We are using Vaadin 14 on a Tomcat9.
A session is immediately created in Tomcat as soon as the login page of our app is called up. If a lot of sessions have been created here (e.g. penetration test), the Tomcat takes a very long time to delete them. The CPU load also rises to 100%.
Is it possible to prevent the automatic creation of a session and only create one after the login?
We have reduced the session timeout in Tomcat so that there are not so many open sessions.
You can not use Vaadin (for your Login) and no sessions. Vaadin stores the
state of the UI in the session and there is no way around it:
A user session begins when a user first makes a request to a Vaadin servlet
by opening the URL of a particular UI. All server requests belonging to
a particular UI class are processed by the VaadinServlet class. When a new
client connects, it creates a new user session, represented by an instance of
VaadinSession. Sessions are tracked using cookies stored in the browser.
https://vaadin.com/docs/latest/advanced/application-lifecycle/#application.lifecycle.session
So you have to prevent this and not send your users directly into the
Vaadin application (first). In your case you could provide a login form
or some SSO gatekeeper to "protect" your resources.
Related
I have an enterprise application deployed on websphere 8.5.5.8, the application web side is composed of a single main page with multiple functionality tabs and every thing inside them uses ajax and iframes. Now, the issue is that I need to redirect the user to the login page immediately when the session expires. I tried to send ajax requests every second from my main page to the server to check for the session validity but the server treats that ajax requests url as secured resource causing the session to be refreshed and never expires. What are the possible work arounds for such scenario?
Yes, call to server will extend the session. As one of the solution, you could use javascript setTimeout method, initialize it to the session expiration time, and reset on your ajax business calls. If user will not do anything, then this timeout will invoke call to the logout page, which will invalidate the session and logout user.
I have a Spring 3 MVC app and part of the app requires a redirect to a 3rd party payment site and that payment site redirects back to my app after it's done. The problem is that Spring seems to create a new session instead of using the old one and erases all the data previously stored in the session. This creates massive problems for my app and I'm wondering if there is a way to preserve the session after external redirect?
Also, cookie are enabled on my browser and I indeed verified that the jsessionid value in the cookie changes after the redirect, indicating a new session overwriting the old one.
Can you provide the following info:
After coming back from the 3rd party site, does your app use a different domain/sub domain from what it uses before redirecting to the 3rd party site?
Is there a possibility that your session timeout value is so low that the session expires by the time the user returns to your app?
Does your app use frames having onunload events that invalidate the session?
I'm using spring security core in my grails application. My app has lots of ajax calls which call controllers. Controllers in turn, depend on some session variables to fulfil the request. I'm currently able to correctly display the ajax login form on session timeout. However, it creates a new session with only the newly created user object. All other objects stored in session are lost.
Is there a way to reload session variables after a user logs back in after session time out?
the purpose of the session scope is that it's wiped when the session ends. if you need to share data between sessions, you should rethink your architecture and persist the data in a database (server side), or a cookie (client side)
(moved from comments into an answer)
We are currently running into a problem with session time outs on one of our Spring web applications. The session never times out because we have a continuous ajax request polling the server. Is there a way to tell spring to ignore this request and not update the session so that time out works as expected?
You could run a timer, equal to your session timeout, along side the continuous ajax request that would log the user out if the page never refreshes. Another idea would be to host the URL that you are hitting in a separate web application on the same domain. I'm not sure if Spring has something built in for what you are doing.
I thought about this some more. You could implement your own session registry that ignores the Ajax URLs. Basically you wouldn't set the last accessed time for a user in the session registry if the URL matched one that you defined in your ignore list or filter defined in the Spring Security filter chain.
See SessionRegistry
I'm having a bit of trouble with Session timeouts in my Tomcat served web application. From reading over Tomcat's documentation, sessions expire after a time which can be configured in the web.xml file.
<session-config>
<session-timeout>30</session-timeout>
</session-config>
Quesion) Does this mean 30 minutes from when the session was created for the user? Or 30 minutes from when the session was last accessed?
If it is, as I originally thought, 30 minutes from when the session was last accessed, I don't seem to be seeing this behavior. My sessions seem to be lost as I'm using the site. Are there any other ways to configure session behavior besides this one setting? Is there something I'm missing?
Apache Tomcat/6.0.20
A session is started for the web browser when it connects to your application. Tomcat closes the session on the server when the maximum period of inactivity has passed (30 minutes).
This timeout is reset whenever there is activity on the web browser, such as refreshing the current page or navigating through other pages under the application control. Merely keeping a browser window open does not keep the session open because it does not generate any activity on the browser.
You can set it in the web.xml file as you described.
You can also set it for the session object by calling setMaxInactiveInterval(int interval)
This specifies the time, in seconds, between client requests before the servlet container will invalidate this session.
You have to make sure, that the cookies are enabled for your browser. Otherwise you create a new Session with each request. You should call the HttpServletResponse.encodeURL(String url) for each URL in your application. From the api doc:
"Encodes the specified URL by including the session ID in it, or, if encoding is not needed, returns the URL unchanged. The implementation of this method includes the logic to determine whether the session ID needs to be encoded in the URL. For example, if the browser supports cookies, or session tracking is turned off, URL encoding is unnecessary.
For robust session tracking, all URLs emitted by a servlet should be run through this method. Otherwise, URL rewriting cannot be used with browsers which do not support cookies."