Is SessionId Active

 
Ranch Hand
I want to check and see if a sessionID is active in my application.

When a user logs on to my app I store the sessionID in a data table.

I would like to be able to use that sessionID to see if it is still active or has been invalidated.
 
Sheriff
I'm sorry, but when you say "I" would like to use the session ID, what exactly does that mean?
 
Bartender
Don't even think about it.

I presume you mean the "jsessionid" cookie/URL extension. This is not meaningful data except to the webapp server. And it can and does change without notice. So just grabbing it and comparing won't tell you anything about whether or not there's a specific HttpSession behind it. The jsessionid is a random number created for appserver housekeeping only.

If you are using the J2EE Container security framework for logins - and you generally should - you can detect when someone has logged in or out by looking at the getRemoteUser() method of the HttpServletRequest, which you can monitor in a servlet filter, although I can't think offhand of how you can tell who just logged out that way, since the remoteUser value will then be null. And, actually, if you're using single signon (SSO), the appearance of a remoteUser itself means little, since it will be inheriting a login that may have been done in a different app on a different server long before.

A Session Listener can tell when HttpSession objects are created and destroyed, although a webapp may create an HttpSession even though the corresponding user only logs on later, or maybe never.

If you combine all that, and you're not using SSO, you should be able to get a pretty good idea of who's logged in and by using the session listener. Note that when a session times out, it will be destroyed and that will also cause the session listener's "destroy" method to be called.
 
Steve Dyke
Ranch Hand

Tim Holloway wrote:Don't even think about it.



Thanks I have been trying to rethink this whole thing.
 
Paul Clapham
Sheriff

Steve Dyke wrote:Thanks I have been trying to rethink this whole thing.



The first thing to think about is, why would you want to know which sessions are active? There must be a purpose for which you want to use that information. Then, maybe that purpose can be fulfilled in a different way.
 
Steve Dyke
Ranch Hand

My issue is that the Heap Size of my application (WebSphere) keeps maxing out. IBM did analysis and said the memory was overrun with HTTP Sessions.
I thought that if I knew the session ID of the sessions I could do an invalidate on that ID and kill that particular HTTP Session.

However, I have been working on my code to call an invalidate after specified user inactivity.

But I really do not know how to handle the application instance once the session gets invalidated. Do I push it back to the logon prompts?
But if I do anything it just creates a new HTTP Session.
 
Tim Holloway
Bartender
First you need to find out why all those sessions are alive at the same time. Do you actually have that many online users? If so, they may be legitimate and the only real choices are A) IBM (Install Bigger Memory), B) reduce the amount of session data being used by the offending application(s), C) Change the apps to minimize their use of an HttpSession environment (if you're using container security, that basically means making pages that don't really need the user to be logged in be unsecured - or Just In Time Login, if you prefer). D) Run a cluster. E) Convert to ReST (which is item B carried to its logical conclusion).

And F) Are these active users, or should you shorten the session timeout to drop people who left the site without logging off?

You might want to add Session Listeners to log the start and stop times (and thus durations) of the sessions, and at destroy time, look at how many/how big the collection of session-scope variables hanging onto it is.
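
The session listener suggested in this post and in the earlier answer could look like the following. This is an added example, not code from the thread; the class name, log format and the `ref` helper are assumptions, and it uses the `javax.servlet` API.

```java
import java.util.Collections;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.logging.Logger;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

// Added example: logs session lifetime and session-scope attribute count.
// Class name and log format are illustrative assumptions.
@WebListener // Servlet 3.0+; on older containers register it with <listener> in web.xml
public class SessionAuditListener implements HttpSessionListener {
    private static final Logger LOG = Logger.getLogger(SessionAuditListener.class.getName());
    private static final AtomicInteger ACTIVE = new AtomicInteger();

    @Override
    public void sessionCreated(HttpSessionEvent se) {
        // Fires for every new HttpSession, including ones created before any login.
        LOG.info("session created ref=" + ref(se.getSession())
                + " active=" + ACTIVE.incrementAndGet());
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        // Fires on explicit invalidate() and on container timeout alike;
        // the session is still readable at this point.
        HttpSession s = se.getSession();
        long now = System.currentTimeMillis();
        long lifetimeSec = (now - s.getCreationTime()) / 1000;
        long idleSec = (now - s.getLastAccessedTime()) / 1000;
        int attrs = Collections.list(s.getAttributeNames()).size();
        LOG.info("session destroyed ref=" + ref(s) + " lifetimeSec=" + lifetimeSec
                + " idleSec=" + idleSec + " attributes=" + attrs
                + " active=" + ACTIVE.decrementAndGet());
    }

    // Correlates create/destroy lines without writing the raw session ID to the log.
    private static String ref(HttpSession s) {
        return Integer.toHexString(s.getId().hashCode());
    }
}
```

A large `active` count with long `idleSec` values at destroy time points at abandoned sessions waiting for the timeout rather than at real concurrent users.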
 
Steve Dyke
Ranch Hand

A couple of things I have done is increase the Heap Size to 7G. I am working on code to invalidate the session if idle for a specified time.
I am using Session Listener also.
So the invalidate fires either automatically (inactivity), when the user logs off (does not shut the application down), and when the page is actually closed.

However, when either of the first two fire do I just loop back to the initial application start up?
 
Tim Holloway
Bartender
You don't need to add timeout logic. There's a session timeout clause that you can use to override the server's default timeout interval. Once no requests have been received from a user for longer than that period, the webapp server itself will automatically destroy the session (and thus log out the user, if J2EE security was used).

The server knows nothing about when the page is closed. Once a request has been made and response to the client has been received, the client completely disconnects from the server and does not re-connect until the next request is submitted to the server. The closest thing to "knowing" that a page is closed is if the page has a periodic refresh meta-tag or there's periodic AJAX "pinging" the server. Those both cause a request to be made to the server when they fire off.

If the server times out, the client will not be notified. No code runs on the server for a client except when an Http request from that client is actively being processed. Once the request is processed and the response sent to the client, the thread that ran the request processor is returned to the global request thread pool.

Webapps are not programs. They do not have single entry points or continuous processes(*), just handlers for different URLs. Which is one reason why so many webapps with do-it-yourself logins are so easily hacked - you can often simply skip right past the login page.

Personally, I prefer not to meddle with the client's URL just because they're logged out. If the server re-directs a URL, it makes it hard to "bookmark" internal pages. The standard security system can deal with that just fine, because if the bookmarked page requires authorization, the server will force them to log in, but then proceed directly to the bookmarked page. But it's not uncommon for people to design apps that force un-authenticated users to a "home" page. You can do this easily with a HTTP listener with container standard security by simply re-directing the request to the home page if the getRemoteUser() returns null.

===
* Except under certain limited conditions, and these processes never connect to the client.
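
The two mechanisms described in this post, the container's own session timeout and a redirect when getRemoteUser() returns null, are sketched below as an added example that is not part of the original post. The 15-minute timeout, the `/app/*` mapping, the `/home` path and the class name are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/*
 * Added example. Idle sessions are left to the container's timeout, set in web.xml:
 *   <session-config><session-timeout>15</session-timeout></session-config>  (minutes)
 * The 15-minute value, the /app/* mapping and the /home path are assumptions.
 */
@WebFilter("/app/*")
public class RequireLoginFilter implements Filter {
    // Public page mapped outside /app/*, so the redirect cannot loop back here.
    private static final String HOME = "/home";

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getRemoteUser() is null when the container holds no authenticated user
        // for this request (never logged in, logged out, or session timed out).
        if (request.getRemoteUser() == null) {
            // No getSession() call is made, so this check does not itself create
            // a new HttpSession. A JSP home page still creates one unless it
            // declares <%@ page session="false" %>.
            response.sendRedirect(request.getContextPath() + HOME);
            return; // the protected resource is not run
        }
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig cfg) { }   // required before Servlet 4.0
    @Override public void destroy() { }
}
```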
 