How do I log out the authenticated session in WebLogic once the server times out as per the configured value in the deployment descriptor (web.xml)?
It seems by default the server calls the httpSession.invalidate() method once the server times out. httpSession.invalidate() does not log out the authenticated user.
But I need to programmatically call weblogic ServletAuthentication.invalidateAll(HttpServletRequest req).
Thought of using HttpSessionListener but how do I get hold of the HttpServletRequest object?
Any solution will be appreciated.
Thanks in advance
When the session times out, the user is automatically logged out. If you refresh the page you will be redirected to the login page.
I have the web application. I deploy it into jetty container.
After a browser restart it loses the jsession id although the session is alive on the server, and redirects me to the login page.
In the browser I see the following cookies:
How to know the current jsessionId cookie type?
Can I change the cookie type to resolve my issue?
How to change the jsessionId cookie type?
Which type would be proper in this case?
Your session is not deleted until its expire time on the server side.
However, your "browsing session" ends when you restart your browser. Therefore your browser deletes all session-based cookies, including the one grabbed from your website. As a result, you lose your old session and are forced to start a new session.
Check this out:
What is the best way to implement "remember me" for a website?
The cookie that identifies your session is JSESSIONID. See that the expires attribute for that cookie is Session, which means that the browser will forget it when you close it. You need to make the server set the expires attribute for the cookie, that is, the login response should contain a header similar to:
Set-Cookie: JSESSIONID=<id>; expires=Tuesday, 05-Nov-2004 08:30:09 GMT; ...
Read documentation for your authentication library to find out how to do that.
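To tell which type of cookie a server is issuing, the Set-Cookie header itself can be inspected. The following added example (not part of the original answers) classifies a header as a session or persistent cookie and reports its Secure and HttpOnly flags; the sample headers are constructed.

```javascript
// Added example: classify a Set-Cookie header as a session or persistent cookie.
function classifySetCookie(header, now = new Date()) {
  const [pair, ...attrParts] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  if (eq < 1) throw new Error("not a name=value cookie pair");

  // Attribute names are case-insensitive; flags such as Secure carry no value.
  const attrs = new Map();
  for (const part of attrParts) {
    if (!part) continue;
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs.set(key, i === -1 ? "" : part.slice(i + 1).trim());
  }

  let expires = null;
  if (attrs.has("max-age") && /^-?\d+$/.test(attrs.get("max-age"))) {
    // RFC 6265: Max-Age takes precedence over Expires when both are present.
    expires = new Date(now.getTime() + Number(attrs.get("max-age")) * 1000);
  } else if (attrs.has("expires")) {
    const t = Date.parse(attrs.get("expires"));
    if (!Number.isNaN(t)) expires = new Date(t);
  }

  return {
    name: pair.slice(0, eq),
    // No usable Max-Age/Expires: the browser drops the cookie when it closes.
    type: expires === null ? "session" : "persistent",
    expires,
    alreadyExpired: expires !== null && expires <= now,
    secure: attrs.has("secure"),
    httpOnly: attrs.has("httponly"),
  };
}

// Constructed sample headers (not captured from a real server).
for (const h of [
  "JSESSIONID=abc123; Path=/app; HttpOnly",
  "JSESSIONID=abc123; Path=/app; Max-Age=1800; Secure; HttpOnly",
]) {
  const c = classifySetCookie(h);
  console.log(c.name, c.type, c.expires ? c.expires.toISOString() : "(until browser closes)");
}
```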
I am currently writing a webapp where I need to log in a user. When the user is logged in he needs to be redirected to an external page to get a token. The issue is that when he gets the token and is redirected back to the web application, even though he is still logged in, the session is gone and he is redirected back to the login page. How to fix this? Should I use a cookie? Session doesn't use a cookie by default? If so, what should I store inside the cookie? Please advise.
Is there any way to manage the following scenario using Spring:
I have to log out the user if he is inactive for 30 minutes. However, on the elapse of the 28th minute, I have to display a warning pop-up saying that the user will be logged out in 2 more minutes.
If the user responds, his session is maintained.
Otherwise, his session expires in 2 minutes and he is redirected to the home page.
Using Spring 3.0.
Spring is handling all my session management and the servlet container is Tomcat.
The requirements of the client I am working for are that any functionality created should function well without JavaScript as well. This is why I was searching for a Spring-based solution.
Sounds like a job for Javascript on the client, rather than something Spring would do.
If you know (or set) the session timeout on the server, you can set a corresponding timer on the client, to go off 2mins prior to the actual session expiry.
If required you can always force the session to end by redirecting the page to the logout URL from Javascript. If your logout destination is set to the home page, then that's where the user would end up.
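The client-side timer described in this answer, as an added example that is not part of the original post. The /keepalive and /logout URLs are hypothetical and the 30-minute and 2-minute values come from the question; the server-side timeout remains authoritative.

```javascript
// Added example. Timers are injectable so the logic can be tested without a browser.
function createIdleWatcher({ timeoutMs, warnBeforeMs, onWarn, onExpire,
                             setTimer = setTimeout, clearTimer = clearTimeout }) {
  if (!(warnBeforeMs > 0 && warnBeforeMs < timeoutMs)) {
    throw new RangeError("warnBeforeMs must be > 0 and < timeoutMs");
  }
  let warnHandle = null;
  let expireHandle = null;

  function stop() {
    if (warnHandle !== null) clearTimer(warnHandle);
    if (expireHandle !== null) clearTimer(expireHandle);
    warnHandle = expireHandle = null;
  }

  // Call after every request that reaches the server: only a request resets
  // the server's idle clock, so mouse or key activity alone must not call this.
  function reset() {
    stop();
    warnHandle = setTimer(onWarn, timeoutMs - warnBeforeMs);
    expireHandle = setTimer(onExpire, timeoutMs);
  }

  reset();
  return { reset, stop };
}

// Browser wiring (skipped outside a browser). URLs are hypothetical.
if (typeof window !== "undefined") {
  const watcher = createIdleWatcher({
    timeoutMs: 30 * 60 * 1000,   // must match the session timeout set on the server
    warnBeforeMs: 2 * 60 * 1000, // warn at the 28th minute
    onWarn: () => {
      if (window.confirm("You will be logged out in 2 minutes. Stay signed in?")) {
        // The keep-alive request is what actually extends the server session.
        fetch("/keepalive", { credentials: "same-origin" }).then(() => watcher.reset());
      }
    },
    onExpire: () => { window.location.href = "/logout"; },
  });
}
```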
I have a web application in Tomcat 7 which keeps user information in session as a DTO object. I also have Spring security enabled for my project which automatically redirects a user to a login page if the user does not have a session.
If I log in to my application once and then I restart Tomcat in Eclipse what happens is that my session gets flushed out but the cookie does not go.
What this means is that after server restart there is no UserDto in session but a valid JSESSIONID remains with browser. Thus spring security still thinks that the user is logged in when in fact he's not.
Why is this happening? (I have checked the type of the JSESSIONID cookie by viewing page info in Firefox; it says - Expire: At end of session. Thus it should ideally expire at server restart or shouldn't it?)
Edit: Though Firefox says Expire: At end of session the cookie is still there if I close and restart Firefox.
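From Servlet 3.0, to add an expiry date to a cookie you can add cookie-config to your web.xml file:
<session-config>
    <!-- server-side idle timeout, in minutes -->
    <session-timeout>30</session-timeout>
    <cookie-config>
        <!-- lifetime of the session cookie in the browser, in seconds -->
        <max-age>1800</max-age>
    </cookie-config>
</session-config>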
The cookie is held in the browser - when the server restarts, but the browser continues to run, it will hold onto the cookie and present this to the server on next request.
Now on the server side, you have multiple options: You can configure Tomcat's SessionManager to persist on disk and read the content upon restart - this is an option that is also used to distribute sessions between multiple Tomcats in a cluster: When the session is serialized to disk, any server can continue the session by "just" deserializing it. There's some cost implied (as you constantly need to serialize sessions).
Currently I can't give you more concrete hints than this - but if you look it up and understand the difference between where the cookie is stored, why it doesn't change on server restart and that you'll have to look up tomcat documentation of the session manager, you'll hopefully manage to figure it out.
Tomcat will generate a JSESSIONID automatically if you have used a session in your web project.
If the session id changes, then the JSESSIONID will change correspondingly, because the JSESSIONID indicates the session ID of the web project.
It will expire when the server stops (by default it will expire within 30 minutes), but the cookie cannot be deleted automatically.
JSESSIONID can be configured in the server.xml file of Tomcat.
When you log in successfully, SpringSecurity stores a cookie in your browser.
When the browser sends a request, SpringSecurity checks what's in the cookie. If SpringSecurity finds the value it stored before, it thinks you have logged in, so SpringSecurity won't redirect to the login page.
I am a newbie to both Spring and Shiro. I have some questions on Session Management.
I saw a question which gives quite a good introduction to Session Management.
But what I did not understand is, how does Shiro communicate with the client to pass the session information, and how will the client authenticate itself again over the subsequent requests? Does Shiro pass a session ID automatically, without me having to code for it?
Does the browser automatically store the session IDs and send them (maybe over HTTPS) with subsequent requests?
How is the session logout communicated to the client? And how does the client understand that it has to log in again?
Thanks!
The session ID is stored as a browser cookie.
The session ID cookie is removed from the browser when the user logs out (and the session is invalidated on the server). Requests made after the cookie is dropped will appear to Shiro to be coming from an anonymous user, so Shiro will redirect the browser to a login page if they try to request a URL that requires you to be logged in.