Posted to users@tomcat.apache.org by Mike Quilleash <mi...@subexazure.com> on 2007/03/20 08:25:26 UTC

Session expiry

Hi there,
 
Does anyone know if there's a method for determining if the Session for
a user has expired since the last request?  Basically I have a Filter
that does an "is logged in" check and redirects to a login page if the
user is not logged in.  This works fine but in the case of Session
expiry I would like to redirect the user to the login page (works fine
as the login object is stored in HttpSession) AND display a message
informing them that their session expired due to inactivity.  Is there
any way of telling the difference between the "not logged in yet" and
"was logged in but expired since last request" situations on the server.
 
Appreciate any suggestions.
 
Mike.
 

 This e-mail is bound by the terms and conditions described at http://www.subexazure.com/mail-disclaimer.html


Re: Session expiry

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Mike,

Mike Quilleash wrote:
> Does anyone know if there's a method for determining if the Session for
> a user has expired since the last request?

When a request comes in from a user who /did/ have a session, it should
include a session identifier. If the session is timed out, then you'll
forward to the login page, and you will have a session created for you
already (assuming that you are using either container-managed sessions,
or a session management strategy that mirrors the container-managed
variety).

You can use this to your advantage by checking the result from calling
request.getRequestedSessionId versus session.getId. If they are
different, then a new session has been created in response to a request
for a dead session.

This is not entirely foolproof, since generally session cookies are
designed to live for as long as the browser is running (the browser's
"session"), and so your user may:

1. log in
2. do some stuff
3. leave without logging out
4. come back the next day to your front page (or login page)

In this case, their browser may send the old cookie and it looks like
they are trying to resume their expired session (as above), but they're
really coming in "fresh".

Hope that helps,
-chris


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
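
The check described in the reply above, written out as a servlet Filter. This is an added example, not code from the thread or from Tomcat. It applies the same test through HttpServletRequest.isRequestedSessionIdValid() so that no new session has to be created just to compare ids. The "login" attribute name, the /login.jsp path, the "expired" query parameter and the javax.servlet package (jakarta.servlet on newer containers) are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Assumption: this filter is mapped only to protected URLs, not to the login page.
public class LoginCheckFilter implements Filter {
    private static final String LOGIN_ATTR = "login";      // assumed attribute name
    private static final String LOGIN_PAGE = "/login.jsp"; // assumed login page path

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;

        // Look up the live session without creating one.
        HttpSession session = req.getSession(false);
        if (session != null && session.getAttribute(LOGIN_ATTR) != null) {
            chain.doFilter(rq, rs); // logged in: continue to the protected resource
            return;
        }

        // The client presented a session id that the container no longer knows:
        // the session it named timed out or was invalidated. A first-time visitor
        // sends no id at all, so getRequestedSessionId() is null for them.
        boolean staleId = req.getRequestedSessionId() != null
                && !req.isRequestedSessionIdValid();

        // The id is client-supplied, so this flag is a display hint only. The login
        // page should show a fixed message when expired=1 and echo nothing back.
        String target = req.getContextPath() + LOGIN_PAGE + (staleId ? "?expired=1" : "");
        res.sendRedirect(target);
    }
}
```

The flag is also set for the returning-next-day case listed above, because a browser that still holds the old cookie is indistinguishable from one resuming an expired session.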


Re: Session expiry

Posted by Mikolaj Rydzewski <mi...@ceti.pl>.
Mike Quilleash wrote:
> I can tell from this when the session expires but then I want to notify
> the user that was using that session next time they make a request.
>   
Maybe HttpSession.isNew()?


-- 
Mikolaj Rydzewski <mi...@ceti.pl>


RE: Session expiry

Posted by Mike Quilleash <mi...@subexazure.com>.
Thanks for the reply.

I can tell from this when the session expires but then I want to notify
the user that was using that session next time they make a request.
Rough sequence of events.

1. User browses to secure page.  Filter intercepts, sees the Session
does not contain the "login" object and redirects to login page.
2. User logs in, login object inserted into Session.
3. User works for a while in the web application.
4. User wanders off and has lunch.  Session expires after a while.
5. User returns from lunch, clicks something and is redirected to the
login page.

At this point I would also like to display at the top of the login page
"Your session expired due to inactivity, please log in again".

Hope that clarifies.

Cheers.

Mike.

-----Original Message-----
From: Mikolaj Rydzewski [mailto:miki@ceti.pl] 
Sent: 20 March 2007 08:43
To: Tomcat Users List
Subject: Re: Session expiry

Mike Quilleash wrote:
> Does anyone know if there's a method for determining if the Session
> for a user has expired since the last request?  Basically I have a
> Filter that does an "is logged in" check and redirects to a login page
> if the user is not logged in.  This works fine but in the case of
> Session expiry I would like to redirect the user to the login page
> (works fine as the login object is stored in HttpSession) AND display
> a message informing them that their session expired due to inactivity.
> Is there any way of telling the difference between the "not logged in
> yet" and "was logged in but expired since last request" situations on
> the server.
>

HttpSessionListener: http://tinyurl.com/ypdslc


--
Mikolaj Rydzewski <mi...@ceti.pl>




Re: Session expiry

Posted by Mikolaj Rydzewski <mi...@ceti.pl>.
Mike Quilleash wrote:
> Does anyone know if there's a method for determining if the Session for
> a user has expired since the last request?  Basically I have a Filter
> that does an "is logged in" check and redirects to a login page if the
> user is not logged in.  This works fine but in the case of Session
> expiry I would like to redirect the user to the login page (works fine
> as the login object is stored in HttpSession) AND display a message
> informing them that their session expired due to inactivity.  Is there
> any way of telling the difference between the "not logged in yet" and
> "was logged in but expired since last request" situations on the server.
>   

HttpSessionListener: http://tinyurl.com/ypdslc


-- 
Mikolaj Rydzewski <mi...@ceti.pl>