Time to timeout session - java

Is there a way to find out how long the session of the user remains valid ( until it times-out)?
I would like to show this time on a page.
I know how to set the timeout, but could not find how to get the current time to time-out.

I think you should track the time with plain JavaScript in the browser and reset with every Ajax/WebSocket call.
You cannot track it at the server because to check the time you need to make a request and this will renew the session.

There is a getLastAccessedTime() on the session object, that might help.

Related

How precise is websphere's session expiration?

We wrote some jquery and java code to support passing a cookie with the expected session expiration time to the client, which then prompts the user two minutes before to give them the chance to extend their session. If they fail to do so in time, they get forwarded on their next button click to a landing page.
Works great...most of the time. Every so often, a tester trying to test this will wait 4 minutes after the prompt comes up, click a button only to find that their session is still alive despite waiting 2 full extra minutes longer than they should have had to for the session to die.
Is the spec just not that precise with when sessions expire? Should we sort of blow this off as not a big deal? we're using ibm's websphere as our app server.
WebSphere has a setting called HttpSessionReaperPollInterval that controls this behavior.
Use this property to specify, in seconds, a wake-up interval for the
process that removes invalid sessions. The value specified for this
property overrides the default installation value, which is between 30
and 360 seconds, and ensures that the reaper process runs at a
specific interval.
https://www.ibm.com/support/knowledgecenter/SSEQTP_8.5.5/com.ibm.websphere.base.doc/ae/rprs_custom_properties.html
Although the property can be adjusted, it may still not make sense to change the default value in your scenario.
I assume you set the session expiration time to two minutes on the server. That is, not the cookie expiration time.
The session should expired after two minutes. However the session can come back alive (but empty) after expired if application (click button) called getSession(true) instead of getSession(false).
If this isn't the case, can you enable the session trace : com.ibm.ws.session.*=all

How to maintain user login session?

I am trying to maintain user login session(1 hr) in my Android application. When user logs in, I am receiving login time(StartTime) and session end time(Timemout) from server.
I am comparing received login time + session end time with my current device time using System api (System.currentTimeMillis()).
My problem is that user can manipulate this System.currentTimeMillis() by changing location or by changing clock time in their device and can have infinite login session.
I also tried using SystemClock.elapsedRealtime() which is dependable on boot time. Where user can reset or manipulate the time by rebooting the device.
Is there anyway to maintain 1 hr login session?
StartTime and Timeout time receiving from server.
((startTime + timeout) > (System.currentTimeMillis()/1000))
or
((startTime + timeout) > (SystemClock.elapsedRealtime()/1000))
The goal here is to make sure your sessions do not exceed a certain length of time regardless of any date/time changes on your device's local time. The one constant here is your server's time so let's leverage that.
On app launch, make your app query the server to see if it has an active session. If not, present the user with a login screen.
If there is an active session, the server should return the remaining duration of that session. This means that your server will keep track of which devices logged in and when the did so. That way, when an authentication request comes in, it checks its listing for successful logins in the last hour and returns the difference between the current time and the last login time. If there are no successful logins in the last hour it fails the request
App side, when an authentication request succeeds we start a timer for the length of time returned from the server. You can implement this yourself, or you can just use a ScheduledThreadPoolExecutor. Regardless, your timer cannot use System.currentTimeMillis() in it's implementation or it will be affected by changes to the local time. Refer to this answer for more info on that.
When the timer finishes, you can then lock the user out and force them to login again, or simply let them stick around until the app is shut down. That is up to you and your priorities regarding user experience and security.
In short, the app exists in one of two states at all times. Either it is unauthenticated and waiting for the user to login, or it is authenticated and on a timer to when it will lock the user out again. This way, you don't have to ping your servers quite so often to check session status
As mentioned in the earlier link, System.nanoTime() is a good tool to use in a timer that should not be affected by changes in the local time. More details in the java docs
This can be handled at server side. You may create a session on the server for the user which will be timed out after 1 hour (specified in requirement).
In this case you can notify user about session logged out in any of these ways:
If any requests comes after session timed out then it will notify user as session logged out.
The moment session gets expired, server can send notification to client as session logged out.

Is it possible to set expiration time for HttpSession (Jetty impl)

I'm using Jetty's implementation for javax.servlet.http.HttpSession and I need to set expiration time in epoch time (unix time). I've googled it and didn't find any appropriate results. Is there any possibility to do so out of the box? Or is there any easy way to do this?
Sessions don't have an expiration time. They have an expiration timeout. After N time of inactivity, the session expires.
Because of this, you'll be looking at implementing your own logic if you want to have your session expire at specific "wall clock time".
A simple implementation that comes to mind would be to put an attribute in the session containing the time of expiration, then having a filter check that on the server side.

I want maintain main application session while using editor window with session limit

I have a application with session length set to 15 minutes in web.xml.
I am using RTeditor on one screen, in RTeditor the user can enter data continuously for 30 minutes but main application session is going to expire.
The challenge is I want to maintain the main application session while using editor window. How can I do this?
Since you need to let the application know that you are still using it, i think a timer would do the trick. Use a timer that sends a dummy request (just calling a servlet/controller that returns anything) when the RTeditor is open every 5-10 min to keep the session alive.
OR to avoid the obvious mistake that can happen (The User might leave the RTeditor screen open without using it and the session would never end), check certain (or all) fields to see if they are dirty every 10 min, if they are dirty, then send the dummy request to extend the session.
Edit: Dont know if there are better ways of handling this, but this is how i would do it. (though i am no expert) :P.. Hope it helps!

Session logging out in 30 min irrespective of activity

I have set <session-timeout> as 30 min in web.xml. If I am not wrong this one supposed to logout the session in 30 min only when the session is inactive. But in my application user is logged out in 30 min irrespective of activity. can anyone please help me with this? I am not where the issue is.
Check to see that you are not getting a new session with every request. An easy way to do this is to store an Integer in the session and increment it with every request. Then add the value of the integer (as an Integer or a String) to the response and display it on the page (display may be adding it it the page as a hidden field if you want).
There can be lots of reasons that may cause unexpected session timeout and without further information, all I can give is just some pointers and suggestions.
Do you use a cluster? if you do, please check your load balancer's algorithm and settings. Does the user request being forwarded to a different server in the cluster after 30 minutes? Do you have session replication configured in your cluster? Another easy way to make sure that load balancer is not the culprit is to shut down all other servers in the cluster except one. Thus the requests are guaranteed to be sent to the same server. Then you can check if the 30 minutes timeout irrespective of user activities still happens. Server access log might also helps you to see if the user is bounced between servers.
If you have any browser plugin such ieHTTPHeaders installed, please check the session cookie sent by each request and to see if there is any change.
Another question is that if you change the 30 minutes timeout in web.xml to 15 minutes, does the user timeout every 15 minutes irrespective of user activity?

Categories

Resources