Invalidate session, how to use correctly? - session

When do you call getPageContext().getSession().invalidate()?
I tried calling that at the logout page, then cflocation it back to the main page, and it throws exception.
How to assign a new session right after?
The documentation says: "You cannot destroy the session and create a session on the same request, as creating a new session involves sending session cookies back."
I thought cflocation to the main page already qualifies as a different request, is it not?

getPageContext().getSession().invalidate() will invalidate the session; subsequent requests with that session ID will get an error trying to access the Session scope, but the memory will not be reclaimed until the actual session timeout.
What you can do is session.setMaxInactiveInterval(int): set it to a very low number in ms so it expires right away and releases the memory. Then do a cflocation and, for safe measure, use addToken="no".

Ben Nadel had a series of posts related to "killing" sessions. As I remember, it's not as easy as one method call. I'd google those.

You can use any of these for your user logout function:
1) Session.Remove(key)
2) Session(key) = nothing
Both are fine. But the latter one is better if the user might want to log in again, as it actually saves the effort of recreating a new key.

Related

OneDrive session is lost when refresh of the page is made

After logging in to OneDrive through a web application as explained here (http://msdn.microsoft.com/en-us/library/dn659751.aspx), I can see that a session (WL.getSession()) is obtained correctly. However, if I refresh the page, it gets lost. I guess this is due to some cookie management. Is it possible to have the session not cleared on refresh?
Thanks,
Stanislav
Typically, you should call WL.login or otherwise check login status first (see WL.getloginStatus). These will return a session object if the user is logged in and has consented, so on refresh your session object should not be null unless they have logged out and you need to sign them in again. You may be "losing" the session depending on when you are calling WL.getSession().
Check out the interactive SDK sample on signing users in

How do I change session timeout for a single page under Tomcat running a Spring security controlled application?

Part of my application has a single page view for an overhead status board. Access to the server that runs the overhead display is in an access controlled location that only a few key people have access to. The problem I am encountering is that the session expires after a set amount of time, necessitating someone physically going to the server and reloading the page. Needless to say this creates some problems when the key people aren't around.
This application runs under Tomcat, and security is controlled via Spring security. How would I go about changing the session timeout for this page only?
[edit]
I've taken the approach that @sotirios-delimanolis suggested. Although I still need to find an elegant way to reverse the extended session timeout if the user navigates to this page then navigates away, this appears to work for me.
Following is the relevant snippet of code that implements this:
@RequestMapping(value="BigBoard", method = RequestMethod.GET)
public void getBigBoard(HttpServletRequest request, Model model) {
    HttpSession session = request.getSession();
    // 604800 seconds = 7 days; setMaxInactiveInterval takes seconds
    session.setMaxInactiveInterval(604800);
}
I don't know how your page is accessed, by controller, resource provider, etc. but you would have to add a Servlet, Filter, HandlerInterceptor or handler method somewhere in the processing of that request that basically did the following
int seconds = ...; // timeout
request.getSession(true).setMaxInactiveInterval(seconds);
That session now has the specified timeout before the container invalidates it.
Note that if the user goes to some other page somehow, the timeout for their session will remain what you set above unless you change it.
Make the page refresh itself every now and then (using <meta http-equiv="refresh" content="60">) or add some Ajax polling to avoid session timeout.
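The "reverse it when the user navigates away" part left open in the edit above, as an added example (not code from the thread): a Spring MVC HandlerInterceptor that saves the container's normal timeout the first time a session hits /BigBoard, extends it, and restores the saved value on the next request that same session makes to any other page. It assumes Spring 5+ and the Servlet API; the path "/BigBoard", the attribute name and the 7-day value follow the question.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

// Extends the session timeout only while the session is used for /BigBoard and
// restores the saved timeout as soon as the same session requests another page.
public class BigBoardTimeoutInterceptor implements HandlerInterceptor {

    private static final String BIG_BOARD_PATH = "/BigBoard";            // path from the question
    private static final int BIG_BOARD_TIMEOUT_SECONDS = 604800;          // 7 days, as in the question
    private static final String SAVED_TIMEOUT_ATTR = "bigboard.savedTimeout"; // name chosen here

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) {
        HttpSession session = request.getSession(false);
        if (session == null) {
            return true; // no session yet: nothing to extend or to restore
        }
        String path = request.getRequestURI().substring(request.getContextPath().length());
        if (BIG_BOARD_PATH.equals(path)) {
            // Remember the container's normal timeout once, then extend for this page only.
            if (session.getAttribute(SAVED_TIMEOUT_ATTR) == null) {
                session.setAttribute(SAVED_TIMEOUT_ATTR, session.getMaxInactiveInterval());
            }
            session.setMaxInactiveInterval(BIG_BOARD_TIMEOUT_SECONDS);
        } else {
            // Any other page: put the timeout back so the 7-day window is not kept by a session used for ordinary browsing.
            Integer saved = (Integer) session.getAttribute(SAVED_TIMEOUT_ATTR);
            if (saved != null) {
                session.setMaxInactiveInterval(saved);
                session.removeAttribute(SAVED_TIMEOUT_ATTR);
            }
        }
        return true;
    }
}

// Registers the interceptor for every request so the restore branch also runs.
@Configuration
class WebConfig implements WebMvcConfigurer {
    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        registry.addInterceptor(new BigBoardTimeoutInterceptor());
    }
}
```

The restore only happens on the session's next non-board request, so a board session that is never used elsewhere keeps the long timeout until the container expires it.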

Would ajax request too often cause session expired?

I don't really deeply understand the session mechanism, but I know it well enough as a casual user of the technology. I have a page implemented with jQuery ajax requests. If I keep refreshing the page at a fast pace, it makes the session expire and I have to log in again. I would appreciate an explanation of the phenomenon and a solution to prevent it.
Sessions consist of two main parts:
cookies and server-side session data.
In a very short explanation:
the cookie contains a session ID that refers to the session data on the server. The server then fetches the data with the session ID and matches it inside a file with various parameters.
Your problem must be session timeout; it depends mainly on the configured session timeout parameter.
Your ajax requests only work if the session timeout hasn't expired; that's why it prompts you for login.
You can solve this by defining a service that does not require authentication: you can define your functions in a specific file with no session initialization so the request can bypass the security session, while your other pages that need security are secured at the same time. Like the Amazon mechanism.

Lift Session expires

I am new to Lift and trying to write a simple login application. When I leave my login page for some time and then enter username and password, it doesn't log in; instead it performs the session-expired behavior.
I checked the log and found that whenever I get the INFO - Session navoo0xdu1ia1vi8m1c0cnl3w expired log message, the above behavior happens.
I am not able to understand why the request is using the existing session even if it's already expired. Please guide me to where I can find documentation/examples/tutorials to understand this behavior and how to implement simple session-based login functionality.
Any help will be appreciated since this problem is a bottleneck for me. I googled a lot but couldn't find anything useful.
If your session is expiring then it is because of one of two things:
1) The value set in LiftRules.sessionInactivityTimeout
or
2) The value set for session expiry within your container session.
The former is actually set to nothing by default, which means the latter will override it. Be aware however that provided you are interacting with Lift and have not disabled the heartbeat pulse then sessions do not expire. If you watch the AJAX traffic you will notice a page heartbeat used for function GC which keeps the page bound functions alive.

How do websites generally log users out automatically when session expires?

How do websites generally log users out and send them to the log in screen automatically when a user's session expires? Is this done through ajax or running async handlers? Can you give me a bit of an explanation.
Banks and such use a client-side timeout via javascript, or something similar. Really, though, the server handles the actual session, so if you disabled the client-side logic it would act as if you were attempting to make transactions while logged out.
Use a cookie as well as a session.
The cookie must be set when a session is started.
If the cookie is present but the session is gone, redirect to the login screen.
If there is no session and no cookie, do nothing.
(Pardon me if you can't do that, because I never used ASP and am basing my answer on my PHP knowledge.)
Typically, you set an expiration timestamp on your session ID cookie. When the cookie fails to be sent, the client is logged off (no given session ID).
This method is often combined with JavaScript and another timestamp token. When the timers start running down, a notification is sent that allows the user to "refresh" their session... essentially, making a request before the session timestamp expires.
The "refresh" request could be anything, even something as simple as an image load.
If you are using Tomcat you can use its built in <security-constraint> mechanism within your web.xml definition. All of the timing, login screen, and page redirects are handled by Tomcat with little effort on your part other than definitions.
Oh, IIS... nevermind.
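The "cookie present but session gone" rule from the answers above, as an added example (not code from the thread) for a Java servlet container such as the Tomcat mentioned in the last answer: a Filter that uses the container's own knowledge of whether the session id the browser sent is still live, redirects browser navigations to the login screen, and answers ajax pollers with 401 so page script can do the redirect. It assumes Servlet API 4.0+ (Filter.init/destroy have defaults) and a login page at "/login"; the response header name is hypothetical.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Detects a request that carries a session id for which the container no longer
// holds a session, i.e. the session timed out or was invalidated server-side.
@WebFilter("/*")
public class ExpiredSessionFilter implements Filter {

    private static final String LOGIN_PATH = "/login"; // hypothetical login page

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Browser sent a session cookie (or URL id), but it maps to no live session:
        // that is the "cookie present, session gone" case.
        boolean cookieButNoSession = request.getRequestedSessionId() != null
                && !request.isRequestedSessionIdValid();
        String path = request.getRequestURI().substring(request.getContextPath().length());

        if (cookieButNoSession && !path.startsWith(LOGIN_PATH)) {
            if ("XMLHttpRequest".equals(request.getHeader("X-Requested-With"))) {
                // Ajax poller: XHR follows a redirect silently, so return 401 and let
                // the page script send the whole window to the login screen.
                response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
                response.setHeader("X-Session-Expired", "true"); // hypothetical header
                return;
            }
            response.sendRedirect(request.getContextPath() + LOGIN_PATH + "?expired=1");
            return;
        }
        // No cookie and no session (fresh visitor), or a valid session: continue.
        chain.doFilter(req, res);
    }
}
```

The server remains the authority on expiry; the 401 and the redirect only tell the client what the container has already decided, so disabling client-side script changes nothing about access.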
