Session timeout does't work vaadin

Question

I'm developing an vaadin web application and I added the following snippet of code in my web.xml.

<session-config>
    <session-timeout>30</session-timeout>
</session-config>

Now i noted the also after 30 minutes my users are able to use the appllication and I don't want this. I read somethings about this problem on vaadin book, but I don't undestrand somethings.

From vaadin book:

Session Timeout After User Inactivity

In normal servlet operation, the session timeout defines the allowed time of inactivity after which the server should clean up the session. The inactivity is measured from the last server request. Different servlet containers use varying defaults for timeouts, such as 30 minutes for Apache Tomcat. You can set the timeout under with:

In a web.xml:
<session-config>
   <session-timeout>30</session-timeout> 
  </session-config>
The session timeout should be longer than the heartbeat interval or otherwise sessions are closed before the heartbeat can keep them alive. As the session expiration leaves the UIs in a state where they assume that the session still exists, this would cause an Out Of Sync error notification in the browser.

However, having a shorter heartbeat interval than the session timeout, which is the normal case, prevents the sessions from expiring. If the closeIdleSessions parameter for the servlet is enabled (disabled by default), Vaadin closes the UIs and the session after the time specified in the session-timeout parameter expires after the last non-heartbeat request.

In a web.xml:
<servlet>
...
<init-param>
  <param-name>closeIdleSessions</param-name>
  <param-value>true</param-value>
</init-param>

Now I think the problem is that my application server leaves the UIs in a state where they assume that the session still exists but I'm not able to understand What is the heartbeat? and What the closeSessionId do precisely?

For testing give it 1 min and check it's working or not. – Deepu--Java Oct 10 '14 at 08:13 — Deepu--Java, Oct 10 '14 at 08:13

score 2 · Accepted Answer · answered Oct 10 '14 at 08:43

2

The heartbeat indicates that the client side is still exist. For example when the user close the browser, the client side can't send heartbeat anymore, the server detect this and clean the UI on the server side. By default this keep the session alive forever. Thus if it isn't the expected behavior you have to set this in the web.xml:

<init-param>
    <description>Enable Session Timeout</description>
    <param-name>closeIdleSessions</param-name>
    <param-value>true</param-value>
</init-param>

answered Oct 10 '14 at 08:43

Krayo

2,492
4
27
45

If I understood, if the client close the browser no heartbeat is send and then the server is not able to figure out when close the session? – Skizzo Oct 10 '14 at 09:17
1

@Skizzo I think if the client close the browser then the session will expire after 30 minutes. But if the client keep open the browser for hours then the session stay alive by default. If you set the `closeIdleSessions` to true, then the session will expire after 30 minutes even if the browser is still open (and no user activity of course). – Krayo Oct 10 '14 at 09:34
I think this topic is really interesting, if on the Book of Vaadin it is said that `The inactivity is measured from the last server request`, then how does the server detect that a session is inactive when the user closes the browser if the browser doesn't send requests anymore (as it was closed)??? Does the server uses an event loop or something and triggers an event indicating that it doesn't receive requests from the client anymore? – tonix Feb 20 '15 at 09:48

Session timeout does't work vaadin

1 Answers1