I've a web page, where user can extend the session using AJAX call to server. If the application configured session timeout is for 30 minutes, he can extend the session for 5 minutes by pressing a button. When this user submits the pages, I need to reset this session timeout value back to the global session-timeout value.
Is it possible in Java to reset it?
or
Is it possible to read the global session-timeout value which is configured in web.xml?
EDIT:
I'm using the following code to extend the session
request.getSession().setMaxInactiveInterval(300000);
How do the user extend the session. I mean do you give a javascript alert/confirm box regarding it.
Ideally, session should automatically be extended when the user submits a request to the server.
setMaxInactiveInterval() in code and <session-config> in web.xml should do the stuff in normal scenario.
Share the exact situation of your application
EDIT:
Sending a dummy request to a JSP should automatically extend the session as session time out is measured in terms of inactive interval and the dummy request should discard the inactive interval till now.
I solved it by setting the default session as a session variable on execution of an action class, then using it to reset when ever required.
I'm not sure this is the right way to solve this. but it solve my issue, at least for now.
The time out and rest function is here and it will work accordingly to the service response.
Time setting function:
$rootScope.SessionTime =localStorage.getItem('mint');
$rootScope.tickDuration=1000;
$rootScope.myInterval=setInterval(function(){
$rootScope.SessionTime=$rootScope.SessionTime-$rootScope.tickDuration
//console.log("secs:::::"+$rootScope.SessionTime);
if($rootScope.SessionTime<300000 && $rootScope.tickDuration >0){
$('#session').modal('show');
$rootScope.tickDuration =0;
}
},$rootScope.tickDuration);
Time out function:
$scope.myTimeout = function(){
var sessionId=getcokkies.getsessionId();
$http({
url: config.apiUrl + '/user/refreshsession?sessionId='+sessionId,
method: "POST",
headers: {
'Content-Type': 'application/x-www-form-urlencoded'
},
data: $.param({
'userId': parseInt(getcokkies.getUserId()),
})
}).then(function successCallback(response) {
//localStorage.setItem("mint", 600000);
//$rootScope.SessionTime = 600000;
clearInterval($rootScope.myInterval);
localStorage.setItem("mint", 600000);
$rootScope.SessionTime =localStorage.getItem('mint');
// console.log("after++++"+$rootScope.SessionTime);
$rootScope.tickDuration=1000;
}, function errorCallback(response) {});
}
Related
I have a small web application with simple requirement that, I have a servlet and few JSP pages in my application.
When ever we give request to sevrlet it starts session on server with session timeout 1minute, then it displays one JSP page.
After session timeout on server I want to automatically display sign out JSP page in the browser how can we achieve this.
To add to Jhash
You have to have a timer javascript function on every jsp of your application (you can keep it in a .js file and include it)
Your session on the server can be about 30 minutes and your javascript timer can be around 2 to 5 minutes because even if a cached html page is shown, it would find out the situation within 2 minutes
Hope you are not relying on this for securing the application. You should still check on serverside that the user session is valid before letting the user use your application (the javascript should be only for convenience)
Edit:
Example of guessing timeout in JS and then navigating the user out:
var lastActiveTimeMs = new Date().getTime(); //This is set to current time on page load
var SESSION_TIMEOUT_MILLIS = 35*60*1000; //35 mins in milliseconds
var CHECK_TIME_MILLIS = 60*1000; //1 mins in milliseconds
setTimeout(fnCheckTimeout, CHECK_TIME_MILLIS); //Check the timeout once in a minute
function fnCheckTimeout(){
var curMs = new Date().getTime();
if( (curMs-lastActiveTimeMs)>SESSION_TIMEOUT_MILLIS ){
window.location.href = 'signout.html';
}
}
//Keep updating lastActiveTime every time you do an Ajax call.
//Because server will keep extending the session for every page load or ajax call from client
For this you need to use javascript in your jsp page.
For example if your session timeout is 2 minutes on server, in JSP page also you need to create a timer with same time using javascript, after javascript timer timeout happens, you just need to refresh the page by using same javascript code. so when you refresh the page session timeout happened already on server so you can check for session on server and if session is expired redirect control to the page you want.
I want to find the first request which is coming to jsp. Once a window is closed, again I want to find the first request coming to jsp, but I do not want to restart my server. I am trying this:
String name=session.getAttribute("val");
if(name!=null)
{
//something
}
else
{
//something
}
It is working only for the first request. After that, I have to restart the server again and again.
Moreover, I want to find the time spent on particular jsp.
You are storing the data in Server Session. It has invalidation period (configurable, let's say 10 min for example), so it is cleared only after this period. Closing the window doesn't affect this logic at all.
Handling of window behavior should be done on client side with Javascript. Take a look at window.onload and window.onbeforeunload events.
Time spent on the page can also be captured on client side. In general the logic could be:
When page loaded (onload event) you start the timer.
When page is unloaded (onbeforeunload event) you save timer value to some local storage of sending it to server with ajax call.
This is what you are looking for.
How to end sessions automatically if user closes the browser
Killing session when closing the browser
Try with below options:
web.xml
<session-config>
<session-timeout> 5 </session-timeout>
</session-config>
HttpSession.invalidate()
set the cache-control meta tag in the header to no cache to prevent session reuse.
i wanted to throw an alert when session expires and when you press ok button in the alert box then it will take you to login page. For this i thought to create a timer and timertask and in the run method of the later class i will check if the session exists or not. So for this i tried to create a class in jsp page but it is showing error. i can create in servlet but all my pages are in jsp and so this idea is not useful.Now i created a sessionlistner and in the session destroyed method i want to link to login page but i have a problem here too.I can not use response method in the sessiondestroyed method.Please tell me are there any other ways
You can use JavaScript like:
var sessionTimeout = "<%= Session.Timeout %>";
function DisplaySessionTimeout()
{
//assigning minutes left to session timeout to Label
document.getElementById("<%= lblSessionTime.ClientID %>").innerText =
sessionTimeout;
sessionTimeout = sessionTimeout - 1;
//if session is not less than 0
if (sessionTimeout >= 0)
//call the function again after 1 minute delay
window.setTimeout("DisplaySessionTimeout()", 60000);
else
{
//show message box
alert("Your current Session is over.");
}
}
For more details visit here
First, you can creates totally client side solution: use setTimout() when page is loaded first time. Use either hard-coded or arrived from server value of timeout. When timer is triggered use document.location = login.html (or something like this) to arrive to login page.
This solution is "fast and dirty."
Better solution should be based on real session expiration. You can create AJAX call that tries from time to time special URL. This URL should return true/false that means that session is expired or not. When session is expired you should redirect the page to login screen. The problem with this solution is that the fact that you request the session state refreshes it. To solve this problem you can either perform the request to different server or (probably) remove session cookie from the polling request, so it will be performed in session different from the main session.
With Tomcat you can create a JS timer that make a simple AJAX call.
If the call return without errors the session is valid, if the call fails you can consider the session expired. On default behavior Tomcat deosn't renew sessions if you don't explicitly call it.
I had the opposit case: link
This problem is already solved by the Java EE Spec. You should consider using web.xml configurations to handle session timeout issues. It has specific tags for handling all of this. Some of the tags are:
<login-config> ... </login-config>
The above tag lets you used FORM based authentication where you can specify your login HTML resource.
<security-constraint> ... </security-constraint>
The above tag lets you specify the URLs you would like to secure. And finally the session timeout tag itself, which allows you to specify the session timeout in millis.
Once you do the above, the container would automatically take the user to the login page when he requests a secure URL.
Here is the web.xml reference.
From a messaging standpoint, there are multiple ways of seeing the problem:
The fact that system is taking the user back to the login page and forcing him to login, is indicator enough for him/her.
You could provide a generic message on the login page itself.
Device some tricky flag based or querystring logic to show the message on the login page.
Came across this link in StackOverflow itself which provides a strategy you can implement in the login page itself. Have not tried this though.
This in my mind is a trivial problem compared to the whole session timeout strategy itself.
how can i see logout time when user closes the browser without logout?
So i implemented HttpSessionBindingListener taken from here and added Listener in web.xml but logout time is not being inserted into database after closing browser. Any suggestion please where i am wrong?
logout.jsp
<%
ObjectWillBeInSession owi = new ObjectWillBeInSession();
owi.setProperty1("I am a value for Property1");
owi.setProperty2("I am a value for Property2");
//this will call HttpSessionBindingListener's
//valueBound method for the object
session.setAttribute("owi", owi);
//this will call HttpSessionBindingListener's
//valueUnbound method for the object
session.removeAttribute("owi");
//INSERT INTO DB.......BUT IT IS NOT WORKING
%>
Closing the browser does not trigger any request to the server, so there is no way you can know that the user closed his browser.
You can use a listener to way for the session to time out and then store the current time when that happens. Session typically expire hours after the last request from the client, though.
You can use JavaScript's window.onbeforeunload to send an AJAX request to a servlet to record the time the user closed the browser and do what you need in the session object.
Our application logs off after 30 min and gets redirected to login page,i am specifying session timeout in web.xml and using a requestProcessor for redirecting.I want to show to the user a message saying your session got expired once the session expires,how can i do that.Auto log off ?
I would like to prompt the error message on the page"The session is timeout, please login again" . Then how could I detect the session is timeout? will any methods trigger automatically?
Create an activity checker which checks every minute if any user activity has taken place (mouseclick, keypress) and performs a heartbeat to the server side to keep the session alive when the user is active and does nothing when the user is not active. When there is no activity for 30 minutes (or whatever default session timeout is been set on server side), then perform a redirect.
Here's a kickoff example with little help of jQuery to bind click and keypress events and fire ajax request.
<script src="http://code.jquery.com/jquery-latest.min.js"></script>
<script>
$(document).ready(function() {
$.active = false;
$('body').bind('click keypress', function() { $.active = true; });
checkActivity(1800000, 60000, 0); // timeout = 30 minutes, interval = 1 minute.
});
function checkActivity(timeout, interval, elapsed) {
if ($.active) {
elapsed = 0;
$.active = false;
$.get('heartbeat');
}
if (elapsed < timeout) {
elapsed += interval;
setTimeout(function() {
checkActivity(timeout, interval, elapsed);
}, interval);
} else {
window.location = 'http://example.com/expired'; // Redirect to "session expired" page.
}
}
</script>
Create a Servlet which listens on /heartbeat and does basically just the following:
#Override
protected void doGet(HttpServletRequest request, HttpServletResponse response) {
request.getSession();
}
to keep the session alive.
When you store the logged-in user in the session, it will be "automagically" logged out whenever the session expires. So you don't need to manually logout the user.
Create a Listener class implementing HttpSessionListener and define it in web.xml
This will notify you when any session is destroyed. Use the sessionDestroyed() method.
See a full example here:
http://www.mkyong.com/servlet/a-simple-httpsessionlistener-example-active-sessions-counter/
Either it may be simple servlet, spring-mvc or spring-security auto logout is not possible without perfect client side logic.
Considering application will have both type of request
AJAX and
form submission/page reload
Auto logout needs very calculated logic. Presenting my autologout functionality implementation with following
Advantages.
1. No extra call/request is used to achieve this. considering performance impact if more than 10k active users and extra calls to achieve auto logout.
2. One line configuration using tag.
3. Works flawlessly even if user opens multiple tab or multiple window.
4. It intimates you before 30 seconds of session invalidation, so if you have filled form and not submitted, you can keep session alive(extend session by one click). So user less likely to loose unsaved data.
Usage
1. Include auto logout script in required JSP pages as given below.
....
</body>
<jsp:include page="../template/autologout-script.jsp"></jsp:include>
</html>
2. Create a JSP page, autologout-script.jsp and add below code.
Note: No editing/configuring is required
<%#taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<script>
$(document).ready(function()
{
var timeOutTimeInSeconds = ${ timeOutTimeInSeconds };
var showTimerTimeInSeconds= ${ showTimerTimeInSeconds };
var sessionCheckIntervalId = setInterval(redirectToLoginPage, timeOutTimeInSeconds * 1000);
var timerDisplayIntervalId = setInterval(showTimer, (timeOutTimeInSeconds - showTimerTimeInSeconds) * 1000);
var badgeTimerId;
window.localStorage.setItem("AjaxRequestFired", new Date());
function redirectToLoginPage(){
//location.href = '<c:url value="/" />'+'${loginPageUrl}';
window.location.reload();
}
$(document).ajaxComplete(function () {
resetTimer();
});
$(window).bind('storage', function (e) {
if(e.originalEvent.key == "AjaxRequestFired"){
console.log("Request sent from another tab, hence resetting timer")
resetTimer();
}
});
function resetTimer()
{
showTimerTimeInSeconds= ${ showTimerTimeInSeconds };
console.log("timeOutTimeInSeconds : "+timeOutTimeInSeconds)
window.localStorage.setItem("AjaxRequestFired", new Date());
window.clearInterval(sessionCheckIntervalId);
sessionCheckIntervalId = setInterval(redirectToLoginPage, timeOutTimeInSeconds * 1000);
window.clearInterval(timerDisplayIntervalId);
timerDisplayIntervalId = setInterval(showTimer, (timeOutTimeInSeconds - showTimerTimeInSeconds) * 1000);
hideTimer();
}
function showTimer()
{
$('#sessionTimeRemaining').show();
$('#sessionTimeRemainingBadge').html(showTimerTimeInSeconds--);
window.clearInterval(timerDisplayIntervalId);
badgeTimerId = setInterval(function(){
$('#sessionTimeRemainingBadge').html(showTimerTimeInSeconds--);
}, 1000);
}
function hideTimer()
{
window.clearInterval(badgeTimerId);
$('#sessionTimeRemaining').hide();
}
});
</script>
3. Configure session attributes to configuring timeout setting
Note: Configure this after session creation. You can implement HttpSessionListener sessionCreated method and set the following configuration as per your requirement.
session.setMaxInactiveInterval(300);
session.setAttribute("timeOutTimeInSeconds", 300);
session.setAttribute("showTimerTimeInSeconds", 30);
4. Add below html for displaying timer.
Note: it can be moved to autologout-script template page if you are good at CSS. Hence you can avoid to add this in each and every page.
Include bootstrap or add your custom css.
<span class="badge badge-primary" title="click to keep session alive" id="sessionTimeRemaining"
onclick="ajaxSessionRefresh()" style="display:none;">
<i class="badge badge-danger" id="sessionTimeRemainingBadge" style="float:left">30</i>
<small>Refresh</small>
<i class="glyphicon glyphicon-refresh"></i>
</span>
That is all about a simple auto logout implementation.
You can download working example from my github repository
Autologout using simple servlet example
Autologout using spring-security java configuration example
Autologout using spring-security xml configuration example
Logic Explained
Case 1: On Page load
Here logic is simple, on page load set timer of interval equlas to maxInactiveInterval. after timeout redirect to login page.
Case 2: Keep track AJAX calls
Now considering AJAX requests, you can use .ajaxStart() or .ajaxComplete() callbacks of jquery so that if any ajax request is fired you can reset the interval.
Case 3: Tracking multi tab/window activity
Intertab communication is done to synchronize state of each tab. Used localStorage on change event.
Limitations/Improvements required
1. If maximum allowed session is one, if session is taken from another system, AJAX request will fail. It needs to be handled to redirect to login page.
2. Use ajaxStart() instead of ajaxComplete() to have exact sync of idleTime values between server and browser.
Requirements
1. Jquery
Alternatives to current implementation compared
1. Setting Refresh header in http response. (Not works for AJAX requests)
response.setHeader("Refresh", "60; URL=login.jsp");
Setting meta refresh tag in HTML (Not works for AJAX requests)
<meta http-equiv="refresh" content="60; url=login.jsp">
Configuring Activity checker
Keeps session alive by repeated AJAX request. Tracks idle time and makes logout request after timeout.
No doubt it is a good one with simple logic. But i want to just ink my observations.
Performance impact if 2 requests are made per minute to keep session alive and 50k active users. 100k requests per minute.
Intertab communication If two tabs are open, one tab is receiving activity but other tab is not receiving activity, that tab fires logout request and invalidate session even though activity is present in other tab. (But can be handled)
Force logout approach It is a client is dominated over server to invalidate session.
If you're using servlet sessions, you can check to see if the session the jsp / servlet is returning is new using the isNew() method. If yes, then the user's session has expired and you can display the relevant messages.
Include a javascript utility function inside your JSP and ping the server every 31 minutes.
The above mentioned utility function should be using setTimeout() JS function internally.
setTimeout ( "checkServerSession()", /* intervalInMilliSeconds */ 31000);
Note that
checkServerSession()
is a regular JS function which may fire HTTP requests. If the request is successful session exists otherwise show the prompt to the user.