If I were on a regular JSP application I would simple write a servlet filter that if it detects an expired session redirects you to a page that explains your session has expired.
In GWT are only doing calls in the background so a http response redirect would not reload the page. Other than having all GWT rpc calls inside a base object that returns the session status does anybody have a suggested way to detect an expired session? Perhaps a timer that calls an RPC method every 5 minutes?
Normal way is to throw an error on GWT-RPC call saying that the session is expired. Then you need to handle that exception on the client side (f.e. display login page to the user or something else).
Related
I created a public app in Oracle Apex 20.1
I set session management like that --> session management
Application has no authentication and every page is public.
Unfortnently in the application logs I found many erros with Your session has expired message. It occurs multiple times in exactly same time. In user column there is a null value instead of nobody.
Logs from application
I would appreciate any advice how to fix my app
This is expected behaviour, there is nothing wrong with your application. Every page rendering in apex is a session - that is also true for public pages. The user is set to "nobody" indicating that the session is not authenticated. When a user leaves his browser open, eventually the session will time out.
You can increase the session idle time in Shared Components > Security attributes, but sessions will still timeout when they're idle for longer than this value.
The entries you're seeing in the application log seem to be coming from an ajax request, not from a page rendering action. This is hard to diagnose with no info about your application. I'm assuming you have a dynamic action or some javascript code with a timer to refresh the page or a page region. Once the session expires, those ajax requests start erroring out. What you could do is figure out what component/process is throwing the error message and put some logic in it so it only fires if the session is valid (using APEX_CUSTOM_AUTH.IS_SESSION_VALID)
I have an enterprise application deployed on websphere 8.5.5.8, the application web side is composed of a single main page with multiple functionality tabs and every thing inside them uses ajax and iframes. Now, the issue is that I need to redirect the user to the login page immediately when the session expires. I tried to send ajax requests every second from my main page to the server to check for the session validity but the server treats that ajax requests url as secured resource causing the session to be refreshed and never expires. What are the possible work arounds for such scenario?
Yes, call to server will extend the session. As one of the solution, you could use javascript setTimeout method, initialize it to the session expiration time, and reset on your ajax business calls. If user will not do anything, then this timeout will invoke call to the logout page, which will invalidate the session and logout user.
I don't really deeply understand of the session mechanism but just good enough as a casual user of the technology. I have a page implemented with jQuery ajax request. If I keep refreshing the page at a fast pace it would make the session expired and I have to login again. I would appreciate for an explanation of the phenomenon and solution to prevent that.
Sessions consists in to main parameters
Cookies and Server-side session data
In a very little explanation
cookies contains session ID, that references to the server to get session data. Server then fetchs data with the session ID and matches it inside a file with various parameters.
Your problem must be session timeout, it depends mainly on session timeout parameter configured.
Your ajax requests only works if the session timeout hasnt expired thats why it prompts you for login.
You can solve this by defining a service that does not require authentication, you can define your functions on a specific file with no session initialization so the request can bypass the security session, and your other pages that need security are secured at the same time. Like amazon mechanism.
I migrated my webapp from Tomcat 5.5 to Tomcat 6(.0.32). In that app there are ajax calls in every footer page to avoid session timeout. It works fine on Tomcat 5.5 but it doesn't work in Tomcat 6. I use a filter to track every call in a DB table. On non-ajax calls I can see the tracking in the table and the reset session timeout. On ajax calls I can see the tracking in the table but not the reset of the session timeout.
Why? Can I change this behavior? And, just for info, how can Tomcat6 distinguish the ajax calls?
If you're not explicitly accessing the session in response to the AJAX calls, you may need to set the org.apache.catalina.STRICT_SERVLET_COMPLIANCE system property. Of course, that may also impact other parts of your app. Another option would be to ensure that you do explicitly access the session...
How do websites generally log users out and send them to the log in screen automatically when a user's session expires? Is this done through ajax or running async handlers? Can you give me a bit of an explanation.
Banks and such use a client-side timeout via javascript, or something similar. Really, though, the server handles the actual session, so if you disabled the client-side logic it would act as if you were attempting to make transactions while logged out.
Use a cookie as well as a session.
Cookie must be set when a session is
started.
If the cookie is present but the
session is gone, redirect to the
login screen.
If there is no session and no cookie
do nothing
(pardon me if you can't do that because I never used ASP and basing my answer on my PHP knowledge)
Typically, you set an expiration timestamp on your session ID cookie. When the cookie fails to be sent, the client is logged off (no given session ID).
This method is often combined with JavaScript and another timestamp token. When the timers start running down, a notification is sent that allows the user to "refresh" their session... essentially, making a request before the session timestamp expires.
The "refresh" request could be anything, even something as simple as an image load.
If you are using Tomcat you can use its built in <security-constraint> mechanism within your web.xml definition. All of the timing, login screen, and page redirects are handled by Tomcat with little effort on your part other than definitions.
Oh, IIS... nevermind.