How precise is websphere's session expiration? - java

We wrote some jquery and java code to support passing a cookie with the expected session expiration time to the client, which then prompts the user two minutes before to give them the chance to extend their session. If they fail to do so in time, they get forwarded on their next button click to a landing page.
Works great...most of the time. Every so often, a tester trying to test this will wait 4 minutes after the prompt comes up, click a button only to find that their session is still alive despite waiting 2 full extra minutes longer than they should have had to for the session to die.
Is the spec just not that precise with when sessions expire? Should we sort of blow this off as not a big deal? we're using ibm's websphere as our app server.

WebSphere has a setting called HttpSessionReaperPollInterval that controls this behavior.
Use this property to specify, in seconds, a wake-up interval for the
process that removes invalid sessions. The value specified for this
property overrides the default installation value, which is between 30
and 360 seconds, and ensures that the reaper process runs at a
specific interval.
https://www.ibm.com/support/knowledgecenter/SSEQTP_8.5.5/com.ibm.websphere.base.doc/ae/rprs_custom_properties.html
Although the property can be adjusted, it may still not make sense to change the default value in your scenario.

I assume you set the session expiration time to two minutes on the server. That is, not the cookie expiration time.
The session should expired after two minutes. However the session can come back alive (but empty) after expired if application (click button) called getSession(true) instead of getSession(false).
If this isn't the case, can you enable the session trace : com.ibm.ws.session.*=all

Related

How to maintain user login session?

I am trying to maintain user login session(1 hr) in my Android application. When user logs in, I am receiving login time(StartTime) and session end time(Timemout) from server.
I am comparing received login time + session end time with my current device time using System api (System.currentTimeMillis()).
My problem is that user can manipulate this System.currentTimeMillis() by changing location or by changing clock time in their device and can have infinite login session.
I also tried using SystemClock.elapsedRealtime() which is dependable on boot time. Where user can reset or manipulate the time by rebooting the device.
Is there anyway to maintain 1 hr login session?
StartTime and Timeout time receiving from server.
((startTime + timeout) > (System.currentTimeMillis()/1000))
or
((startTime + timeout) > (SystemClock.elapsedRealtime()/1000))
The goal here is to make sure your sessions do not exceed a certain length of time regardless of any date/time changes on your device's local time. The one constant here is your server's time so let's leverage that.
On app launch, make your app query the server to see if it has an active session. If not, present the user with a login screen.
If there is an active session, the server should return the remaining duration of that session. This means that your server will keep track of which devices logged in and when the did so. That way, when an authentication request comes in, it checks its listing for successful logins in the last hour and returns the difference between the current time and the last login time. If there are no successful logins in the last hour it fails the request
App side, when an authentication request succeeds we start a timer for the length of time returned from the server. You can implement this yourself, or you can just use a ScheduledThreadPoolExecutor. Regardless, your timer cannot use System.currentTimeMillis() in it's implementation or it will be affected by changes to the local time. Refer to this answer for more info on that.
When the timer finishes, you can then lock the user out and force them to login again, or simply let them stick around until the app is shut down. That is up to you and your priorities regarding user experience and security.
In short, the app exists in one of two states at all times. Either it is unauthenticated and waiting for the user to login, or it is authenticated and on a timer to when it will lock the user out again. This way, you don't have to ping your servers quite so often to check session status
As mentioned in the earlier link, System.nanoTime() is a good tool to use in a timer that should not be affected by changes in the local time. More details in the java docs
This can be handled at server side. You may create a session on the server for the user which will be timed out after 1 hour (specified in requirement).
In this case you can notify user about session logged out in any of these ways:
If any requests comes after session timed out then it will notify user as session logged out.
The moment session gets expired, server can send notification to client as session logged out.

From a servlet, how do I set a Cookie that never expires?

From a servlet, how can I set a cookie that will never expire?
I have tried doing it like this:
Cookie cookie = new Cookie("xyz","");
cookie.setMaxAge(-1);
But when I do it this way, it expires as soon as the user closes the browser.
If you call setMaxAge() with a negative number (or don't call it at all), the cookie will expire at the end of the user's browser session. From the documentation:
A negative value means that the cookie is not stored persistently and will be deleted when the Web browser exits.
The typical approach for cookies that "never" expires is to set the expiration time some far amount into the future. For example:
cookie.setMaxAge(60 * 60 * 24 * 365 * 10);
Will set the expiration time for 10 years in the future. It's highly probable that the user will clear their cookies (or probably just get a new computer) within the next 10 years, so this is effectively the same as specifying that it should never expire.
Keep in mind that cookies don't actually have a concept of a "maximum age"; the way this is actually implemented is Java adds the specified number of seconds to the server's current system time, then sends that time as the expiration time for the cookie. So, large mismatches between server time and client time can complicate things a little - the best you can do (at least, easily) is ensure your server clock is set correctly and hope the clients' clocks are set.
Setting the maximum age: You use setMaxAge to specify how long (in seconds) the cookie should be valid. Following would set up a cookie for 24 hours.
cookie.setMaxAge(60*60*24);

I want maintain main application session while using editor window with session limit

I have a application with session length set to 15 minutes in web.xml.
I am using RTeditor on one screen, in RTeditor the user can enter data continuously for 30 minutes but main application session is going to expire.
The challenge is I want to maintain the main application session while using editor window. How can I do this?
Since you need to let the application know that you are still using it, i think a timer would do the trick. Use a timer that sends a dummy request (just calling a servlet/controller that returns anything) when the RTeditor is open every 5-10 min to keep the session alive.
OR to avoid the obvious mistake that can happen (The User might leave the RTeditor screen open without using it and the session would never end), check certain (or all) fields to see if they are dirty every 10 min, if they are dirty, then send the dummy request to extend the session.
Edit: Dont know if there are better ways of handling this, but this is how i would do it. (though i am no expert) :P.. Hope it helps!

Session logging out in 30 min irrespective of activity

I have set <session-timeout> as 30 min in web.xml. If I am not wrong this one supposed to logout the session in 30 min only when the session is inactive. But in my application user is logged out in 30 min irrespective of activity. can anyone please help me with this? I am not where the issue is.
Check to see that you are not getting a new session with every request. An easy way to do this is to store an Integer in the session and increment it with every request. Then add the value of the integer (as an Integer or a String) to the response and display it on the page (display may be adding it it the page as a hidden field if you want).
There can be lots of reasons that may cause unexpected session timeout and without further information, all I can give is just some pointers and suggestions.
Do you use a cluster? if you do, please check your load balancer's algorithm and settings. Does the user request being forwarded to a different server in the cluster after 30 minutes? Do you have session replication configured in your cluster? Another easy way to make sure that load balancer is not the culprit is to shut down all other servers in the cluster except one. Thus the requests are guaranteed to be sent to the same server. Then you can check if the 30 minutes timeout irrespective of user activities still happens. Server access log might also helps you to see if the user is bounced between servers.
If you have any browser plugin such ieHTTPHeaders installed, please check the session cookie sent by each request and to see if there is any change.
Another question is that if you change the 30 minutes timeout in web.xml to 15 minutes, does the user timeout every 15 minutes irrespective of user activity?

How to implement a lock on data currently being viewed by a user

Morning gurus,
I am trying to implement a solution for allowing only one user of our web app be able to see the data they are interested in until they move away from the page.
So when a user clicks on the page they are presented with all the routes they have permission to see and no one else who has permission to see them is currently looking at.
I have partially implemented this by making an Application Scoped bean which stores a map of the routes being viewed by users keyed on their session id.
The Application Scoped bean is updated when the page's backing bean gets the routes from the database.
I have written a Filter which removes the viewed routes from the Application Scoped bean when the user leaves the page.
This all works fine :-)
But if the user leaves the page by either closing the browser tab / closing the browser or the session expiring my clean up code is bypassed.
Does anyone have suggestions how
I can get my clean up code to run before the tab/browser closes/session expires.
I can access the sessions for all users in my application scope bean (so I can iterate over them and build the watched routes map every time it is requested)
An idea of a better solution.
I'm working with JSF / Icefaces 2.
Thanks for your time.
First, and most importantly, you need to decide on the acceptable delay between a user closing the browser and releasing the locks on the held objects.
If you can handle having locks persist until the session is destroyed, add an HttpSessionListener and perform cleanup when the session is destroyed.
If you can handle delays in the 10s of seconds, add a periodic request on the web page (either via AJAX/JS, or via an invisible IFRAME that reloads a specific page from your server), and have a Filter that timestamps the last access from the browser in the users session or the Application Scpoed bean you already have. A separate thread wakes up every N seconds, scans for sessions with locked objects that are older than M seconds and unlocks them.
If you need immediate notification, install an onbeforeunload event handler that notifies the server. Also, you could do it with a persistent connection or WebSocket.
In any case, you will need at least one of the first two, because the third may be unreliable.
Use a cronjob or something which runs periodically and indentifies closed connections etc.; you can save the last action from each user and remove the lock if this times is greater than some time.
You could add a periodic (once a minute for example) AJAX call on your page, which keeps the lock alive.

Categories

Resources