Is it possible to manually reset the timeout interval of a specific session for a user that is currently logged in to my web app?
I would like the ability to do something similar to this:
    public void keepAliveForUser(long userID) {
        Session session = this.userSessionManager.getUserSessionById(userID);
        session.resetTimeOut();
    }
P.S - keep in mind this function is not being called in a follow up to a user request. (i.e. It's called from a cron job, a scheduled task, etc...)
Thanks!
You can use HttpSession#setMaxInactiveInterval to change the session expiry time on the fly
Java Doc
Specifies the time, in seconds, between client requests before the
servlet container will invalidate this session. A negative time
indicates the session should never timeout.
Usage
//session will expire after 2 hours of inactivity
session.setMaxInactiveInterval(2 * 60 * 60);
Session timeout hierarchy:
$tomcat_home/conf/web.xml
$your_webapp/WEB-INF/web.xml
manual invocation of HttpSession.setMaxInactiveInterval(int)
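One way to reach a specific user's session from a scheduled task, as an added example that is not part of the original answer: a listener keeps a user-to-session map, and the extension is capped so a background job cannot keep a session alive without limit. The `userId` attribute name, the one-session-per-user assumption and the 8-hour cap are illustrative.

```java
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionAttributeListener;
import javax.servlet.http.HttpSessionBindingEvent;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

// Added example. Assumptions: login code stores the user's id as a Long under
// "userId", each user has at most one session, and 8 hours is the hard idle cap.
@WebListener
public class UserSessionRegistry implements HttpSessionListener, HttpSessionAttributeListener {
    private static final String USER_ID_ATTR = "userId";
    private static final int MAX_INTERVAL_S = 8 * 60 * 60;
    private static final ConcurrentMap<Long, HttpSession> BY_USER =
            new ConcurrentHashMap<Long, HttpSession>();

    /** Callable from a scheduled task: grants extraSeconds of idle time counted from now. */
    public static boolean keepAliveForUser(long userId, int extraSeconds) {
        HttpSession s = BY_USER.get(userId);
        if (s == null) return false;                 // not logged in, or already expired
        try {
            // The interval is measured from the last client request, so include idle time so far.
            long idleS = (System.currentTimeMillis() - s.getLastAccessedTime()) / 1000L;
            s.setMaxInactiveInterval((int) Math.min(idleS + extraSeconds, MAX_INTERVAL_S));
            return true;
        } catch (IllegalStateException alreadyInvalidated) {
            BY_USER.remove(userId, s);
            return false;
        }
    }

    @Override public void attributeAdded(HttpSessionBindingEvent e) {
        if (USER_ID_ATTR.equals(e.getName())) BY_USER.put((Long) e.getValue(), e.getSession());
    }
    @Override public void attributeRemoved(HttpSessionBindingEvent e) {
        if (USER_ID_ATTR.equals(e.getName())) BY_USER.remove((Long) e.getValue(), e.getSession());
    }
    @Override public void attributeReplaced(HttpSessionBindingEvent e) {
        if (!USER_ID_ATTR.equals(e.getName())) return;
        BY_USER.remove((Long) e.getValue(), e.getSession());   // getValue() is the old value here
        BY_USER.put((Long) e.getSession().getAttribute(USER_ID_ATTR), e.getSession());
    }
    @Override public void sessionCreated(HttpSessionEvent e) { }
    @Override public void sessionDestroyed(HttpSessionEvent e) {
        BY_USER.values().remove(e.getSession());     // drop the reference so it can be collected
    }
}
```

Because the cap applies to total idle time, a session that has already been idle longer than the cap is left to expire at the container's next check.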
Related
In my RAP application I need to do some logout handling (forward to keycloak sso/logout).
Where would be a good hook to do that?
org.eclipse.ui.application.WorkbenchAdvisor.postShutdown() is executed also if I refresh my browser window (F5), I don't want the session to logout on-refresh. Rather if the session is expired or the browser window is closed.
Is there a hook for expired sessions or a session invalidation event?
Found UISessionListener.beforeDestroy() but it also is executed on browser-refresh:
    RWT.getUISession().addUISessionListener(new UISessionListener() {
        @Override
        public void beforeDestroy(UISessionEvent event) {
            System.out.println("UISessionListener.beforeDestroy" + event);
        }
    });
The code shows that UISessionListener catches the event UISessionEvent, which contains the UISession. This object is bound to the HttpSession; if you don't want it to expire, just configure the session to be endless (better to make it quite long but not endless, depending on the number of users using the application).
HttpSession has an expiration time by default (for example, for Apache Tomcat it is 30m), but it is configurable. The session expires when not a single "touch" of the session (request) occurs within that timeout.
Also, by default the session will "survive" a tab close/open, since the cookie is saved on the client side (again, this behaviour is configurable).
In the web app (Servlet-JSP MVC) I am working on I have set session timeout as -1, which means the session will never expire until it is intentionally invalidated during logout.
    <session-config>
        <session-timeout>-1</session-timeout>
    </session-config>
But if the user stays idle (i.e. no activity on the application) and then refreshes the application after some time, the session expires.
I am using Apache Tomcat 7.0 with XAMPP for my application.
What might be the reason? What can be done to keep the session alive indefinitely? What does "-1" in the session-timeout tag actually mean?
A better approach is to use an Ajax call to refresh the session, but not to set the session-timeout too long, because the user can close the browser without logging out, and then the session entities will be kept in memory but never used again.
Your settings may not be working because of a conflict between settings in these three places:
(1) Java Code
session.setMaxInactiveInterval(600);
(2) webapp's web.xml
(3) Container's (Tomcat?) settings: conf/web.xml or Catalina/localhost/yourapp/context.xml or server.xml, or even in your app's submodule jars.
<Context path="/" docBase="/yourapp/base"
defaultSessionTimeOut="3600" ... />
The priorities (1)>(2)>(3)
————EDIT————
According to the Tomcat 7 documentation, in case you use SSL (https://tomcat.apache.org/tomcat-7.0-doc/config/http.html):
sessionTimeout
The time, in seconds, after the creation of an SSL session that it will timeout. Use 0 to specify an unlimited timeout. If not specified, a default of 86400 (24 hours) is used.
Use 0 to specify an unlimited timeout
And this link, JSESSIONID Cookie with Expiration Date in Tomcat, and this one, https://stackoverflow.com/a/13463566/1484621, are worth a look.
The correct way to test session is request.getSession(false) == null, or request.getSession(true).isNew().
According to the source code
    /**
     * Set the default session timeout (in minutes) for this
     * web application.
     *
     * @param timeout The new default session timeout
     */
    @Override
    public void setSessionTimeout(int timeout) {
        int oldSessionTimeout = this.sessionTimeout;
        /*
         * SRV.13.4 ("Deployment Descriptor"):
         * If the timeout is 0 or less, the container ensures the default
         * behaviour of sessions is never to time out.
         */
        this.sessionTimeout = (timeout == 0) ? -1 : timeout;
        support.firePropertyChange("sessionTimeout",
                                   oldSessionTimeout,
                                   this.sessionTimeout);
    }
Setting the session-timeout to 0 or -1 will have the same result.
OK, in Java, I don't understand which actions tell that a session is or isn't alive.
I used to think that if the user has never touched the page, then after a period of time the session will expire.
session.setMaxInactiveInterval(15*60); //15 mins
But let's say there is a page called ajaxChat.jsp which has functions to send data back and forth between client and server.
UserA logged in and created a session. He can then enter ajaxChat.jsp. UserB sometimes sends messages to UserA via the interface on ajaxChat.jsp.
UserA just leaves ajaxChat.jsp open and does something else. However, every 5 mins UserB sends a message to UserA.
The question is: if UserA just leaves ajaxChat.jsp there without touching it for more than 30 mins, will the session of UserA expire? Note that every 5 mins, ajaxChat.jsp receives a new message from UserB.
I don't understand how a Java session works: when is the session counted as expired?
Which actions tell that a session is or isn't alive?
At which point of time is a session counted as inactive?
What if user has never touched the page but the page has some Ajax calls periodically in the background?
Here the Ajax code in ajaxChat.jsp is responsible for sending and receiving the messages. So both User A and User B are using the output of the servlet generated after JSP translation and compilation. So do not think of it as the ajaxChat.jsp page making the communication between the two users.
A server request that comes every 5 minutes marks activity from the user, irrespective of whether the call comes from a normal user action or an Ajax call. Both are equivalent for the server, meaning that the server will not count it as an inactive session.
If you want your application to expire the session after 15 minutes, you will need to handle that on your own.
You can manage a map in the application context (keyed by the JSESSIONID cookie value) with the user's last activity time from the specific pages/calls that are interpreted as actions from the user, not from the Ajax chat. Test the difference (Last Activity Time - Current Time) every time and mark the session expired explicitly with session.invalidate().
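The idle check described in the answer above, as an added example that is not part of the original post: a servlet filter that counts only real user requests as activity, so background polling cannot keep an unattended session alive. It stores the timestamp in a session attribute instead of an application-context map; the polling path, attribute name and 15-minute limit are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example. Assumptions: chat polling goes to /ajaxChat/poll and the
// user-idle limit is 15 minutes; both values are illustrative.
@WebFilter("/*")
public class UserActivityTimeoutFilter implements Filter {
    private static final long IDLE_LIMIT_MS = 15 * 60 * 1000L;
    private static final String POLL_PATH = "/ajaxChat/poll";
    private static final String LAST_ACTIVITY = "lastUserActivity";

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse resp = (HttpServletResponse) rs;
        HttpSession session = req.getSession(false);      // never create a session here
        if (session != null) {
            long now = System.currentTimeMillis();
            Long last = (Long) session.getAttribute(LAST_ACTIVITY);
            if (last == null) last = session.getCreationTime();
            if (now - last > IDLE_LIMIT_MS) {
                // No user-driven request within the limit: end the session explicitly.
                session.invalidate();
                resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Session expired");
                return;
            }
            // Path inside the web application, without the context path.
            String path = req.getRequestURI().substring(req.getContextPath().length());
            if (!path.startsWith(POLL_PATH)) {
                session.setAttribute(LAST_ACTIVITY, now); // only user actions reset the clock
            }
        }
        chain.doFilter(req, resp);
    }
}
```

The container's own `setMaxInactiveInterval` timer is still reset by every request, polling included, so this filter is what enforces the user-idle limit.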
Sorry for the broad topic. Basically, WSC is supposed to have out-of-the-box session timeout handling by forwarding the user to the ReLogonFormView, which the user can presumably configure (through Struts) to any jsp that they choose. We use a custom logoff command, and it seems to be affecting that view showing up.
I'm not looking for a specific solution to this problem, I'm just looking for general knowledge about how WSC (v6) handles session timeouts (how it determines that the session has timed out) and what command(s) it runs by default when / if / to determine the session has expired.
This is my current knowledge on this subject...
The session timeout is a global value for all web modules and can be found in the wc-server.xml and is set to 30 minutes OOTB.
When a timeout occurs, the OOTB LogoffCmd would normally be called, which will set up the necessary URLs to navigate to the ReLogonFormView URL while keeping hold of the URL where the session timeout occurred.
If the ReLogonFormView contains userid/password fields to allow the user to logon again, the user will then be redirected back to the page they were originally on.
More info can be found in IBM InfoCenter under "LoginTimeout".
If you extend the OOTB LogonCmdImpl, you should not try and set the forwarding URL, or that will interfere with the OOTB navigation.
I think you should perform your custom logoff functionality and then call super.performExecute() to allow the OOTB navigation logic to take over.
Note: You can retrieve the URL you were originally on via a call to getReferrerURL() and the ReLogonFormView should be returned from getURL().
What is the Java App Engine default session timeout?
Will there be any bad impact if we set the session timeout to a very, very long time, since the Google App Engine session is just stored in the datastore by default (just like Facebook: each time you go to the page, the session still exists forever)?
The default session timeout is set to 30 minutes (you can verify it by calling the getMaxInactiveInterval method).
With that fairly limited info about your app, I don't see any impact.
Using setMaxInactiveInterval(-1) indicates that the Session should never timeout.
Keep in mind that you also need to overwrite the JSESSIONID cookie MaxAge to avoid losing the Session when the browser is closed.
I've just tested on my GAE webapp and the default timeout is getMaxInactiveInterval()=86400 (s) = 24 hours = 1 day