I have set Tomcat to dispose of sessions after 15 minutes of inactivity. Something like this

```xml
<session-config>
    <session-timeout>15</session-timeout>
</session-config>
```

Whenever a user accesses a restricted page (one that requires a user to be logged in) I check the session to see if the login process has been completed. If it has, then access is granted; if it hasn't, then the user is redirected to the login page where he/she is prompted with a valid ID and a password. If a session times out then the user is required to log in again. And this is fine, but I would like to let the user know that he/she has to log in again because the session has timed out.

How do I go about doing this? I found the HttpSessionListener interface and thought it might help but the sessionDestroyed method is called right before the session is invalidated so setting a parameter there is no good, as expected.

+2  A: 

When you redirect the user to the login form, set a request parameter, url parameter, or cookie that indicates that the session has expired (erase the cookie once you've displayed the login form if you use a cookie). Then, when displaying the form, check for the session expired indicator and show an appropriate message.

Mr. Shiny and New
It's only hard to actually **set** that parameter/cookie when the session is expired. How would you determine *when* to do that? There's no means of a `HttpServletRequest` during session expire. The subsequent new request/session have no knowledge of the previous one.
BalusC
Put a cookie in the user's browser when the user logs in and a token in the HttpSession. If the cookie is there and the session or token is not, then the user was logged in recently and their session timed out.
Mr. Shiny and New
Yes .. Exactly as I answered it. But you said literally *When you redirect the user to the login form*. How would you do that?
BalusC
@BalusC: I see what you are getting at now. My initial answer dealt with how to pass information to the login form telling it that it needs to display some different message.
Mr. Shiny and New
+2  A: 

On login, set a long living cookie (1 day?) which you remove (set age to 0) during a normal logout. If you land at the login page again while the user is not logged in and the cookie is still present, then it means that the session has been expired.

```jsp
<c:if test="${empty user && not empty cookie.user}">
    You were logged out because the session was expired.
</c:if>
```
BalusC
+2  A: 

You can check if the session has expired and/or timed out with:

```java
if (request.getRequestedSessionId() != null
        && !request.isRequestedSessionIdValid()) {
    // Session is expired
}
```

Use getRequestedSessionId to distinguish between new and existing (valid/expired) sessions, and use isRequestedSessionIdValid to distinguish between valid and new/expired sessions.

You can put this code in a Filter.

Danilo Piazzalunga
That's a nice find. You can by the way also just do this in EL. The request is accessible by `${pageContext.request}`.
BalusC
Thanks, this is a very nice approach
pgmura