Tomcat session idle does not work due to Ajax - ajax

In my web application (JSP/servlet) there is a web page which creates Ajax requests periodically to grab the latest data from the server. This page is the main page, which is always open once the user logs in to the system, while other pages open in new browser windows (due to user events).
I have to invalidate user sessions which are idle for more than 30 minutes. For that I use the Tomcat session timeout feature. But the thing is, most of the time user sessions which are idle for 30 minutes are not invalidated.
But sometimes user sessions are invalidated by Tomcat after 30 minutes. I think this is because the main page sends Ajax requests periodically, so the session never idles.
I want to know whether Tomcat can't distinguish the auto-generated requests from user events and invalidate the session properly. Please give me some ideas on this; it would be very helpful for me.
Dinesh

I don't think you have a choice here - if Tomcat identifies and ignores the AJAX request, you'll lose the functionality it provides for you

Related

Prevent automatic Session creation

We are using Vaadin 14 on Tomcat 9.
A session is immediately created in Tomcat as soon as the login page of our app is called up. If a lot of sessions have been created here (e.g. by a penetration test), Tomcat takes a very long time to delete them. The CPU load also rises to 100%.
Is it possible to prevent the automatic creation of a session and only create one after the login?
We have reduced the session timeout in Tomcat so that there are not so many open sessions.
You cannot use Vaadin (for your login) without sessions. Vaadin stores the state of the UI in the session and there is no way around it:
A user session begins when a user first makes a request to a Vaadin servlet by opening the URL of a particular UI. All server requests belonging to a particular UI class are processed by the VaadinServlet class. When a new client connects, it creates a new user session, represented by an instance of VaadinSession. Sessions are tracked using cookies stored in the browser.
https://vaadin.com/docs/latest/advanced/application-lifecycle/#application.lifecycle.session
So you have to prevent this and not send your users directly into the Vaadin application (first). In your case you could provide a login form or some SSO gatekeeper to "protect" your resources.

Public App Oracle APEX Your session has expired

I created a public app in Oracle APEX 20.1
I set session management like that --> session management
Application has no authentication and every page is public.
Unfortunately, in the application logs I found many errors with the "Your session has expired" message. It occurs multiple times at exactly the same time. In the user column there is a null value instead of nobody.
Logs from application
I would appreciate any advice on how to fix my app
This is expected behaviour, there is nothing wrong with your application. Every page rendering in apex is a session - that is also true for public pages. The user is set to "nobody" indicating that the session is not authenticated. When a user leaves his browser open, eventually the session will time out.
You can increase the session idle time in Shared Components > Security attributes, but sessions will still timeout when they're idle for longer than this value.
The entries you're seeing in the application log seem to be coming from an ajax request, not from a page rendering action. This is hard to diagnose with no info about your application. I'm assuming you have a dynamic action or some javascript code with a timer to refresh the page or a page region. Once the session expires, those ajax requests start erroring out. What you could do is figure out what component/process is throwing the error message and put some logic in it so it only fires if the session is valid (using APEX_CUSTOM_AUTH.IS_SESSION_VALID).

Websphere authentication session Expiry and redirect

I have an enterprise application deployed on WebSphere 8.5.5.8; the application's web side is composed of a single main page with multiple functionality tabs, and everything inside them uses Ajax and iframes. Now, the issue is that I need to redirect the user to the login page immediately when the session expires. I tried to send Ajax requests every second from my main page to the server to check for session validity, but the server treats that Ajax request URL as a secured resource, causing the session to be refreshed and never expire. What are the possible workarounds for such a scenario?
Yes, a call to the server will extend the session. As one solution, you could use the JavaScript setTimeout method, initialize it to the session expiration time, and reset it on your Ajax business calls. If the user does not do anything, this timeout will invoke a call to the logout page, which will invalidate the session and log the user out.
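As an added example (not code from the original question or answer), here is a browser-side idle timer along the lines the answer describes; it also fits the first question on this page, where periodic Ajax polling keeps a Tomcat session alive. The page's own polling never counts as activity, only real user events do, and once the idle limit passes the page stops polling and navigates to the logout URL. The names createIdleWatcher, /app/logout and /app/latest-data are assumptions.

```javascript
// Added example, not from the original post. The server cannot tell a polling request from a
// user action, so the browser tracks genuine user activity itself. When none is seen for the
// idle limit it stops polling and goes to the logout URL, which invalidates the server session.
// createIdleWatcher, /app/logout and /app/latest-data are assumed names for this example.

function createIdleWatcher({ timeoutMs, now = () => Date.now(), onExpire }) {
  let lastActivity = now();   // updated only by genuine user events, never by polling
  let expired = false;

  return {
    // Call from user-event handlers (mousemove, keydown, click, touchstart, scroll).
    touch() {
      if (!expired) lastActivity = now();
    },
    // Call on a timer or before each poll. Returns remaining idle budget in ms (0 once expired).
    check() {
      if (expired) return 0;
      const remaining = timeoutMs - (now() - lastActivity);
      if (remaining <= 0) {
        expired = true;
        onExpire();          // fires exactly once
        return 0;
      }
      return remaining;
    },
    isExpired: () => expired,
  };
}

// Browser wiring: polling continues only while the user is not idle (skipped outside a browser).
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  const IDLE_LIMIT_MS = 30 * 60 * 1000;   // matches the 30-minute server-side timeout
  const watcher = createIdleWatcher({
    timeoutMs: IDLE_LIMIT_MS,
    onExpire: () => { window.location.href = '/app/logout'; },   // assumed logout URL
  });
  ['mousemove', 'keydown', 'click', 'touchstart', 'scroll']
    .forEach(ev => document.addEventListener(ev, () => watcher.touch(), { passive: true }));

  const poll = async () => {
    if (watcher.check() === 0) return;   // idle: stop polling so the server session can lapse
    try { await fetch('/app/latest-data', { credentials: 'same-origin' }); } catch (e) { /* retry next tick */ }
    setTimeout(poll, 10000);             // assumed 10-second refresh interval
  };
  poll();
}
```

Because polling stops at the idle limit, the server's own inactivity timeout then expires the session as well, so the logout redirect and the container timeout agree.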

How Do I Keep HttpSessions Alive in Tomcat?

I'm having a bit of trouble with Session timeouts in my Tomcat served web application. From reading over Tomcat's documentation, sessions expire after a time which can be configured in the web.xml file.
<session-config>
<session-timeout>30</session-timeout>
</session-config>
Question) Does this mean 30 minutes from when the session was created for the user? Or 30 minutes from when the session was last accessed?
If it is, as I originally thought, 30 minutes from when the session was last accessed, I don't seem to be seeing this behavior. My sessions seem to be lost as I'm using the site. Are there any other ways to configure session behavior besides this one setting? Is there something I'm missing?
Apache Tomcat/6.0.20
A session is started for the web browser when it connects to your application. Tomcat closes the session on the server when the maximum period of inactivity has passed (30 minutes).
This timeout is reset whenever there is activity on the web browser, such as refreshing the current page or navigating through other pages under the application control. Merely keeping a browser window open does not keep the session open because it does not generate any activity on the browser.
You can set it in the web.xml file as you described.
You can also set it for the session object by calling setMaxInactiveInterval(int interval)
This specifies the time, in seconds, between client requests before the servlet container will invalidate this session.
You have to make sure that cookies are enabled for your browser. Otherwise you create a new session with each request. You should call HttpServletResponse.encodeURL(String url) for each URL in your application. From the API doc:
"Encodes the specified URL by including the session ID in it, or, if encoding is not needed, returns the URL unchanged. The implementation of this method includes the logic to determine whether the session ID needs to be encoded in the URL. For example, if the browser supports cookies, or session tracking is turned off, URL encoding is unnecessary.
For robust session tracking, all URLs emitted by a servlet should be run through this method. Otherwise, URL rewriting cannot be used with browsers which do not support cookies."

CakePHP Session Expires Even When Browser is Active

I am working on an e-commerce project using the Auth Component for authentication and the Sessions Component for storing my cart.
The problem is that the session gets cleared abruptly after a while even when I am actively browsing the site. I know this should be because of the Session timeout but just increasing the timeout value is not the solution I am looking for.
I want the session to expire only when a user closes his browser. Can this be achieved?
AFAIK all you can do is to set a session timeout variable far into the future. Sessions are automatically cleared when the browser is closed (unless you set a Remember Me type cookie). Setting it far into the future will effectively accomplish what you need to do.
How long into your session is it timing out? It should only timeout when your user is inactive for a period of time. If it times out in-between requests, and you know the timeout time has not elapsed, you have some other issues going on. What are the settings in your core.php file regarding your security levels and session timeouts?
