0

For logging purposes, I am interested in detecting when a session timeout occurs in my JSF application.

I have implemented a PhaseListener that checks if users are logged in and have their session already active. My implementation of afterPhase method is:

  • var url_accepted (used in the code) contains a list of public pages that users should have access in order to provide a login form.

    public void afterPhase(PhaseEvent event) {
    FacesContext context = event.getFacesContext();
    HttpSession session = (HttpSession) context.getExternalContext().getSession(true);

    AuthenticationBean sessionBean = (AuthenticationBean) session.getAttribute("sessionBean");

    String url_req = context.getViewRoot().getViewId();

    //1. Check if user has a session and is logged in:
    if(((sessionBean == null) || (sessionBean != null && !sessionBean.isLoggedIn())) && !url_accepted.contains(url_req)){
        context.getApplication().getNavigationHandler().handleNavigation(context,null,"auth_error");
        return;
    }

//2. Code continues in order to check if a logged user has permissions to access the requested page(not relevant):        
}

When an user has been disconnected due to a session timeout, the PhaseListener cannot retrieve my sessionBean from the ExternalContext and assigns null to the sessionBean attribute. At this point I cannot distinguish whether the user hasn't been logged-in before or has been disconnected by timeout.

I've read that one can use errorPages in order to detect a ViewExpiredException exception and redirect the view to a specific page. But i don't know if it's possible to manage this exception in my source code.

My question is: Can I catch this ViewExpiredException inside my PhaseListener implementation in order to handle a session timeout?

Thanks in advance.

Luiggi Mendoza
  • 85,076
  • 16
  • 154
  • 332
jmrodrigg
  • 600
  • 6
  • 24

1 Answers1

1

I've faced the same scenario in a JSF project. The solution was to use a Filter to catch the session expired. BalusC (JSF Expert) explains this matter and shows a good example:

Additional, don't forget to add session.invalidate() in your logout method and in your session timeout handler.

Luiggi Mendoza
  • 85,076
  • 16
  • 154
  • 332
  • Thank you for the reference & advice. I'll see if I can adapt this BalusC solution in my project. – jmrodrigg Jul 27 '12 at 11:14
  • If you have any question, just update your post and leave a comment here so I could help you. – Luiggi Mendoza Jul 27 '12 at 15:05
  • I've been analysing the example proposed by BalusC, but I don't get where he manages the timeout logout. I think he doesn't make any action. The problem I have in my application already works for session timeout, but I need to catch when it happens so I can log which user has been disconnected because of this. Let me know if it's already implemented in BalusC code, I'll dig in more detail into the code. – jmrodrigg Jul 31 '12 at 12:43