I am facing problem with the session management in lift application. I am managing session using one SessionVar object which I am setting everytime I am logging in and and checking it for any application request. And it is working fine.
I have set a session timeout configuration in my web.xml file. Such that my session will expire after 5 min(inactive).
The session timeout is working fine for first time and my session is getting expired successfully after 5 inactive min. But When I refresh(in the same browser) the page and login again, my session is not getting expire again after 5 min. Even it doesn't get expire for long.
I analysis that it was using the same JSession id which was expired earlier.
What am I doing wrong?
Thanks,
Puneet
Related
TLDR version: I wanted the session in sails to expire at a specific given time or date or end of day.
I gave up trying to figure out how to expire a session in sails/node at a given time.
the cookie.maxAge option in the sessions.js seems to be updating the TTL of the session of the key in redis on a given millisecond. So I tried setting each maxAge by running
req.session.cookie.maxAge = Utility.getEndOfDayMilliseconds();
req.session.save();
I created a utility that gets the value of the milliseconds from the current time to end of day.
It works when I am idle in one screen, but when I navigate on pages, the TTL on a session key in redis gets refreshed every pag navigation and the maxAge gets back to the originalMaxAge. I don't wan't that to happen.
How does one do this? The cookie that is set in my browser is correct but I can change the expire value at a future date so that my session does not expire and keep on refresh a page so that the TTL will refresh.
Thanks!
you may find an answer in the official Sails website documentation > concepts > sessions.
I am Switching between two different Dynamic web application through Links.But if i am working on one application for long time then others application session expires and i got redirected to login page, Is there any method to keep session alive beyond maxInactive time interval while i am working on other application page
There are two options-
If both applications requires single sign on feature (like we login to gmail, then all google services are accessible), you can use tomcat clustering and share session accross cluster. Both your apps will be part of the cluster.
A simple work aroud would be to set a heartbeat ajax request in each application. Use JavaScript's timeout function and send ajax request to servlet after a fix interval.
You can anyway update MaxInactiveInterval of server at runtime, there is this method setMaxInactiveInterval available for HTTPsession class object.
Hope this helps. :)
I can think of one option here that is to manage your own Session Pool. You can save the session object in ArrayList<HttpSession> whenever you create new session. And send that session id to your another application. When you return to previous app, you send back session id. And if you find session dead then find that session in your Session Pool by session id and create new session. In new session set attributes of the previous session object.
Hope this might be useful.
I'm using Node.js to implement a system to detect the user is online no not.
Here is the way I'm using:
Set every user's default session MaxAge to 30 seconds
Let each user sends the server a signal to prolong their session every 20 seconds.
Once they come offline and stop sending signals, their sessions expire.
However, I found another post on stackoverflow says that to detect the user offline, we can do:
req.session.cookie.expires = false;
Then the session will automatically expire once the user close the browser???
How to make the session expire after a browser close in node.js with express?
Can anyone tell me if this is a correct solution? Thank you!
How to get session timeout of Domino server in XPages-SSJS. I want to prompt user to save his/her data before session expires. Thanks
Servers only communicate with users when those users make a request to the server.
Because of this, servers cannot send information to the user if they haven't requested it.
For example:
A user requests a page from a server.
The server sends that page back to the user, and creates a session
for that user. The session is set to expire in 5 minutes.
Those 5 minutes are up, and in the meantime the user hasn't requested
any further pages. So the users session ends, but because the user
isn't making any requests, the server has no way of communicating this
to the user.
This is just the way that HTTP traffic is designed to work. There are ways around this however, and by altering the example above I will show you one of the easiest ways:
A user requests a page from a server.
The server sends that page back to the user, and creates a session
for that user. The session is set to expire in 5 minutes. The page that the
server sends back has a javascript setTimeout function which is set to fire off just before the session of the server expires.
Those 5 minutes are up, and again, the user hasn't requested
any further pages. So the users session ends and the server has no way of communicating this
to the user. However, javascript on the page knows that the session on the server is due to expire, and fires off an alert to tell the user to save their work.
In SSJS you can get the setting of the SessionTimeout with the following code:
facesContext.getApplication().getApplicationProperty("xsp.session.timeout", "30");
But this is a static value (in minutes). The session expires in X minutes (30 is default) after the last request of the current session.
Well the timeout is reset with every interaction between server and client. So what could be done is basically have a count down on the client side that resets after every new request. And that could also be used client side to trigger a save interaction for a defined time prior to the actual session timeout.
Whether this makes sense or not is debatable... Alternatively auto-saving could be implemented aswell.
Really weird authentication problem going on - hope someone can help!
The Domino Web Server Log database shows all the requests a particular user is making for pages in an application I look after. The application is XPages-based and the user is regularly pressing Save on the document she is editing (every few minutes). The save does a full update.
The LTPA token is valid for 30 minutes - I assume however that every time the user performs a full update, the 30 minute token is renewed?
However, when looking at the logs, a save of the document at 09:05 shows the Remote User by name, another save at 09:07 still shows the user by name. The next save at 09:11 shows the remote user by IP address instead, and when you look at the log entry in more detail, the server has replied with 401 UNAUTHORIZED (The client is not authorized to access data). This has of course caused the user's browser to lose the work they had open at the time.
The Cookie on each log entry shows :
LtpaToken=AAECAzUwOUI2RjRCNTA5Qjc2NTNDTj1Bbm5lIExhdm91ZS9PVT1VSy9PPVJVSyvsCs5c4tITD9elgI0BCN5CnZ0O; SessionID=DBDFDKDGTI
The same LTPA Token and session ID for entries where the save document worked, as well as where it failed.
Unsurprisingly, they have then refreshed the session by closing the web page and going back in to it following the error and they get a new LTPA token and session ID.
The LTPA Token validity setting of 30 minutes I refer to is defined by our admins in a Web SSO Configuration document for the server, in the "Server\Internet Sites" view in the NAB. It's the Token Expirations (Minutes) setting. Am I completely misunderstanding this setting - should the timeout be renewed everytime the user does a full submit to the server? Or is something else going on here?
I don't think the token is renewed. It times out no matter if the user is active or not.
You could increase the expiration timeout to a reasonable high value and then add a lower minimum timeout to ensure that sessions doesn't timeout too soon.
Here's an example where expiration is set very high and timeout is set to 2 hours: