How to start a brand new session after timeout in Struts? - spring

I am working on a J2EE web application that uses Struts and Spring.
Problem: When session times out, a login page appears and the user enters the login information. Then, the application tries to restore the session but there is an exception.
How do I make the application go to the home page AFTER login on all session timeouts (fresh start)?
Thanks a lot.

Related

Prevent automatic Session creation

We are using Vaadin 14 on a Tomcat9.
A session is immediately created in Tomcat as soon as the login page of our app is called up. If a lot of sessions have been created here (e.g. penetration test), the Tomcat takes a very long time to delete them. The CPU load also rises to 100%.
Is it possible to prevent the automatic creation of a session and only create one after the login?
We have reduced the session timeout in Tomcat so that there are not so many open sessions.
You cannot use Vaadin (for your login) without sessions. Vaadin stores the state of the UI in the session and there is no way around it:
"A user session begins when a user first makes a request to a Vaadin servlet by opening the URL of a particular UI. All server requests belonging to a particular UI class are processed by the VaadinServlet class. When a new client connects, it creates a new user session, represented by an instance of VaadinSession. Sessions are tracked using cookies stored in the browser."
https://vaadin.com/docs/latest/advanced/application-lifecycle/#application.lifecycle.session
So you have to prevent this and not send your users directly into the Vaadin application (first). In your case you could provide a login form or some SSO gatekeeper to "protect" your resources.
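The gatekeeper idea from the answer above, as an added example (not code from the original post or from Vaadin): a servlet filter that runs ahead of the Vaadin servlet, only looks up an existing session, and sends everyone else to a static login page. The paths /login.html and /login and the "authenticatedUser" session attribute are assumptions made for the illustration.

```java
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example: gate in front of the Vaadin servlet (Servlet 4.0, as in Tomcat 9).
// Assumed names: /login.html (static page), /login (plain servlet that checks the
// credentials and creates the session), and the session attribute below.
@WebFilter("/*")
public class PreLoginGateFilter extends HttpFilter {

    static final String USER_ATTR = "authenticatedUser"; // hypothetical attribute name

    @Override
    protected void doFilter(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        String path = req.getRequestURI().substring(req.getContextPath().length());

        // The login page and its handler must stay reachable without a session.
        if (path.equals("/login.html") || path.equals("/login")) {
            chain.doFilter(req, res);
            return;
        }

        // getSession(false) never creates a session; it returns null if none exists.
        HttpSession session = req.getSession(false);
        if (session != null && session.getAttribute(USER_ATTR) != null) {
            chain.doFilter(req, res); // authenticated: hand the request to Vaadin
            return;
        }

        // Unauthenticated: redirect before the request reaches VaadinServlet,
        // so no HttpSession or VaadinSession is allocated for this client.
        res.sendRedirect(req.getContextPath() + "/login.html");
    }
}
```

A JSP creates a session by default, so the page served in front of the gate should be static HTML or a JSP declared with session="false".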

Session being overridden in spring security application

In a Spring Security application I am navigating to the login page, entering my credentials and getting logged in. Now if I open a new tab in the same browser and navigate to the login URL again, it shows me the login page. If I enter another user's credentials and log in, my previous JSESSIONID (i.e. the one created in the previous tab) gets overridden with the new JSESSIONID. Upon refreshing the previous tab, the session is overridden.
I want to implement that if a user is logged in already in the application, upon navigating to the url again in another tab on the same browser the homepage of the application should open.
Please advise as to how I can accomplish that.
Since the server uses the cookie to map to the current session, you'd have to control how the browser sends cookies. Every time a request is sent to a website from a new tab, most browsers will send all the cookies they have for that domain. Since your server received the same session cookie, it will treat this request as being in the same session. There's no way it can tell the difference.
Therefore, as far as cookie-based web sessions go at least, you probably won't be able to force the creation of a new session upon opening a new tab.

Liferay and Siteminder Integration

Is it possible to synchronise the Liferay session with the SiteMinder session?
Scenario:
There are 2 applications, say A and B, which use SiteMinder authentication. Both applications share the same SiteMinder session. Application A is running a Liferay portlet and application B is a servlet application.
The user logs in to application A and navigates to application B using SSO.
The user works in application B for some amount of time, which keeps the SiteMinder session from expiring. But the Liferay session in application A expires due to inactivity.
Is there any way to keep the Liferay session in sync with the SiteMinder session? Any suggestions would be really helpful.
Set the below properties in the portal-ext.properties file:
Set the auto-extend mode to true to avoid having to ask the user whether to extend the session or not. Instead, it will be automatically extended. The purpose of this mode is to keep the session open as long as the user's browser is open with a portal page loaded.
session.timeout=30
session.timeout.auto.extend=true
This would not expire the Liferay session, and if the SiteMinder session expires and you access a resource which is protected by SiteMinder, you will be asked to log in again.

spring security session timeout

I use Spring Security 3 in my JSF2 webapp.
I have a security rule to provide session timeouts:
<session-management invalid-session-url="/faces/paginas/autenticacion/login.xhtml?error=1" />
So that when the session has expired and the user clicks on any link, he is redirected to the login page. In this page I check for the error param, and show a message to the user saying the session has expired.
But I have 2 problems:
(1) When I start up the app the first time (it tries to show the home page), I'm redirected to the login page saying the session has expired. I think that this may be happening because the 1st time you run the app, the session is a new one, and Spring Security perhaps "thinks" it has expired (doesn't distinguish between a new session and a timeout).
(2) If the session has expired for anonymous users (not yet authenticated), I'm redirected to the login page timeout too. I don't want this behaviour for non-authenticated users, I just want to check the timeouts for authenticated users.
How can I solve both of these problems?
Thank you in advance.
You want to use the expired-session-url property for expired sessions, not the invalid-session-url. They are for two different things.

New Flex Session for every AMF call in blazeDS

I'm trying to log in and log out users within the Tomcat/BlazeDS environment. I wrote a custom Java login proxy to handle the login, which works. As I tried to log out a user, i.e. invalidate sessions, I realized that the Flash application gets a new session ID (new session) for every call of the AMF channel. What happens is that if I try to invalidate a session it's useless, because the next call will be new and valid with the same user credentials again.
How can I log out a user from a Flex application / Tomcat context then? I can't find good examples without custom authentication.
Thanks
Andreas
You would have to pass the session id from Flex to the Java backend and have the backend invalidate the session to log out the user.
