View Full Version : Handling HTTP Session timeout
Aug 27th, 2004, 04:22 PM
Do I need to write my own interceptor for HTTP session time out? How do I detect it transparently rather than in each controller and give the user a message that their session has time out?
Aug 27th, 2004, 04:40 PM
Is WebContentInterceptor getting used by the framework? I still would like to know how to let the user know that the session was timedout by giving a message.
Aug 27th, 2004, 04:43 PM
Take a look at the following class in J2EE:
It's in at least J2EE 1.3, maybe earlier. The container will notify you when the session expires. (Or well, at least when it unbinds the values) This can be significantly longer than your defined session timeout. Depends on how your container handles it. There might be better ways, but that's how we're currently handling it.
Sep 5th, 2004, 11:58 AM
Maybe you could use a Filter that stores a value in the Session object upon first request and then systematically verifies with each subsequent request if the value still exists within the user's session object. If the session timed out, the Filter will not find the value in the user's session object, and can then decide to redirect the user to a page with "a session timed out" message.
Sep 5th, 2004, 09:21 PM
That would not work since users are allowed to use the site without authenticating. Acegi already stores an object in the session, but if the user is authenticated and then the session timesout, I need to detect this, therefore I just can't check for a session object since they would get this message when using the site un-authenticated.
BTW - Since HTTP is stateless, how do you know which is the first request?
Sep 5th, 2004, 09:36 PM
Instead of placing a special key in the session you could send a cookie to the user that stores the current session id and has a timeout that is some arbitrary length longer than the session timeout.
Then on each request you check to see if the session id you stored in the cookie matches the current session id. If not, then you can be sure that the session has timed out.
However what makes more sense in most web apps to define the set of pages that *must* have an established session and to place a filter around them that makes sure that this session exists.
Sep 5th, 2004, 11:42 PM
But isn't the issue with Spring is that it always creates a session, therefore a session always exists? I think you point about the cookie makes sense, but since I am now depending on the user's browser settings, I must handle if they will accept this cookie also.[/quote]
Sep 6th, 2004, 12:13 AM
since I am now depending on the user's browser settings, I must handle if they will accept this cookie also
Sorry I assumed that as you were using sessions you were also using cookies. Most people don't implement URL rewriting.
Anyway that's one of the resons why I suggested that my second option is a better choice
Sep 6th, 2004, 12:30 AM
hmm.... interesting point, how does Spring handle if the user will now accept the session cookie? does the framework switch to URL re-writing with the JSESSIONID as a request parameter? hence my earlier question about the useage of the WebContentInterceptor.
Sep 6th, 2004, 01:20 AM
does the framework switch to URL re-writing with the JSESSIONID as a request parameter? hence my earlier question about the useage of the WebContentInterceptor.
It should make no difference to Spring whether sessions are cookie or URL based and there is no standard way to enable or disable URL re-writing.
If you want to use URL re-writing then it is your responsibility to make sure that *every* link in you site is passed through a processor that will re-write it. Have a look at this link for a short description of what you need to do http://www-306.ibm.com/software/webservers/appserv/doc/v40/ae/infocenter/was/040401010102.html
Powered by vBulletin® Version 4.2.1 Copyright © 2013 vBulletin Solutions, Inc. All rights reserved.