Posted to users@tomcat.apache.org by Jerry Malcolm <te...@malcolms.com> on 2015/12/01 18:30:17 UTC

Detecting Expired Session via JavaScript?

I'm looking for a way to detect that the current session has expired (or 
logged out via another tab on the browser).  I know I could just issue 
dummy requests to the server and see if a login page comes back.  But 
issuing requests automatically resets the session timer. I need a benign 
way to query that doesn't keep the session alive forever.

I'm sure this problem has been solved before.  But basically, I want to 
know that the session is no longer valid and force the user back to the 
login page.  I know one possibility is to set the Tomcat timer to 30 min 
expiration, and then keep a '29 minute' timer running in the browser.  
But my clients can change the tomcat session timer length.  And also 
this doesn't account for a logoff using the same session on a different 
browser tab.  I'd really like a pro-active query method if anything like 
that exists.

Suggestion?

Thanks.

Jerry

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Detecting Expired Session via JavaScript?

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Jerry,

On 12/1/15 3:11 PM, Jerry Malcolm wrote:
> On 12/1/2015 1:28 PM, Christopher Schultz wrote:
>> Jerry,
>>
>> On 12/1/15 12:30 PM, Jerry Malcolm wrote:
>>> I'm looking for a way to detect that the current session has expired (or
>>> logged out via another tab on the browser).  I know I could just issue
>>> dummy requests to the server and see if a login page comes back.  But
>>> issuing requests automatically resets the session timer. I need a benign
>>> way to query that doesn't keep the session alive forever.
>>>
>>> I'm sure this problem has been solved before.  But basically, I want to
>>> know that the session is no longer valid and force the user back to the
>>> login page.  I know one possibility is to set the Tomcat timer to 30 min
>>> expiration, and then keep a '29 minute' timer running in the browser.
>>> But my clients can change the tomcat session timer length.
>> When you generate your HTML page, toss the
>> HttpSession.getMaxInactiveInterval into the page somewhere, then wait
>> that number of minutes. Don't hard-code 29 minutes (though 31 would have
>> been a better time to wait if you didn't want to automatically-extend
>> the session).
>>
>>> And also this doesn't account for a logoff using the same session on
>>> a different browser tab.  I'd really like a pro-active query method
>>> if anything like that exists.
>> Try something like this:
>>
>> - Set -Dorg.apache.catalina.core.StandardHostValve.ACCESS_SESSION=false
>>    (false is the default if org.apache.catalina.STRICT_SERVLET_COMPLIANCE
>>     is not set to "true")
>
> Does this go in service.bat?  Separate line?

I would put it into CATALINA_HOME/bin/setenv.bat rather than anywhere
else. That is, if you actually do launch Tomcat from the command-line.
Most Windows users run Tomcat from the service snap-in, which means
you'll have to re-configure that using tomcatNw.exe (where N is your
Tomcat version -- you didn't say what you were running) and editing the
system properties that will be set on JVM launch.

>> - Write a quick page like this:
>>
>>    session-check.jsp:
>>    <%@ page session="false" contentType="application/json" %>
>>    { "valid" : <%= request.isRequestedSessionIdValid() %> }
>>
>> Then you can request this page to see the value of "valid".
>>
>> I wasn't able to tell if the isRequestedSessionIdValid method is
>> supposed to "touch" the session's last-update-timestamp. I read some
>> code in Tomcat and didn't find a "touch" but that doesn't mean it
>> couldn't change. I didn't see anything in the spec that specifically
>> said that method doesn't "touch" the session.
>
> This makes sense as long as it truly does not keep the session alive.   

Right. I can't prove it will work, but it's quite easy to try it. You
could even temporarily set your session timeout to 5 minutes to make the
test go faster.

> Just to be sure I understand things, if I first access an unprotected
> file requiring no login, I'll have a valid session.

That's not necessarily true.

> But I'll still get the login page if later I access a protected file
> in that same session, correct?

Session doesn't always mean login, but the servlet spec indicates that,
once authenticated using FORM authentication (specifically), the
termination of the HttpSession is synonymous with being logged-out. If
you then try to access a protected page, you'll get the login page.

But the converse is not true: merely having an HttpSession available
does not mean that you have been authenticated.

> Not a big deal.  I'll just have to only use this on pages that
> assure a login has occurred. Also, I assume I should put the
> session-check.jsp in an unprotected folder, otherwise I'll get a login
> challenge before I even can get to the session-check, right?

Note that the JSP I provided won't tell you if the user is logged-in; it
will only tell you if the session is valid.

If you want to know both, you can do that:

  session-check.jsp:
  <%-- session="false": this page never creates or fetches an HttpSession --%>
  <%@ page session="false" contentType="application/json" %>
  {
    "valid" : <%= request.isRequestedSessionIdValid() %>,
    "authenticated": <%= request.isRequestedSessionIdValid() ? null != request.getUserPrincipal() : false %>
  }

(Note that I predicate the request.getUserPrincipal call because I'm
fairly sure that will trigger a session touch. The idea is to avoid
prolonging an /authenticated/ session, but you don't care how long an
unauthenticated session persists, right?)

There are other, uglier and less-portable ways to do this, but if you
can stick within the spec-defined APIs you'll be better off.

-chris



Re: Detecting Expired Session via JavaScript?

Posted by Jerry Malcolm <te...@malcolms.com>.
Chris,

On 12/1/2015 1:28 PM, Christopher Schultz wrote:
> Jerry,
>
> On 12/1/15 12:30 PM, Jerry Malcolm wrote:
>> I'm looking for a way to detect that the current session has expired (or
>> logged out via another tab on the browser).  I know I could just issue
>> dummy requests to the server and see if a login page comes back.  But
>> issuing requests automatically resets the session timer. I need a benign
>> way to query that doesn't keep the session alive forever.
>>
>> I'm sure this problem has been solved before.  But basically, I want to
>> know that the session is no longer valid and force the user back to the
>> login page.  I know one possibility is to set the Tomcat timer to 30 min
>> expiration, and then keep a '29 minute' timer running in the browser.
>> But my clients can change the tomcat session timer length.
> When you generate your HTML page, toss the
> HttpSession.getMaxInactiveInterval into the page somewhere, then wait
> that number of minutes. Don't hard-code 29 minutes (though 31 would have
> been a better time to wait if you didn't want to automatically-extend
> the session).
>
>> And also this doesn't account for a logoff using the same session on
>> a different browser tab.  I'd really like a pro-active query method
>> if anything like that exists.
> Try something like this:
>
> - Set -Dorg.apache.catalina.core.StandardHostValve.ACCESS_SESSION=false
>    (false is the default if org.apache.catalina.STRICT_SERVLET_COMPLIANCE
>     is not set to "true")
Does this go in service.bat?  Separate line?

>
> - Write a quick page like this:
>
>    session-check.jsp:
>    <%@ page session="false" contentType="application/json" %>
>    { "valid" : <%= request.isRequestedSessionIdValid() %> }
>
> Then you can request this page to see the value of "valid".
>
> I wasn't able to tell if the isRequestedSessionIdValid method is
> supposed to "touch" the session's last-update-timestamp. I read some
> code in Tomcat and didn't find a "touch" but that doesn't mean it
> couldn't change. I didn't see anything in the spec that specifically
> said that method doesn't "touch" the session.
This makes sense as long as it truly does not keep the session alive.    
Just to be sure I understand things, if I first access an unprotected 
file requiring no login, I'll have a valid session. But I'll still get 
the login page if later I access a protected file in that same session, 
correct?  Not a big deal.  I'll just have to only use this on pages that 
assure a login has occurred.  Also, I assume I should put the 
session-check.jsp in an unprotected folder, otherwise I'll get a login 
challenge before I even can get to the session-check, right?

Thanks.

Jerry




Re: Detecting Expired Session via JavaScript?

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Jerry,

On 12/1/15 12:30 PM, Jerry Malcolm wrote:
> I'm looking for a way to detect that the current session has expired (or
> logged out via another tab on the browser).  I know I could just issue
> dummy requests to the server and see if a login page comes back.  But
> issuing requests automatically resets the session timer. I need a benign
> way to query that doesn't keep the session alive forever.
> 
> I'm sure this problem has been solved before.  But basically, I want to
> know that the session is no longer valid and force the user back to the
> login page.  I know one possibility is to set the Tomcat timer to 30 min
> expiration, and then keep a '29 minute' timer running in the browser. 
> But my clients can change the tomcat session timer length. 

When you generate your HTML page, toss the
HttpSession.getMaxInactiveInterval into the page somewhere, then wait
that number of minutes. Don't hard-code 29 minutes (though 31 would have
been a better time to wait if you didn't want to automatically-extend
the session).

> And also this doesn't account for a logoff using the same session on
> a different browser tab.  I'd really like a pro-active query method
> if anything like that exists.

Try something like this:

- Set -Dorg.apache.catalina.core.StandardHostValve.ACCESS_SESSION=false
  (false is the default if org.apache.catalina.STRICT_SERVLET_COMPLIANCE
   is not set to "true")

- Write a quick page like this:

  session-check.jsp:
  <%@ page session="false" contentType="application/json" %>
  { "valid" : <%= request.isRequestedSessionIdValid() %> }

Then you can request this page to see the value of "valid".

I wasn't able to tell if the isRequestedSessionIdValid method is
supposed to "touch" the session's last-update-timestamp. I read some
code in Tomcat and didn't find a "touch" but that doesn't mean it
couldn't change. I didn't see anything in the spec that specifically
said that method doesn't "touch" the session.

-chris



Re: Detecting Expired Session via JavaScript?

Posted by Jose María Zaragoza <de...@gmail.com>.
2015-12-01 19:17 GMT+01:00 Jose María Zaragoza <de...@gmail.com>:
> 2015-12-01 18:30 GMT+01:00 Jerry Malcolm <te...@malcolms.com>:
>> I'm looking for a way to detect that the current session has expired (or
>> logged out via another tab on the browser).  I know I could just issue dummy
>> requests to the server and see if a login page comes back.  But issuing
>> requests automatically resets the session timer.
>
> Only if the request goes to the same application.
> You can create an HttpSessionListener that saves some info on a shared
> store when the session is expired.
> Another REST service could check the status of the session when it is
> requested by your page.


Another option is to use Comet long polling (requires Servlet 3.x)
with only one event sent by the server to the browser: session expired.
When the browser receives it, stop polling until the user is logged in again.

Or websockets ...



>
> You only need to think of the way to map the Tomcat session with REST
> requests (a random string created on page load, stored in a
> local javascript variable and sent to the server when logging in? I don't
> know).
>
>
>
>
>> I need a benign way to
>> query that doesn't keep the session alive forever.
>>
>> I'm sure this problem has been solved before.  But basically, I want to know
>> that the session is no longer valid and force the user back to the login
>> page.  I know one possibility is to set the Tomcat timer to 30 min
>> expiration, and then keep a '29 minute' timer running in the browser.  But
>> my clients can change the tomcat session timer length.  And also this
>> doesn't account for a logoff using the same session on a different browser
>> tab.  I'd really like a pro-active query method if anything like that
>> exists.
>>
>> Suggestion?
>>
>> Thanks.
>>
>> Jerry
>>



Re: Detecting Expired Session via JavaScript?

Posted by "André Warnier (tomcat)" <aw...@ice-sa.com>.
On 02.12.2015 16:55, Christopher Schultz wrote:
> Jerry,
>
> On 12/1/15 2:39 PM, Jerry Malcolm wrote:
>> On 12/1/2015 12:17 PM, Jose María Zaragoza wrote:
>>>
>>> ts automatically resets the session timer.
>>> Only if the request goes to the same application.
>>> You can create an HttpSessionListener that saves some info on a shared
>>> store when the session is expired.
>>> Another REST service could check the status of the session when it is
>>> requested by your page
>> Jose,
>>
>> I understand the listener and storing the state in common storage. But
>> I'm confused on your statement above about the same application.  I have
>> several web apps running on the same host instance.  They all share a
>> common login using SingleSignOn.
>
> Each application has a distinct HttpSession object. The SingleSignOn
> cookie allows each application to re-authenticate using the SSO
> information, so you get a new HttpSession if your old one times out.
>
>> If I hit any of the apps it resets the timer.
>
> I don't think hitting app A will reset the session timeout of app B's
> session. (Or maybe it does, but I didn't think that's how SSO worked in
> Tomcat. Unfortunately, the SSO documentation[1] doesn't actually say
> exactly how all this works.)
>
>> Do they all have separate sessions but share a common login state?
>
> Yes.
>
>> What is the relationship between "logged in" and separate webapp
>> sessions that come and go independently. What I really care about is
>> whether the authenticator is going to bounce the request to a login page
>> or not.  It still seems like calling any app is going to reset the
>> logged-in timer if I'm using single sign-on (?).
>
> The authenticator is not going to send you to a login page for any
> application unless either of these events occurs:
>
> (a) You explicitly log-out from one of the applications. This will
>      terminate the SSO cookie and revoke your logins on all associated
>      applications.
>
> (b) Your SSO cookie (or server-based info) expires. Then you will be
>      asked to authenticate again.
>
> If you are using SSO, this adds a bit of mystery to the situation, since
> what you really want to find out is whether the /SSO token/ is still
> valid. The validity of any of the various individual-application session
> identifiers is irrelevant, since if the SSO token is valid, you will be
> automatically re-authenticated to the individual applications.
>
> I think you may have to re-think how you detect the expiration of your
> users' logins.
>

Hi.
I am sorry to barge in on this discussion, which I have been loosely following over several
days, but I have to say that, at least based on the documentation at
http://tomcat.apache.org/tomcat-8.0-doc/config/valve.html#Single_Sign_On_Valve
and
http://tomcat.apache.org/tomcat-8.0-doc/config/host.html#Single_Sign_On
I still do not understand what the problem is that Jerry is trying to solve.

In his original post, Jerry said
"But basically, I want to know that the session is no longer valid and force the user back 
to the login page."
And he later mentioned that he was using the SSO Valve, and container-based Form 
authentication for the webapps.

But as far as I understand, this is the way it works:
- as soon as the user (initially) accesses any of the protected applications, he/she gets 
a login page and has to log in.  Thereafter, he/she gets access to the requested 
application, which creates an "application session", in which the logged-in state is recorded.
- because of the SSO Valve, some information is also stored separately, regarding the user 
authentication
- now if the user accesses another protected application, the container - which would 
normally send back a login form - notices that there is stored SSO authentication 
information, and automatically authenticates the user for this second application.
Which also creates a separate "application session" stored on the server.
- and so on...
- at some point in the future, any one of these stored application sessions becomes 
invalid (either by something actively invalidating the session, or by a session timeout).
At this point - if I believe the documentation - the container immediately invalidates all 
the other application sessions and whatever SSO authentication had been saved, so that if 
the user subsequently accesses any other (or the same) application, they get a login page 
again.

And is that not precisely what Jerry wanted to achieve in the first place?

Or am I missing/misunderstanding something?







Re: Detecting Expired Session via JavaScript?

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Jerry,

On 12/1/15 2:39 PM, Jerry Malcolm wrote:
> On 12/1/2015 12:17 PM, Jose María Zaragoza wrote:
>>
>> ts automatically resets the session timer.
>> Only if the request goes to the same application.
>> You can create an HttpSessionListener that saves some info on a shared
>> store when the session is expired.
>> Another REST service could check the status of the session when it is
>> requested by your page
> Jose,
> 
> I understand the listener and storing the state in common storage. But
> I'm confused on your statement above about the same application.  I have
> several web apps running on the same host instance.  They all share a
> common login using SingleSignOn.

Each application has a distinct HttpSession object. The SingleSignOn
cookie allows each application to re-authenticate using the SSO
information, so you get a new HttpSession if your old one times out.

> If I hit any of the apps it resets the timer.

I don't think hitting app A will reset the session timeout of app B's
session. (Or maybe it does, but I didn't think that's how SSO worked in
Tomcat. Unfortunately, the SSO documentation[1] doesn't actually say
exactly how all this works.)

> Do they all have separate sessions but share a common login state?

Yes.

> What is the relationship between "logged in" and separate webapp
> sessions that come and go independently. What I really care about is
> whether the authenticator is going to bounce the request to a login page
> or not.  It still seems like calling any app is going to reset the
> logged-in timer if I'm using single sign-on (?).

The authenticator is not going to send you to a login page for any
application unless either of these events occurs:

(a) You explicitly log-out from one of the applications. This will
    terminate the SSO cookie and revoke your logins on all associated
    applications.

(b) Your SSO cookie (or server-based info) expires. Then you will be
    asked to authenticate again.

If you are using SSO, this adds a bit of mystery to the situation, since
what you really want to find out is whether the /SSO token/ is still
valid. The validity of any of the various individual-application session
identifiers is irrelevant, since if the SSO token is valid, you will be
automatically re-authenticated to the individual applications.

I think you may have to re-think how you detect the expiration of your
users' logins.

-chris

[1] http://tomcat.apache.org/tomcat-8.0-doc/config/host.html#Single_Sign_On



Re: Detecting Expired Session via JavaScript?

Posted by Jerry Malcolm <te...@malcolms.com>.
On 12/1/2015 12:17 PM, Jose María Zaragoza wrote:
>
> ts automatically resets the session timer.
> Only if the request goes to the same application.
> You can create an HttpSessionListener that saves some info on a shared
> store when the session is expired.
> Another REST service could check the status of the session when it is
> requested by your page
Jose,

I understand the listener and storing the state in common storage. But 
I'm confused on your statement above about the same application.  I have 
several web apps running on the same host instance.  They all share a 
common login using SingleSignOn.  If I hit any of the apps it resets the 
timer.  Do they all have separate sessions but share a common login 
state?  What is the relationship between "logged in" and separate webapp 
sessions that come and go independently. What I really care about is 
whether the authenticator is going to bounce the request to a login page 
or not.  It still seems like calling any app is going to reset the 
logged-in timer if I'm using single sign-on (?).



Re: Detecting Expired Session via JavaScript?

Posted by Jose María Zaragoza <de...@gmail.com>.
2015-12-01 18:30 GMT+01:00 Jerry Malcolm <te...@malcolms.com>:
> I'm looking for a way to detect that the current session has expired (or
> logged out via another tab on the browser).  I know I could just issue dummy
> requests to the server and see if a login page comes back.  But issuing
> requests automatically resets the session timer.

Only if the request goes to the same application.
You can create an HttpSessionListener that saves some info on a shared
store when the session is expired.
Another REST service could check the status of the session when it is
requested by your page.

You only need to think of the way to map the Tomcat session with REST
requests (a random string created on page load, stored in a
local javascript variable and sent to the server when logging in? I don't
know).




> I need a benign way to
> query that doesn't keep the session alive forever.
>
> I'm sure this problem has been solved before.  But basically, I want to know
> that the session is no longer valid and force the user back to the login
> page.  I know one possibility is to set the Tomcat timer to 30 min
> expiration, and then keep a '29 minute' timer running in the browser.  But
> my clients can change the tomcat session timer length.  And also this
> doesn't account for a logoff using the same session on a different browser
> tab.  I'd really like a pro-active query method if anything like that
> exists.
>
> Suggestion?
>
> Thanks.
>
> Jerry
>



Re: Detecting Expired Session via JavaScript?

Posted by "André Warnier (tomcat)" <aw...@ice-sa.com>.
On 01.12.2015 18:30, Jerry Malcolm wrote:
> I'm looking for a way to detect that the current session has expired (or logged out via
> another tab on the browser).  I know I could just issue dummy requests to the server and
> see if a login page comes back.  But issuing requests automatically resets the session
> timer. I need a benign way to query that doesn't keep the session alive forever.
>
> I'm sure this problem has been solved before.  But basically, I want to know that the
> session is no longer valid and force the user back to the login page.

Isn't that what the standard authentication code does? (or could do?)

> I know one
> possibility is to set the Tomcat timer to 30 min expiration, and then keep a '29 minute'
> timer running in the browser. But my clients can change the tomcat session timer length.
> And also this doesn't account for a logoff using the same session on a different browser
> tab.  I'd really like a pro-active query method if anything like that exists.
>
> Suggestion?
>
> Thanks.
>
> Jerry
>




Detecting Expired Session via JavaScript?

Posted by "Terence M. Bandoian" <te...@tmbsw.com>.
On 12/1/2015 11:30 AM, Jerry Malcolm wrote:
> I'm looking for a way to detect that the current session has expired 
> (or logged out via another tab on the browser).  I know I could just 
> issue dummy requests to the server and see if a login page comes 
> back.  But issuing requests automatically resets the session timer. I 
> need a benign way to query that doesn't keep the session alive forever.
>
> I'm sure this problem has been solved before.  But basically, I want 
> to know that the session is no longer valid and force the user back to 
> the login page.  I know one possibility is to set the Tomcat timer to 
> 30 min expiration, and then keep a '29 minute' timer running in the 
> browser.  But my clients can change the tomcat session timer length.  
> And also this doesn't account for a logoff using the same session on a 
> different browser tab.  I'd really like a pro-active query method if 
> anything like that exists.
>
> Suggestion?
>
> Thanks.
>
> Jerry
>

One problem with checking the session status from the browser is time.
A response may be received from the server that indicates the session
has not expired, but the session may then expire before the next message
is sent.

-Terence Bandoian
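Putting the two pieces of the thread together, a browser-side watcher that polls Chris's session-check.jsp and also keeps the local deadline Terence's timing point calls for; this is an added example, not code from the thread. It assumes the JSP is served unprotected at /session-check.jsp, that the login page is /login.jsp, and that the page embeds HttpSession.getMaxInactiveInterval() as maxInactiveSeconds; all three are placeholders.

```javascript
// Added example (not from the thread). Consumer for the session-check.jsp
// sketched above, which answers
//   { "valid": true|false, "authenticated": true|false }
// plus a client-side deadline so a stale "valid" answer is not trusted
// right up to the timeout. SESSION_CHECK_URL, LOGIN_URL and the
// maxInactiveSeconds value the page embeds are all assumptions.

const SESSION_CHECK_URL = '/session-check.jsp'; // assumed: unprotected path
const LOGIN_URL = '/login.jsp';                 // assumed: login page
const DEFAULT_MARGIN_MS = 15 * 1000;            // "nearly expired" counts as expired

// Classify one response from session-check.jsp.
// Returns 'active' | 'expired' | 'unauthenticated' | 'unknown'.
function interpretSessionCheck(status, contentType, body) {
  // Anything other than a JSON 2xx means we did not reach the check page:
  // status 0 is fetch's opaque redirect, an HTML body is usually the login
  // form because the JSP sits in a protected folder. Never read that as
  // "session alive".
  if (status < 200 || status >= 300) return 'unknown';
  if (!/^application\/json/i.test(contentType || '')) return 'unknown';
  let obj;
  try { obj = JSON.parse(body); } catch (e) { return 'unknown'; }
  if (typeof obj.valid !== 'boolean') return 'unknown';
  if (!obj.valid) return 'expired';
  // "authenticated" exists only in the two-field version of the JSP.
  if (obj.authenticated === false) return 'unauthenticated';
  return 'active';
}

// Client-side deadline: the server may say "valid" and the session can
// still expire before the next real request, so a session whose idle
// deadline lies within marginMs of now is treated as expired. A
// non-positive interval means no timeout (servlet spec: negative = never;
// Tomcat treats 0 the same way).
function isLocallyExpired(maxInactiveSeconds, lastServerRequestMs, nowMs, marginMs) {
  if (!(maxInactiveSeconds > 0)) return false;
  const deadlineMs = lastServerRequestMs + maxInactiveSeconds * 1000;
  return nowMs + marginMs >= deadlineMs;
}

// Merge both signals into an action: 'ok' | 'login' | 'retry'.
function decide(serverState, maxInactiveSeconds, lastServerRequestMs, nowMs, marginMs) {
  if (serverState === 'expired' || serverState === 'unauthenticated') return 'login';
  if (isLocallyExpired(maxInactiveSeconds, lastServerRequestMs, nowMs, marginMs)) return 'login';
  return serverState === 'active' ? 'ok' : 'retry';
}

// One poll. credentials: 'same-origin' sends JSESSIONID; redirect: 'manual'
// keeps a login redirect from being followed silently; cache: 'no-store'
// stops a cached "valid" answer from masking an expiry.
async function pollOnce(fetchImpl) {
  const res = await fetchImpl(SESSION_CHECK_URL,
    { credentials: 'same-origin', redirect: 'manual', cache: 'no-store' });
  const body = await res.text();
  return interpretSessionCheck(res.status, res.headers.get('content-type'), body);
}

// Starts polling. The application must call watcher.noteServerRequest()
// after each real request to the web app, since only those reset Tomcat's
// inactivity timer; polls of session-check.jsp are assumed not to.
function startSessionWatcher(opts) {
  const { maxInactiveSeconds, pollMs = 30000, marginMs = DEFAULT_MARGIN_MS,
          fetchImpl = (typeof fetch === 'function' ? fetch : null),
          onLogin = () => { window.location.assign(LOGIN_URL); } } = opts;
  let lastServerRequestMs = Date.now();
  let stopped = false;
  async function tick() {
    if (stopped) return;
    let state = 'unknown';
    try { state = await pollOnce(fetchImpl); } catch (e) { /* network error: retry later */ }
    const action = decide(state, maxInactiveSeconds, lastServerRequestMs, Date.now(), marginMs);
    if (action === 'login') { stopped = true; onLogin(); return; }
    setTimeout(tick, pollMs);
  }
  setTimeout(tick, pollMs);
  return {
    noteServerRequest() { lastServerRequestMs = Date.now(); },
    stop() { stopped = true; },
  };
}
```

With SSO in play, as Chris notes, a per-application session check says nothing about the SSO token; this watcher only answers for the application that serves the JSP.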

