I have been asked previously this and not sure what is supposed to be the answer, the question is suppose you had an online trading page, that allows you to buy and sell stocks whereas all the stocks are constantly changing via ajax, how do you implement to check if the user/session is still active?
I had suggested to use javascript, where when the user is not keying or not moving the mouse it will prompt that the session will end, and log out the user
Second alternative, would be to put a session-timeout in web.xml whereas once the user has session timed out it will require the user to relogin.
But both answers I have provided seemed wrong. What is the proper, standard way to handling session on a dynamic page? (i.e buying airplane tickets or stock trading page?)
Can anyone provide example?
Project Context
Client requires that the users of the site (when logged in and are able to view their personal information) be forced to be logged out if they try to navigate using the browser's navigation buttons.
My Research
Searching around on SO seems to indicate that most of the problems people have is to "stop" people from hitting the browser's back button when they're logged out, like this and this. The difference is that I need to "stop" the users from navigating backwards in history (and even forward as well, though I don't see how the users can go forward in history if they can't go back in the first place) even when they are logged in, making it compulsory that they use the provided navigation.
The Solution I Have In Mind
I'm thinking of capturing the browser's event when a user hits the back button and logging them out then. However, as discussed here it seems like you can only "do it" using Javascript and not using server-side code. My qualm with this approach is that users can bypass it merely by disabling Javascript on their browsers.
My Question
So my question is - Is there a way I can capture the browser event on the server-side and log them out there? If not, what are the alternatives to achieving my objective?
I'd say that your best option is tracking the session.
You make the client send you the timestamp of when the request was processed by your server, or even simpler: a user dependent counter (which you send each time to the client), and server-side keep track of the last timestamp/counter sent.
If the user clicks the back button, he will send you an old timestamp/counter instead of the last current one, and you can then log him out server side.
This should do the trick.
In order to make sure the trick is done and making it javascript independent, I'd say you could place this value in a hidden parameter, or maybe as a hidden field form, so the user doesn't see it but it always gets sent to your server.
I hope this helps!
What I did was to create a single page, 1 html document, then use AJAX to navigate the whole site. When a user hits the back button it takes you to the index page, which is the log in page. To log in I use AJAX which I do redirect on the server side only. The only problem is when a user hits the forward button but the good thing is no JS no navigation.
If the requirement is trap browser navigation buttons and log them out - the easier alternative is never show these navigation buttons in the first place. What is the use if the user cannot use or click back and forward.
Open a new browser without a toolbar, menu bar from you webapp. When the user closes the window, trap the event and logout the session. This way - the solution would remain simple.
My 2c
Relying on javascript is not a good practice, since it is on client side and what runs on client side can always be bypassed by client.
You should instead use session timeout.
Sorry, fetch the buttons themselfe isnt possible.
Since this is a security-problem a solution (without javascript) would be:
to use encoded pages who warn on navigation out-of or into an unencoded-page. Even the mutual authentication might fit your needs.
If I understand correctly your question:
You can't avoid the user to send a request to your server, the user has full control of his/her browser unless you want to ship a custom altered version for an intranet crew (from open-source browser projects).
Without javascript the the only thing you can do is to send a specific parameter via GET when clicking in the required nav button. If the parameter is present you allow the view of the next/prev page, otherwise the user is logged out.
Obviously the user can bypass that by using the browser developer tools. But there is no way you can fully control user UI behavior at this level.
If i am right then you are talking about NO-Cache in broswer.
you can set all these like following:
response.setHeader("pragma", "no-cache");
response.setHeader("Cache-Control", "no-cache");
response.setHeader("Cache-Control", "no-store");
response.addDateHeader("Expires", -1);
response.setDateHeader("max-age", 0);
response.setIntHeader ("Expires", -1);
prevents caching at the proxy server
response.addHeader("cache-Control", "private");
And then you can define a filter who checks session on every page. When a user logs in then set an attribute in session and on logout remove it.
If by mistake user presses the F5 OR
refresh button after login , he should stay on the same page. Right now he is
redirected to login page.
I have used following code to stay on same page.
But I would not like to warn the user on this situation by writing
event.setMessage() in onWindowClosing() method. I just want to make
functionality which will feel the user that nothing has happended even
if by mistake he done browser refresh.
I am looking to avoid unwanted pop-up given by [OR HOW TO HANDLING EVENT ON CANCEL MANUALLY OF CREATED POPUP SO THAT WILL NOT RELOAD i.e. of com.google.gwt.user.client.Window.confirm("Do you really want to exit?")]
Window.addWindowClosingHandler(new Window.ClosingHandler() {
#Override
public void onWindowClosing(ClosingEvent event) {
//how to prevent sending reload request OR [on cancel button MANUALLY]
}});
In some comments above Activities and Places were mentioned as a solution for your problem. And of course it is a nice and modern one. You will find more details on GWT's documentation for these.
But if you do not want to go down that road, another solution is to use the history mechanism provided by GWT. Each "page" (rather part) of you application shall have a specific token. All you have to do then, is to create a History change handler and render the appropriate objects according to the token passed by the user's reload action. If you want to have some "memory" between user's log-outs (but not browser restarts) you can save this token in local storage and use it after user's log-in to direct her to the last page she was at.
I have a jsp page -- let's call it index.jsp. The user clicks on a link in this page -- let's call the link section1.jsp. Inside section1.jsp, there exists a form. When the user submits the form, it opens up another page called portal.aspx.
When the user clicks the back button in the browser, I want the page to go back to index.jsp.
My idea is this: Create a session from request.getHeader('referer') to record the index.jsp page. This will get set when the user enters section1.jsp. The idea is when the user is in portal.aspx and clicks the back button, I want it to check the session variable and, if it is set, redirect to the referer URL. Then I tried it and it didn't work.
Is there some way to accomplish what I just described, without the browser recording secton1.jsp in its history, such that the user will go to index.jsp from portal.aspx, when said user clicks the browser's back button? Please understand I'm looking for a server-side solution and I must use a form to open the portal.
Thank you for any help.
If you are going pure server side, there is no solution.
You may as an alternative use a cookie to store the return URL, this will ensure it doesn't get lost should your page flow change in the future. only issue, now your two back ends need to shate the same domain.
I would personally go with a little of frontend help, these are really API JS api to handle page history.
see https://github.com/browserstate/history.js
When the user logs out of the app and if user clicks on back button he will be able to view the recently visited page and do all the operations again,how to handle this in java?
You need to disable caching for your pages. You can do that by doing something like this:
response.setHeader("Cache-Control", "no-cache");
Read here for more details.
First thing first,
Store the user info in the session upon log in
Remove that info upon logout. You should also take a look at SessionListener, in the case of time based logouts
Every request from the user must go through a filter which checks the information stored in the session at log in time, if found give a go, otherwise redirect to login page.
Caveat: Back button will still work with GET requests. For that consider kgiannakakis's suggestion.
Best of luck.