I have set <session-timeout> as 30 min in web.xml. If I am not wrong this one supposed to logout the session in 30 min only when the session is inactive. But in my application user is logged out in 30 min irrespective of activity. can anyone please help me with this? I am not where the issue is.
Check to see that you are not getting a new session with every request. An easy way to do this is to store an Integer in the session and increment it with every request. Then add the value of the integer (as an Integer or a String) to the response and display it on the page (display may be adding it it the page as a hidden field if you want).
There can be lots of reasons that may cause unexpected session timeout and without further information, all I can give is just some pointers and suggestions.
Do you use a cluster? if you do, please check your load balancer's algorithm and settings. Does the user request being forwarded to a different server in the cluster after 30 minutes? Do you have session replication configured in your cluster? Another easy way to make sure that load balancer is not the culprit is to shut down all other servers in the cluster except one. Thus the requests are guaranteed to be sent to the same server. Then you can check if the 30 minutes timeout irrespective of user activities still happens. Server access log might also helps you to see if the user is bounced between servers.
If you have any browser plugin such ieHTTPHeaders installed, please check the session cookie sent by each request and to see if there is any change.
Another question is that if you change the 30 minutes timeout in web.xml to 15 minutes, does the user timeout every 15 minutes irrespective of user activity?
Related
We wrote some jquery and java code to support passing a cookie with the expected session expiration time to the client, which then prompts the user two minutes before to give them the chance to extend their session. If they fail to do so in time, they get forwarded on their next button click to a landing page.
Works great...most of the time. Every so often, a tester trying to test this will wait 4 minutes after the prompt comes up, click a button only to find that their session is still alive despite waiting 2 full extra minutes longer than they should have had to for the session to die.
Is the spec just not that precise with when sessions expire? Should we sort of blow this off as not a big deal? we're using ibm's websphere as our app server.
WebSphere has a setting called HttpSessionReaperPollInterval that controls this behavior.
Use this property to specify, in seconds, a wake-up interval for the
process that removes invalid sessions. The value specified for this
property overrides the default installation value, which is between 30
and 360 seconds, and ensures that the reaper process runs at a
specific interval.
https://www.ibm.com/support/knowledgecenter/SSEQTP_8.5.5/com.ibm.websphere.base.doc/ae/rprs_custom_properties.html
Although the property can be adjusted, it may still not make sense to change the default value in your scenario.
I assume you set the session expiration time to two minutes on the server. That is, not the cookie expiration time.
The session should expired after two minutes. However the session can come back alive (but empty) after expired if application (click button) called getSession(true) instead of getSession(false).
If this isn't the case, can you enable the session trace : com.ibm.ws.session.*=all
I am trying to maintain user login session(1 hr) in my Android application. When user logs in, I am receiving login time(StartTime) and session end time(Timemout) from server.
I am comparing received login time + session end time with my current device time using System api (System.currentTimeMillis()).
My problem is that user can manipulate this System.currentTimeMillis() by changing location or by changing clock time in their device and can have infinite login session.
I also tried using SystemClock.elapsedRealtime() which is dependable on boot time. Where user can reset or manipulate the time by rebooting the device.
Is there anyway to maintain 1 hr login session?
StartTime and Timeout time receiving from server.
((startTime + timeout) > (System.currentTimeMillis()/1000))
or
((startTime + timeout) > (SystemClock.elapsedRealtime()/1000))
The goal here is to make sure your sessions do not exceed a certain length of time regardless of any date/time changes on your device's local time. The one constant here is your server's time so let's leverage that.
On app launch, make your app query the server to see if it has an active session. If not, present the user with a login screen.
If there is an active session, the server should return the remaining duration of that session. This means that your server will keep track of which devices logged in and when the did so. That way, when an authentication request comes in, it checks its listing for successful logins in the last hour and returns the difference between the current time and the last login time. If there are no successful logins in the last hour it fails the request
App side, when an authentication request succeeds we start a timer for the length of time returned from the server. You can implement this yourself, or you can just use a ScheduledThreadPoolExecutor. Regardless, your timer cannot use System.currentTimeMillis() in it's implementation or it will be affected by changes to the local time. Refer to this answer for more info on that.
When the timer finishes, you can then lock the user out and force them to login again, or simply let them stick around until the app is shut down. That is up to you and your priorities regarding user experience and security.
In short, the app exists in one of two states at all times. Either it is unauthenticated and waiting for the user to login, or it is authenticated and on a timer to when it will lock the user out again. This way, you don't have to ping your servers quite so often to check session status
As mentioned in the earlier link, System.nanoTime() is a good tool to use in a timer that should not be affected by changes in the local time. More details in the java docs
This can be handled at server side. You may create a session on the server for the user which will be timed out after 1 hour (specified in requirement).
In this case you can notify user about session logged out in any of these ways:
If any requests comes after session timed out then it will notify user as session logged out.
The moment session gets expired, server can send notification to client as session logged out.
I am implementing a thread based application where i will be connecting to Alfresco continuously. I want to avoid a session timeout error so wanted to know at what interval should i clear the session or create a new one. And how long can i continue with the same instance of the session with me.
If you check the repository.properties you'll find the following property
# If authentication.ticket.ticketsExpire is true and
# authentication.ticket.expiryMode is AFTER_FIXED_TIME or AFTER_INACTIVITY,
# this controls the minimum period for which tickets are valid.
# The default is PT1H for one hour.
authentication.ticket.validDuration=PT1H
You can change this session to whatever you want, but it will be applied globally. I've max upped this to 24 hours, so you can decide for yourself.
The other way is implementing a pooling method with get's a new ticket after every hour.
From a servlet, how can I set a cookie that will never expire?
I have tried doing it like this:
Cookie cookie = new Cookie("xyz","");
cookie.setMaxAge(-1);
But when I do it this way, it expires as soon as the user closes the browser.
If you call setMaxAge() with a negative number (or don't call it at all), the cookie will expire at the end of the user's browser session. From the documentation:
A negative value means that the cookie is not stored persistently and will be deleted when the Web browser exits.
The typical approach for cookies that "never" expires is to set the expiration time some far amount into the future. For example:
cookie.setMaxAge(60 * 60 * 24 * 365 * 10);
Will set the expiration time for 10 years in the future. It's highly probable that the user will clear their cookies (or probably just get a new computer) within the next 10 years, so this is effectively the same as specifying that it should never expire.
Keep in mind that cookies don't actually have a concept of a "maximum age"; the way this is actually implemented is Java adds the specified number of seconds to the server's current system time, then sends that time as the expiration time for the cookie. So, large mismatches between server time and client time can complicate things a little - the best you can do (at least, easily) is ensure your server clock is set correctly and hope the clients' clocks are set.
Setting the maximum age: You use setMaxAge to specify how long (in seconds) the cookie should be valid. Following would set up a cookie for 24 hours.
cookie.setMaxAge(60*60*24);
I have a application with session length set to 15 minutes in web.xml.
I am using RTeditor on one screen, in RTeditor the user can enter data continuously for 30 minutes but main application session is going to expire.
The challenge is I want to maintain the main application session while using editor window. How can I do this?
Since you need to let the application know that you are still using it, i think a timer would do the trick. Use a timer that sends a dummy request (just calling a servlet/controller that returns anything) when the RTeditor is open every 5-10 min to keep the session alive.
OR to avoid the obvious mistake that can happen (The User might leave the RTeditor screen open without using it and the session would never end), check certain (or all) fields to see if they are dirty every 10 min, if they are dirty, then send the dummy request to extend the session.
Edit: Dont know if there are better ways of handling this, but this is how i would do it. (though i am no expert) :P.. Hope it helps!