Thread: Session timeout handling

  1. #1

    Session timeout handling

    I am using Spring Security and I have a custom logout filter.

    Code:
    public void logout(HttpServletRequest request, HttpServletResponse response, Authentication authentication) {
        UserSessionMap sessionMap = UserSessionMap.getInstance();
        String userId = authentication.getName();
        sessionMap.invalidateUserSession(userId);
        notifyUserLogout(userId);
        sessionMap.printMap();
    }
    Now the issue is I haven't set any timeout in web.xml, and if I keep the screen logged in for some time, around 2 hrs or so, and click logout, I got a NULL POINTER EXCEPTION in

    Code:
    String userId = authentication.getName();
    which I guess is because, due to automatic timeout, the authentication object becomes null and the name couldn't be found. But in that case I will not be able to do the DB clean up as required. Can someone please tell me how I can capture a timeout event and call the above method to do the DB clean up?

  2. #2

    There is always a session timeout; if there weren't, your servers would be cluttered with old session data, causing serious issues in the end. The default for Tomcat is 30 minutes, I believe, but it can differ from container to container.

    You will need to create an HttpSessionListener and probably implement the sessionDestroyed method. That, however, does not give you the user etc., but it gives you the sessionId, so if you have some way of determining which sessionId is tied to which user you can still clean up the data.
    Marten Deinum
    Java Consultant / Pragmatist / Open Source Enthusiast / Author

  3. #3

    Hi Marten,

    Thanks for your reply. I guess I have a singleton hashmap in the application where I am maintaining the user session for all the users who have logged in along with their userId, and even if I get the session ID it will work for me. Thanks again for your valuable suggestion.
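
The listener suggested in reply #2, combined with a session-ID-to-user map like the one mentioned in reply #3, as an added example that is not code from the thread. The class name `SessionCleanupListener` and the `bind` and `cleanUp` methods are hypothetical, and the `javax.servlet` API is assumed.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/**
 * Added example (hypothetical names). Register it with a <listener> element in web.xml.
 * The container calls sessionDestroyed() for explicit invalidation and for timeout alike,
 * so clean-up no longer depends on an Authentication object being present at logout.
 */
public class SessionCleanupListener implements HttpSessionListener {

    // Hypothetical index: session ID -> user ID, filled once the user has logged in.
    private static final Map<String, String> USER_BY_SESSION = new ConcurrentHashMap<>();

    /** Call from the login success path, using the session ID in force after authentication. */
    public static void bind(String sessionId, String userId) {
        if (sessionId != null && userId != null) {
            USER_BY_SESSION.put(sessionId, userId);
        }
    }

    @Override
    public void sessionCreated(HttpSessionEvent event) {
        // Nothing to do: the user is not known until login completes.
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent event) {
        String sessionId = event.getSession().getId();
        // remove() is atomic, so a logout racing a timeout cannot run clean-up twice.
        String userId = USER_BY_SESSION.remove(sessionId);
        if (userId == null) {
            return; // anonymous session, or already cleaned up
        }
        cleanUp(userId);
    }

    /** Hypothetical hook standing in for the DB clean-up and notification done in logout(). */
    protected void cleanUp(String userId) {
        System.out.println("cleaning up server-side state for " + userId);
    }
}
```

Spring Security's session-fixation protection can replace the session at login, so `bind` should be called with the ID of the session that exists after authentication; the discarded pre-login session then reaches `sessionDestroyed` with no map entry and is ignored.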
