieve what you are after. You need to keep track of last access times in your session and take appropriate action when whatever time limit you decide upon has been reached.

You either use the session as it is intended, or you roll your own. Them's the choices.
 
Steve Dyke
Ranch Hand
Posts: 1706
1
Dave Tolls wrote: Yes.
As Bear says, you can't rely on the session timeout for this, which means any of the standard session information as they are controlled by the server engine.

You need to roll your own and store the info in the session as an attribute.


Can you or someone look at the code I posted and guide me where to set the last access time so it does not get refreshed within the filter.doFilter?
 
Steve Dyke
Ranch Hand
Posts: 1706
1
Bear Bibeault wrote: You need to keep track of last access times in your session.


Can we take this a step at a time?

Referring to your quote here. Do I do this in my filter? And I would not use the session.getLastAccessedTime() but my own variable?
 
Steve Dyke
Ranch Hand
Posts: 1706
1
Bear Bibeault wrote: Exactly. Screwing around with the session timeout will not achieve what you are after. You need to keep track of last access times in your session and take appropriate action when whatever time limit you decide upon has been reached.

You either use the session as it is intended, or you roll your own. Them's the choices.


Tell me if I have this correct. I get the logon timestamp and add say 30 minutes to it. This becomes my limit. Then at the filter I check the access time and compare it to my limit and decide if invalidate is called?

One question is how could I make the limit dynamic so as long as there is activity, at least when certain servlets are accessed?
 
Bear Bibeault
Author and ninkuma
Marshal
Pie
Posts: 65335
97
IntelliJ IDE Java jQuery Mac Mac OS X
Steve Dyke wrote: Tell me if I have this correct. I get the logon timestamp and add say 30 minutes to it. This becomes my limit. Then at the filter I check the access time and compare it to my limit and decide if invalidate is called?

Sort of. You want to timeout after 30 minutes, but only for non-Ajax requests, right? (That's what I've gathered so far.)

So you set up a filter for all but Ajax requests (either use URL patterns to distinguish non-Ajax from Ajax requests, or look at the headers to see if the request is Ajax or not). Every time a non-Ajax request comes through, keep track of timing by storing a timestamp in the session. See how much time has passed since the previous timestamp. Obviously, first time through, there is no previous timestamp, so skip this step in that case. If the duration between now and previous exceeds your limit (30 minutes), redirect to the login page to force re-authentication. Then update the timestamp to now.

It's pretty simple really. Note that at no time is the session invalidated. That's so 1998 that you should never even think along those lines.

One question is how could I make the limit dynamic so as long as there is activity, at least when certain servlets are accessed?

If you only want to track certain servlets, make sure that they use a specific URL pattern that your filter can also be mapped to. That way, the filter only triggers for the servlets of interest.
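
The filter described in the reply above, as an added example that is not code from the thread or from any poster. The attribute names, `LOGIN_PATH` and the `X-Requested-With` header test are assumptions, as is a login servlet (mapped outside this filter) that removes `REAUTH` and sets `LAST_ACTIVITY` after a successful logon. It goes one step beyond the reply by also checking the limit on Ajax requests, so a client-supplied header cannot skip the check.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example, not code from the thread. Names below are hypothetical.
public class IdleTimeoutFilter implements Filter {
    static final String LAST_ACTIVITY = "idle.lastUserActivity"; // hypothetical
    static final String REAUTH = "idle.reauthRequired";          // hypothetical
    static final String LOGIN_PATH = "/login.jsp";               // hypothetical
    static final long LIMIT_MS = 30L * 60 * 1000;                // 30 minutes

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        HttpSession session = req.getSession(false);
        // No session yet, or the login page itself: nothing to time out.
        if (session == null || req.getServletPath().equals(LOGIN_PATH)) {
            chain.doFilter(rq, rs);
            return;
        }
        // Assumption: Ajax callers send this header (jQuery does by default).
        boolean ajax = "XMLHttpRequest".equals(req.getHeader("X-Requested-With"));
        long now = System.currentTimeMillis();
        Long previous = (Long) session.getAttribute(LAST_ACTIVITY);
        // First request has no previous timestamp, so the comparison is skipped.
        if (previous != null && now - previous > LIMIT_MS) {
            session.setAttribute(REAUTH, Boolean.TRUE);
        }
        // Once expired, every request is refused until the login servlet clears the flag.
        if (session.getAttribute(REAUTH) != null) {
            if (ajax) {
                res.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            } else {
                res.sendRedirect(req.getContextPath() + LOGIN_PATH);
            }
            return;
        }
        // Only user-driven (non-Ajax) requests count as activity.
        if (!ajax) {
            session.setAttribute(LAST_ACTIVITY, Long.valueOf(now));
        }
        chain.doFilter(rq, rs);
    }
}
```

Because the header only decides whether a request refreshes the timestamp, a client that forges it on every request shortens its own idle window rather than extending it. Keep the container's `session-timeout` longer than `LIMIT_MS`, since the background Ajax polling keeps the container session alive anyway.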
 