tags:

views:

278

answers:

8
+4  Q: 

What is the best way to protect user inputs (not yet submitted) from session timeout?

I develop and maintain small intranet web apps(JSP and Resin).

Some users takes so much time to complete the forms that, when they submit, they lose all their input data because of session timeout.

Currently I prolonged session timeout to 30 minutes and display count-down clock till session timeout on top of the page, but, I think their must be better ways to protect user inputs.

What is the best practices?

Addendum Our users make several kind of reports with the web-app, and the whole contents of each report are stored in a JavaBean stored in the session.

As suggested by some, Ajax or iframe should do the quick fix.

I now know that it is better not to abuse session with heavy objects, but I'm not sure how best to refactor current mess. Some people suggested to make the web-app stateless. Any suggestion for refactoring is welcome.

+2  A: 

I've only recently needed to look at solutions to this problem.

The direction that looked most promising was using AJAX to periodically check if data was entered, and send it to the server. If the browsers running in your company support AJAX, this is one possibility.

Another possible solution could be to split the forms up, so that each section is small enough to be filled out and submitted within the session timeout.

cofiem  2008-10-31 00:55:53
Unless they are still running Windows 95, I'm pretty sure they're browsers will support AJAX.
amdfan  2008-10-31 00:58:11
@amdfan some company enforce javascrit to be disabled in their policy (wich is a good thing for security)
Frederic Morin  2008-10-31 01:21:06
A: 

You could store the data in a cookie every once in a while, use Gears as a temporary storage (if the data is complex or requires more than 4K storage) or send the temporary data to the server every n second using AJAX.

Jasper Bekkers  2008-10-31 00:57:05
+7  A: 

This may or may not be the case with your framework, but I think that if your page just uses AJAX to call the server every five minutes (or whatever), then that will keep your user's session alive. You don't even have to do a partial save of your form this way.

MusiGenesis  2008-10-31 01:20:25
terrible... just increase the session timeout at that point...
Shawn Simon  2008-10-31 03:50:22
Why is that terrible? It'll keep all users who still have their browser window open (i.e. fairly likely to come back and wanting to continue) connected, while dropping all truly unused sessions fairly quickly.
Keeg  2008-10-31 07:22:09
@trustyteen: sessions time out for a reason, which is why the ideal solution is to write the app from the ground up to handle session timeouts gracefully (i.e. no huge forms). As a quick fix, the AJAX-ping method makes the page less secure. Increasing the session timeout will make all pages less so.
MusiGenesis  2008-10-31 15:43:38
FWIW, I wouldn't use my own suggestion here. If web app users routinely lose work because of session timeouts, the app just needs to be rewritten.
MusiGenesis  2008-10-31 15:48:24
+4  A: 

Make your applications stateless on the server side. You can include any state you need to maintain in hidden input fields. If security is a concern then you can encrypt the data before putting it in the field.

An example is putting something like this in your form:

<input type="hidden" name="user" value="bob" />
<input type="hidden" name="currentRecordId" value="2345" />
<input type="hidden" name="otherStuff" value="whocares" />

The main advantage of this is that your web app can do everything it needs to with just that page. It doesn't need any session variables because everything it needs is in the page it just received. Now it doesn't matter how long they take because there is no session to expire.

A secondary advantage is that it reduces the load on your server because it isn't polling your users periodically.

Jere.Jones  2008-10-31 01:22:33
There are countless advantages, no need for session replication across servers, so load balancing becomes a breeze (client doesn't have to be tied to any server instance). High volume web apps ought to be stateless. Refactoring is not so easy if your app is already riddled with session dependency.
Lee Kowalkowski  2008-10-31 08:50:03
@Jere.Jones, and @Lee Kowalkowski.Can you please provide links for learning about stateless web-apps?
ulm  2008-10-31 10:22:36
I don't have any links. Sorry. This is just an idea that I use. I wasn't even sure it was a "real" pattern. :)
Jere.Jones  2008-10-31 15:31:21
@ulm: Well, architecturally it would help if one of the web application's goals was to be RESTful (http://en.wikipedia.org/wiki/REST). In my experience I would not be comfortable with this as an afterthought for a completed application. As your URIs would have required a great deal of forethought.
Lee Kowalkowski  2008-10-31 21:24:18
@Lee Kowalkowski: Thank you for the information. As you pointed out,it seems to be a formidable task torewrite a non-REST app and make it [email protected]: Thank you for answering. It would be an intersting read if you could publish your ideas.
ulm  2008-11-01 04:00:50
Client script can modify those hidden fields. Better keep that in mind.
Josh Stodola  2009-02-05 15:49:05
This only works for a site that does not have security. If the users log in, you need a session. Putting a session reference number in a hidden field is a bad idea.
Nemi  2009-09-15 21:32:24
+2  A: 

If you are creating an application for a limited number of users (e.g., a company intranet) and you don't want people to have to keep logging in all day or have them lose their input information when sitting for extended periods of time, you can keep sessions open indefinitely only for people that have their browser open to your website without setting the session timeout to not expire. As soon as they close the website then the session will expire as normal.

What you need to do is add a hidden iframe somewhere on the page. Have the iframe point to a simple html document served by your app server that has a meta tag in it to refresh every 29 minutes (for a session that expires in 30 minutes). This way, as long as the person has your web page open, their session won't expire. However, when they navigate away from your site it will expire as normal. You get unlimited session lengths without the downside of sessions that grow out of control.

I successfully deployed this solution in an enterprise environment at a previous place of employment. The web app replaced an old green screen application and it was unacceptable for them to go to lunch and have the application expire on them, for example.

Let me know if you need more of an example.

Nemi  2008-10-31 01:41:07
the session would still be valid though, even if the cookie is gone on the client. someone else could still hijack their session.
Shawn Simon  2008-10-31 03:51:01
Thank you for the suggestion. I think I'll try adding a hidden iframe for report input forms.(Report browsing is not worth the bother.)
ulm  2008-10-31 10:27:16
+1  A: 

I'd recommend looking into a stateless alternative (something that does not rely on session attributes) to what you're doing.

We may be able to help more if we know what exactly it is you're relying on sessions for.

Jack Leow  2008-10-31 02:03:52
A: 

Umm..

What about displaying a prompt to the user about the session about to be expired -- save data (say 5 min before), so that they can save the data. This way they know what they have to save and in case the session really needed to be expired, it will be done afterward if they don't respond.

This is an alternative in case when you want to avoid a continuous ping to server using AJAX.

Nrj  2008-10-31 08:32:14
Thank you for the suggestion.I've implemented timeout alert box already,but our users are often interrupted during report making so,pop-up alert while users are absent is not terribley useful.
ulm  2008-10-31 10:18:44
A: 

Don't use the session object. This is a cause of all sorts of usability problems - as you are discovering.

It's my golden rule of web application development: don't use the session.

Having said that, use it sparingly for things that just can't be done otherwise.

Steve McLeod  2008-10-31 09:05:08
Hi, you have any acknowledged sources supporting your "golden rule"? I find it an interesting topic to dig more into.
JacobE  2008-10-31 09:28:42

related questions

Java Time Zone is messed up
Eclipse on win64
Automate builds for Java RCP for deployment with JNLP
Why are professors or schools picking Java over C++ to teach to students?
Is there a real benefit of using J#?
Public/Popular Websites using JavaServer Faces
Why can't I use a try block around my super() call?
Accessing post variables using Java Servlets
Personal Linux web server
Is this really widening vs autoboxing?
How can I Java webstart multiple, dependent, native libraries?
Why can't I call toString() on a Java primitive?
How do I use Java to read from a file that is actively being written?
What code analysis tools do you use for your Java projects?
IllegalArgumentException or NullPointerException for a null parameter?
How do I configure and communicate with a serial port?
What is the best way to parse strings in Java
Getting started with a custom JXTA PeerGroup
Creating a custom button in Java
How to get started "writing" a code coverage tool?
Which Build-/Configuration Management Tool?
What is the difference between an int and an Integer in Java/C#?
What is the meaning of the type safety warning in certain Java generics casts?
How would you access Object properties from within an object method?
Converting CSV File to XML in Java