My web-application developed on Vaadin - Servlet using Tomcat server.
When user clicks logout link, session timeout error is coming and then after some time it is automatically redirecting to login page.
Previously the redirection was so fast that user was unable to see this timeout error.
But now after some version update in Vaadin, user is able to see this error.
Suggest a way to resolve this issue.
I am thinking of finding a way to stop the browser from showing the error message for session-timeout , when the session is timed out using logout button.
How to achieve it. Or is there a better solution you can suggest?
Thanks in advance.
Before invalidating the session disabling the Push Mode.
Page.getCurrent().setLocation(location);
UI.getCurrent().getPushConfiguration().setPushMode(PushMode.DISABLED);
session.getSession().invalidate();
This will work fine.
The problem comes because support for Push is not fully implemented by all servers. So on some servers this problem may not arise.
With above logic you can also set Transport.LONG_POLLING which works fine for all servers.
Related
Whenever I run the login/logout script, I get You have already logged in. How to resolve this?.
when I try to login manually. I got this popup message.
This user is already logged in. Do you want to terminate other active session.
So, how to handle this situation in JMETER.
enter image description here
Please implement the logout request and after that clean the cookie.
Follow the instruction as mentioned in
Jmeter Clear cookies after each http request
It means that logout doesn't really logs you out, not knowing the details of your test/application it's not possible to come up with a comprehensive solution, in the meantime you can try unticking Same user on each iteration on Thread Group level:
or ticking Clear cookies each iteration box in the HTTP Cookie Manager/HTTP Cache Manager
If your session is being orchestrated by a custom Header - remove it from the HTTP Header Manager somehow
I have set up an application load balancer on AWS. I am able to access my site but when I try to log in, I was redirected to a page with the message "The page has expired due to inactivity. Please refresh and try again I try taking out the ALB and the site work normally but when put on ALB then I keep getting the inactivity page.
I am using Laravel 5.5, hosted on ubuntu 16.04
I set my session and cache on database hope it will solve the issues but I still got the same problem.
I tried to turn off VerifyCsrfToken middleware, I wasn't redirected to the inactivity page but it keeps redirecting me back to the login page.
I managed to find a solution to my problem. My APP_KEY was different for all 3 servers, therefore, causing the problem. After changing it to the same APP_KEY in the .env then everything is working fine.
Hope this will help anyone who encounters a similar problem.
Can somebody please let me know what are the reasons for your authentication to die suddenly, even when you are working on an application without any idle time? Both with and without AJAX calls. And what are the different reasons for getting a 302 redirect from an MVC3 application to the Logon page.
Been struggling with an issue with timeouts that happen at random. Sometimes within a few minutes of login to the application and sometimes you can go for hours (with/without idle time) without being thrown out.
Thank You
Please see the answer on this question. This has resolve my issue with redirect loops.
IIS Session timeout and Forms Authentication loop
I am new to lift and trying to write a simple login application. When I leave my login page for some time, and I enter username and password it doesn't login instead it perform session expire behavior.
I checked the log and found that whenever I got INFO - Session navoo0xdu1ia1vi8m1c0cnl3w expired log message, the above behavior happens.
I am not able to understand why request is using the existing session, even if it's already expired. Please guide me where can I found documentation/example/tutorial to understand this behavior and how to implement simple session based login functionality.
Any help will be appreciated since this problem is bottleneck to me. I googled a lot but couldn't find anything useful.
If your session is expiring then it is because of one of two things:
1) The value set in LiftRules.sessionInactivityTimeout
or
2) The value set for session expiry within your container session.
The former is actually set to nothing by default, which means the latter will override it. Be aware however that provided you are interacting with Lift and have not disabled the heartbeat pulse then sessions do not expire. If you watch the AJAX traffic you will notice a page heartbeat used for function GC which keeps the page bound functions alive.
I'm using Spring Framework 3.0.5 and Spring Security 3.0.5 for developing a webapplication where users can log in and log out, using Remember-Me-Service, if they want to.
As I don't have pretty much experience, I wonder if it's working correctly. I use PersistentTokenApproach (with my own implementation, because I use Hibernate.) I can see the cookie is created on login and deleted on logout.
If I have an valid Remember-Me-Cookie and close the Browser, Im successfully logged in again when I open the browser again. So far, so good.
Now, I'd just like to know if those things I noticed are working as they are expected to or if I maybe did make a mistake.
1) When a user logs in without remember-me and the browser-tab is closed (not the browser itself), on reopening a new browser-tab he is still authenticated (he's using the same JSESSIONID). When closing the browser and reopening again, he isn't authenticated anymore. Regarding the security of a webapplication, is this a recommended ("normal") behaviour?
2) When remember-me used and the user is successfully authenticated (by login or later by cookie), there are no more checks on the cookie. that means, if meanwhile the user is online I'd delete the cookie from the database, the user would still be logged in, allowed to watch even the secured pages. I guess this happens because he was authenticated before and keeps using the same SESSIONID. When I close the browser and reopen it again, he isn't authenticated anymore.
3) When I dont own a cookie and open the main page, for every request I send (every picture, every file on the page) the server is checking for the rememberme-cookie. Is that correct?
Sorry for the newbie-questions, but I just want to make sure everything is working as it should. :-) Thanks in advance!
1) As far as tabs within a browser go, I am pretty sure they all share the same browser session. If you try using gmail or other web-based services you'll see the same behaviour when you close / open tabs. With older versions of IE (maybe version 6) separate instances had their own sessions, unless they were spawned from existing IE instances.
2) This sounds correct. Its not really ideal to hit the database on every request after they have been authenticated.
3) That is correct, as by default the spring security filters will be filtering on /* - and trying to look for authentication info. You can add excludes to your security config for resources you dont need to protect- ie
<http> <intercept-url pattern="/images/**" filters="none"/>