I am using jboss server. As of now my users getting logged out when my server bounces. On that time time I won't allow them to log out. How to manage this session even my server bounces.
Whenever you restart your server all user sessions will be lost. If you still want to keep user sessions then use cookies to maintain user sessions instead of thing like HttpSession.
When user logged in keep its session and also maintain a cookie. When server restarts check if cookie present. If its there then allow user to access resources.
You can set cookie as: For this you have to include jQuery.cookie.js file in your webpage. After user logged in set its cookie. It will remain set unless you remove it or after specific time. When you restart server all sessions will be destroyed but cookie will remain in browser. So if there is no session but cookie present in browser you can automatically logged in user and create its session again.
$.cookie("test", 1);
To delete:
$.removeCookie("test");
Additionally, to set a timeout of a certain number of days (10 here) on the cookie:
$.cookie("test", 1, { expires : 10 });
To read back the value of the cookie:
var cookieValue = $.cookie("test");
Related
I have a project builded on java2se, spring, gradle and extjs. I have to implement ability for admin to log out remoted users. I have done this by using method SessionInformation.expireNow(). But additionally users have to see message "Session was aborted by admin" and I don't know how to do it. I tried to use Ext.Msg.alert(), but it works only when admin log out his own session. Message do not appears on remoted user's screen.
Actually you cannot send any messages to user. Instead set a flag - abortedByAdmin in the user's session info.
On each user's call check whether the flag is set. If yes respond with the message "Session was aborted by admin" and then clear the session.
use any date time variable in database and set it to server current date time at every 5 seconds and check that variable (database field) on every 5 seconds if current date time value and that database field value`s difference is >5 seconds than user did logged out otherwise he is logged in.
I have a Vaadin application that starts with a user login, but the problem is with Vaadin is the session handling as I can open two sessions from 2 different browsers with the same login which should not be possible to do. But I did not find any documentation regarding that besides this topic but it's not working properly as the data are not saved in the hashmap correctly.Anyone got the same problem?
Vaadin 7 works by default so that it creates everytime a new UI instance when a new browser tab is opened (or the tab is refreshed). You should store information about current user to VaadinSession or standard HttpSession and check in UI.init() if the session contains user information.
To store information into VaadinSession one can say:
VaadinSession.getCurrent().setAttribute("currentUser", currentUser)
HttpSession can be accessed as follows in Vaadin:
VaadinSession.getCurrent().getSession()
Please note that VaadinSessions are stored into HttpSession and HttpSession can contain multiple VaadinSessions if multiple Vaadin servlets are deployed from the same war file, and the user uses those at the same time.
How to prevent concurrent logins?
I keep track of logins using a self-generated login-token. A random string between 32 and 128 bytes in length that gets stored in a cookie and a backend database, typically under a user's account.
If User (A) shares her login credentials with User (B) a new login-token is generated for the new login and stored in a cookie and updated in the backed database.
If User (A) (who might for example already be logged in) attempts to perform an action while User (B) has just logged-in, User (A)'s session will be destroyed and she'll be redirected to the login screen after a backend test confirmed her login-token isn't a match.
Think of Sessions and Logins as two different things. Sessions can be generated all day long, but login STATE should be stored in a central store.
You can save all logged users to static Set. Static variables are globally shared. On start app, check whether the collection is already login.
I wanted to know how request objects behave when a session is time out.
To be more specific I came across to one scenario, for which I am not able to figure out what is happening exactly.
The scenario is like this,
I have a login page for my web application with username and password fields. I have set the time out to 10 minutes for my app.
I am on the login page doing nothing for 15 minutes, so the session is timed out.
Now on the login I put the user name and password and hit submit. The page is getting refreshed instead of submitting.
So can I say upon session time out,the request object also times out?
Since you do not add any code to your question, my explanations should be taken with a grain of salt.
IMHO, you are starting the session when a client requests the login page (before he submits the login page) and also you've set it so that a request belonging to a timeout session will be redirected to login page.
So if the result is not to your liking you have to change some of the above.
But again, for a better answer, you have to show us some code.
And for your question about request time out. No it did not time out. It only times out if the server does not respond in time (which is a different kind of time out)
I added some Java code partials which I am using to direct requests belonging to sessions which are timed out to Login page. By the way I also should add that requests which did not require a session is handled before this redirection.
HttpSession session = request.getSession(false);
boolean hasActiveSession;
if (session == null) {
hasActiveSession = false;
//...
}
//...
if (!hasActiveSession) {
request.setAttribute("alert","Your session has timed out");
request.getRequestDispatcher("/WEB-INF/Login.jsp").forward(request, response);
}
Suppose, a use login with username="ABC",
Some data is set in the session as follows:
session.setAttribute("mydata", mydata);
If the current session expires, the user is redirected with login page.
And now, if the user again login with same username ("ABC"),
Can we retrieve the previous session's attribute so that the user can continue his work?
Please suggest me the possible solution to retrieve the data of previous session.
Thank you.
I don't believe it is possible . However, you can always create a semaphore where your app can check against it whenever the user logs in and invalidate the session if there's already an existing user session running.
This semaphore could be as simple as a Java static variable if you are running in a non-clustered environment, or a better approach is to set the flag in a database table especially if you are running in the clustered environment.
Not possible, when the session expires everything it contains is dead. This is controlled by the container.
You could save session attributes to database beofre they expire, then add them back to the new session when user logs in again.
When a user logs in to my web app, I create a session:
session.setAttribute("SessionNumber","100");
And his username is added to a table named ONLINE_USERS.
Other Online users will be able to see him, they see all online users
When the user clicks on the log out button, I delete that row from the table, then I delete the session using:
session.invalidate();
But let's say the user existed the browser, his session will be gone, but the row will stay in the database as an online user, how to avoid this?
I'm using JSP-Servlets on Netbeans.
You can enable a custom HttpSessionListener to delete the table row upon session invalidation.
public class YourHttpSessionListener implements HttpSessionListener {
public void sessionCreated(HttpSessionEvent event) {
//put row in the database
}
public void sessionDestroyed(HttpSessionEvent event) {
//delete the row from database
}
}
Declare the listener in your web.xml:
<listener>
<listener-class>YourHttpSessionListener</listener-class>
</listener>
Note that there will be a delay between the moment the user exits the browser and his session expires on the server. But session expiration time is configurable. You should find a suitable expiration timeout: not too long so you don't display for too much offline users as online, but not too short to allow connected users an idle period.
I think this is a good trade off for a chat application developed with basic servlet and jsp technology.
As I understand you want see users that are operating on web site at the moment, problem with HttpSessionListener is that session can live quite long before its destroyed, so it can happen that the user is not using the web site long time when it is destroyed.
(see http://www.smartsoftwarebits.com/qaa/46-misc/82-how-to-set-session-timeout-for-tomcat )
Solution: You can add a column to the database where you will store the time stamp of the last request
which user made. To keep this column up to date use a servlet filter. ( http://docs.oracle.com/javaee/6/api/javax/servlet/Filter.html )
To clear online users add a timer job (for example using quartz) where you will delete rows (online users) that are older than (for example) 5 minutes (thus when last interaction is older than 5 mins.) ( http://quartz-scheduler.org/ )
Using this you will now quite precisely if there is user is "still there" or not.
In addition you can add a timer to client side javascript to make an ajax call periodically. You can handle this way the situation when user did not close the browser just were inactive for a while.
First thing is to catch the event when the browser is closed
You can try below code snippet in your jsp to hit a js function which will call an ajax function to hit server side component. Then simply use the session API to invalidate the session and add the code to delete the record from the table.
window.onbeforeunload = WindowClose;
function WindowClose() {
//Write a AJAx request here to hit the server side servlet to invalidate the session
}
Or use
<body onunload="WindowClose(); >
In the server side code , use
HttpSession session = request.getsession();
session.setMaxInactiveInterval(0); //or session.invalidate();
It will be good approach to define default session timeout value in the web.xml so that incase browser crashes, sessions will invalidate after the stipulated amount of time has passed.
<session-config>
<session-timeout>30</session-timeout>
</session-config>