I want to make an ajax call after receive 10 seconds to see the session status on a page , But as i know on every call to server session will be refreshed and again tome out will be reset , What is the best policy to find remaining session's time without resetting it through ajax.
Is there any way to exclude a URL which should not reset session, And this url just responsible to get session information through ajax?
Mohamed Sanaulla wrote:Its better to avoid using Sessions as they can be a cause for a lot of bugs and does not scale.
I disagree with both these points. Anything can be cause for bugs, there's nothing inherent in sessions that makes them especially bug-prone. That sessions don't scale is a myth from 15 years ago, when they were new, and people put many MBs of data in them per user, because they didn't understand that point. Used responsibly, sessions are quite useful and there's no reason to avoid them in general.
And the original poster seems to be trying to get information about the session, not information they have stored in the session, since the session exists whatever it's not really going to be an issue.
Not too sure what data exactly is to be retrieved, though? Just whether the session is active?
In which case, yes, I expect that's not possible as you are keeping the session alive by making the request.
You cannot keep track of the state of the session timeout via requests because, as you've noted, making such a request changes what you are trying to observe (see observer effect).
Rather, I see that you have three choices:
Don't use the actual session timeout, but rather, use the session to keep track of an artifical "security" timeout. See below.
Decide it's not worth it and give it up as not important enough to spend a bunch of time on.
I highly recommend that latter unless it's a really important feature.
Regarding the "security timeout" approach: in a bank application I once worked on, I needed to set things up such that:
If the user was idle for 15 minutes, to force them to log in again.
After login, to make sure that no state was lost. Inlcuding any form that they were in the middle of filling in.
Use the traditional method of letting a session expire wouldn't cut it. So here's what I did:
Set things up so that the session never actually expired.
Used a servlet filter on almost every request (leaving out things like login) that recorded when the request was made, and computed how long since the last request.
If longer than 15 minutes, pop up a login box.
Because the session never actually expired, all state could be kept in the session without the need to try and recreate it after a "timeout". And use of Ajax prevented pages from refreshing unless I wanted them to.
You could easily set something up similar, and set up the call to find out how much time is left to not reset the "timer".
But again, ditching the feature unless it's really important is easier.