In my application I use JHipster, Spring Boot, Spring Security, REST APIs and AngularJS.
I know that we can set the session timeout value in the yml file.
But what I wanted to understand is how the time interval is calculated in such applications.
Ex: Suppose session timeout = 60 secs.
The user logs in and keeps the browser idle for 70 seconds. Now after 70 seconds, when the user hits some button, a pop-up is displayed. So I wanted to know where the calculation of the difference between the two REST endpoint calls is done, because after the session timeout interval, if I hit any API I get a session timeout.
The session timeout is computed by the embedded servlet engine (Jetty, Tomcat or Undertow): it keeps a collection of all active sessions and the time of last access of each one.
On the first request, a session object is created on the server and a session cookie containing its id is sent back in the response; the server also stores the time of last access in the session object.
When your second request is processed, the server extracts the session id from the session cookie, finds the session object matching this id and compares the current time with the last access time.
Related
In my MVC Core application I'm using sessions to track logins. This works great, but is an issue when my web application goes idle/restarts, as the sessions clear and all users get logged out. I've modified my application to store the session data in a database caching-table, by calling and setting services.AddDistributedSqlServerCache(options) & services.AddSession(options) in the Startup ConfigureServices method, as well as calling app.UseSession() in the Configure method.
I seem to have done everything correctly; when a new client sets a session value for the first time it's saved in the caching-table, and when Session.Get is called the session ExpiresAtTime table-value updates.
So, considering that the session data is saved to the table, why is it not being grabbed on restarts? It isn't a cookie issue, the cookie expiration value is set to 10 years, and the session idle timeout value is set to 2 weeks. It seems like the Session data is just being handled through IIS memory, yet is being saved to my caching db-table, which I find very weird.
How do I get the session timeout in SiteMinder? In our application users log in via SiteMinder. One peculiar problem is that if a user is left idle in our application for about 20 minutes, then after 20 minutes when he tries to access or do something it gives fatal exceptions.
How do I get the session timeout from SiteMinder? I am using servlet filters for authentication.
In my application I use web services to get the required information. To actually use these services you have to log in first; you get your token (an encrypted password), and afterwards this token is attached to SOAP requests to identify the current user. The thing is, when you do not use the service for 15 minutes, your token changes, and when you try to obtain another bunch of information from the server it denies the old token. As a result the app does not get the required information and throws a heap of errors.
How do I send the user (load Login.axm) to the login page when the token has changed?
Thank you, Shay Shmeltzer for your answer.
How I solved this problem:
1) First I read how sessions work in my particular case. I used a stateless session, which means:
A new session is opened for an initial request and the session remains open for subsequent requests. Relogin occurs automatically (transparent to the user) if the session is closed. UsernameToken and PasswordText must be included as SOAP headers in the initial request to open a stateless session.
Stateless session management is the best method to use for high-load Web service applications. Using Stateless mode, the application provides the username and password only once, that is for the initial request. A session is opened on the server and is dedicated for this user.
In the response Siebel Business Applications return the SessionToken, which is an encrypted string containing the information about username, password, and timestamp. For subsequent requests the application must use the SessionToken to reuse the session. For security reasons SessionTokens are regenerated for each response. The application must provide the last received SessionToken for the next request.
The SessionToken-Siebel session map is maintained in the Siebel Web Server Extension (SWSE); based on the SessionToken value SWSE sends the request to the correct Siebel session (task). Although the session is persistent, authentication happens for each request (SWSE decrypts the UserName and Password from the SessionToken).
The main problem was:
NOTE: Reconnecting or automatic logging in again will only happen if the token has not timed out. If it times out, then the user must manually log in again. Token timeout must be greater than or equal to session timeout. For more information on session token timeout, see Session and Session Token Timeout-Related Parameters.
In my case the standard session token lifetime was 15 minutes.
That is why I included a counter in my code and checked it before each request. If the counter time > 15 minutes, I sent a login request to the server to get a new session token. The reason I did not change the current page to the login page straight away after the counter exceeds 15 minutes is: the place in the code where I check the counter is already initiated by the bindings to get the required value to render it, so if your token has expired you will get a heap of errors. That is why I first renew the session by sending a login request, get an active session token and put it into the last request which is requested by the binding. After the app renders the page without any errors, it shows the pop-up message "Session has expired" and goes to the login page.
You can programmatically set the SOAP header being sent to your SOAP service from ADF Mobile: http://docs.oracle.com/cd/E37975_01/doc.111240/e24475/amxwebservices.htm#CHDIBIIE
We are currently running into a problem with session timeouts on one of our Spring web applications. The session never times out because we have a continuous Ajax request polling the server. Is there a way to tell Spring to ignore this request and not update the session so that the timeout works as expected?
You could run a timer, equal to your session timeout, alongside the continuous Ajax request that would log the user out if the page never refreshes. Another idea would be to host the URL that you are hitting in a separate web application on the same domain. I'm not sure if Spring has something built in for what you are doing.
I thought about this some more. You could implement your own session registry that ignores the Ajax URLs. Basically you wouldn't set the last accessed time for a user in the session registry if the URL matched one that you defined in your ignore list or filter defined in the Spring Security filter chain.
See SessionRegistry
In my web application (JSP/servlet) there is a web page which creates Ajax requests periodically to grab the latest data from the server. This page is the main page, which is always open once the user logs in to the system, while other pages open in new browser windows (due to user events).
I have to invalidate user sessions which are idle for more than 30 minutes. For that I use the Tomcat session timeout feature. But the thing is, most of the time user sessions which are idle for 30 min are not invalidated.
But sometimes user sessions are invalidated by Tomcat after 30 min. I think this is because the main page sends Ajax requests periodically, so the session is never idle.
I want to know whether Tomcat can't distinguish the auto-generated requests from user events and invalidate the session properly. Please give me ideas on this; it will be very helpful for me.
Dinesh
I don't think you have a choice here: if Tomcat identifies and ignores the AJAX request, you'll lose the functionality it provides for you.