I am Switching between two different Dynamic web application through Links.But if i am working on one application for long time then others application session expires and i got redirected to login page, Is there any method to keep session alive beyond maxInactive time interval while i am working on other application page
There are two options-
If both applications requires single sign on feature (like we login to gmail, then all google services are accessible), you can use tomcat clustering and share session accross cluster. Both your apps will be part of the cluster.
A simple work aroud would be to set a heartbeat ajax request in each application. Use JavaScript's timeout function and send ajax request to servlet after a fix interval.
You can anyway update MaxInactiveInterval of server at runtime, there is this method setMaxInactiveInterval available for HTTPsession class object.
Hope this helps. :)
I can think of one option here that is to manage your own Session Pool. You can save the session object in ArrayList<HttpSession> whenever you create new session. And send that session id to your another application. When you return to previous app, you send back session id. And if you find session dead then find that session in your Session Pool by session id and create new session. In new session set attributes of the previous session object.
Hope this might be useful.
Related
First, i know that there are to components of handling user access to restricted pages in web appliations.
Authentification is about identifying a user.
Authorization: is about determining what parts of the application an authenticated user has access to
I belive this is made with session id.
But does the client have to send the session id with every request he makes? If not how can he be authentified? Or is a cookie used for this?
Sessions exist on the server. They are sometimes (usually) identified by a cookie.
The session can contain a multitude of information that is relevant to the session. E.g. shopping basket.
Server gets the cookie. Looks up the session. Has it timed out? Is it from the same IP address? From the same browser perhaps? Then use the stored information for the generation of the web page
Session still among pages, but it would be destroyed when you close your browser
Cookies still sometime when the time expires
How to get session timeout of Domino server in XPages-SSJS. I want to prompt user to save his/her data before session expires. Thanks
Servers only communicate with users when those users make a request to the server.
Because of this, servers cannot send information to the user if they haven't requested it.
For example:
A user requests a page from a server.
The server sends that page back to the user, and creates a session
for that user. The session is set to expire in 5 minutes.
Those 5 minutes are up, and in the meantime the user hasn't requested
any further pages. So the users session ends, but because the user
isn't making any requests, the server has no way of communicating this
to the user.
This is just the way that HTTP traffic is designed to work. There are ways around this however, and by altering the example above I will show you one of the easiest ways:
A user requests a page from a server.
The server sends that page back to the user, and creates a session
for that user. The session is set to expire in 5 minutes. The page that the
server sends back has a javascript setTimeout function which is set to fire off just before the session of the server expires.
Those 5 minutes are up, and again, the user hasn't requested
any further pages. So the users session ends and the server has no way of communicating this
to the user. However, javascript on the page knows that the session on the server is due to expire, and fires off an alert to tell the user to save their work.
In SSJS you can get the setting of the SessionTimeout with the following code:
facesContext.getApplication().getApplicationProperty("xsp.session.timeout", "30");
But this is a static value (in minutes). The session expires in X minutes (30 is default) after the last request of the current session.
Well the timeout is reset with every interaction between server and client. So what could be done is basically have a count down on the client side that resets after every new request. And that could also be used client side to trigger a save interaction for a defined time prior to the actual session timeout.
Whether this makes sense or not is debatable... Alternatively auto-saving could be implemented aswell.
Hi I am using expressjs for my web application, and I use the session middleware, my question is that how I can do something right before the session expire?
For example, I store something in the session, and I set the req.session.cookie.maxAge to 60000(1 minute), when the session timeout, I want to save the data in the session to disk, how I can do this? I checked the API and the destroy function only support callback...
Thanks!
Assuming you're using connect-session there's nothing like session expiration event.
Sessions expire either :
on the client (when cookie gets outdated). There's no way to know about it until a request is made so there's a danger that the event will never get triggered.
in the session store, usually using some form of time-to-live. Not all session stores support events, so notification can't be done in general.
You can, however try implement your own check using setTimeout() - when it times out check if the session's expiration date is sufficiently close to now and do whatever you need to do.
I am using Spring acegi security for single sign on on multiple applications. I need to extend session timeout at client side if user writing something on browser too. If user opended multiple sessions or browsers then i need to consider active session on all the sessions he opened. If he is active then i should not log off him eventhough he is inactive in another sessions.
Please suggest me any ideas how to track and know at the client side too.
Any idea is greatly appreaciated. Thank you.
Running application app1 in two tabs say tab1 and tab2.Timeout is 10 minutes. So we implemented timeout functionalit in java script which is at client side. This code gives Confirm box after 10 min. If user says continue, we are extending the session by firing the alive url. This working if application running in a single tab. Same applciation app1 open in multiple tabs say tab1,tab2. Here applicaiton app1 opened in two tabs but single session. We are woking the application which is opened in tab2 and not using applciation in tab1. So application in tab1 is inactive for 10 min.then application in tab1 giving confirm box and we dont answer to that confirm box tab2 will make applciation to log out. So what is the solution for not making logout as we are working application on Tab2. Any ideas? How to track whether application in active in other tabs?
This is not straigt forword answer. (Since I do not think there is a solution for that)
you could try to fire a pixel(*) between the application and by that extends the session time.
lets say that you have:
app1, app2, app3
the user logged in to app1 and app2 and he is working only on app1. if you fire a pixel from his browser to app2 every http request he made on app1, he suppose to be alive on app 2 as well.
I think that if you fire the pixel every 2 minutes between the applications app1,2 and 3 you can save the session alive between the apps.
I have done this twick in PHP application, it wans'nt so easy, but it is doable.
*pixel - it is a hidden http request that runs a script in the serverside. can do it via ajax, img, script src="", iframe and more.
You should be able to store a lastActivity timestamp in localStorage
User activity in any tab updates the lastActivity timestamp
Whenever the timer expires in any tab it should check the lastActivity value before prompting the user. If lastActivity is older than timeout, prompt the user. If not, adjust the remaining time to show prompt
The simplest thing would be to associate the sign-in session with a shared domain. Say you have app1.domain.com, app2.domain.com, app3.domain.com, BUT you have the SSO take place on domain.com, and they all share that session cookie. This is just a matter of setting the domain on the session cookie-- I believe you can do this in the configuration. Anyway, this pretty easy to do, so if this works with your problem, go for it. (Maybe there's some tricky way to do this without that domain hierarchy, but I'm not sure what it is.)
If that isn't workable, you may need a different way to store sessions. My first thought would be to put the sessions in the database. With these, you can synchronize and centrally manage the timeouts. This may require a little bit of custom code-- but it shouldn't be that much.
Not sure this is applicable, but I wrote my thoughts on implementing timeout on the client side as well.
Modified code in javascript to fire ajax request to server and finding the latest activity.
If latest activity is less than 10 mins then there is no logout.
I have a web site in ASP 3.0. This web site initialize authentication by session on the server, and retreive the id of the user in the session. A multiple clients access to the web site with no problem.
Some of them lost there session. I think is due to a client configuration with the sessionID token or someting like that.
Could some body tell me where are stored the sessionID on the client machine.
Thanks.
I read this post and just need to know what will be the name of the cookie ? Is it the same cookie that we can read/write in code ?
I try to find a way to identify, the sessionID storing on the client machine and the connected session on the server. Did a way to do that ?
The server allocates a session and stores its ID in a cookie, known as the session cookie. The ASP Session cookie has this format:-
ASPSESSIONIDACSSDCCC=APHELKLDMNKNIOJONJACDHFN
Note that last 8 characters in the name of the cookie will vary from one instance of your application to the next. Hence to even discover the cookie you need to enumerate all the cookies looking for any that match the pattern ASPSESSIONIDxxxxxxxx.
I'm not sure what you could usefully do with this cookie once you have acquired it.
Session ID's can be stored in multiple ways on the client but it's the server configuration that specifies the exact way. If possible, cookies will be used. Otherwise, the session ID might be part of the URL or be part of the web page itself as a hidden form variable.
Also, session ID's are often created to time out after a while. If a user isn't contacting the server within e.g. 20 minutes, the session expires and a new session would be required.