You are viewing a plain text version of this content. The canonical link for it is here.
Posted to user@struts.apache.org by Shiraz Wasim Zaidi <sw...@flash.net> on 2000/06/17 06:38:36 UTC

RE: Idle timeout Handling

Thanks for the reply Craig.

-Shiraz

> -----Original Message-----
> From: Craig R. McClanahan [mailto:Craig.McClanahan@eng.sun.com]
> Sent: Thursday, December 14, 2000 2:53 AM
> To: struts-user@jakarta.apache.org
> Subject: Re: Idle timeout Handling
>
>
>
>
> Shiraz Wasim Zaidi wrote:
>
> > Hi!,
> >
> > I have just started working with the struts framework and like it a lot.
> > I have a question about idletimeout handling. The only way i
> can handle it
> > now is to do an idle timeout check at the start of perform method of my
> > action classes.
> > I cannot rely on getSession(false) check as i wont get a null session in
> > case i have a
> > session scoped form asscoiated with the mapping. I can check for some
> > attribute say user
> > profile that i bind to the session in the Authenticating action class.
> >
>
> Even if the controller servlet calls getSession() for you (as it
> does when you
> have a session-scoped ActionForm bean), it is still quite easy to
> check for
> expired sessions.
>
> When you initially log a user on, store an object specific to
> that user in the
> session (the Struts example application stores an instance of the
> User class).
> Then, if a new session got created for you, this object will be
> missing -- so
> you can easily detect that this happened.
>
> If you want such a check on every single request sent to the
> controller servlet,
> you might consider subclassing the controller servlet and adding
> your own custom
> check at the appropriate point.
>
> > Is there someother way idle timeouts can be handled then doing
> it repeatedly
> > in almost every action class?
> >
>
> Don't forget to check in your JSP pages as well -- in case the
> user bookmarks a
> page and then returns to it directly, rather than through the controller
> servlet.
>
> The Struts example application includes an application-specific custom tag
> (<app:checkLogon>) that makes exactly this sort of a check.
>
> >
> > Appreciate any response.
> >
>
> A completely different approach is to use container-managed security, as
> described in the Servlet API Specification
> <http://java.sun.com/products/servlet/download.html>.  Here, you
> are relying on
> the servlet container to manage user logon, so that you do not
> have to check
> anything on a per-request basis.
>
> >
> > Thanks,
> > Shiraz
>
> Craig McClanahan
>
>
>