
I'm developing a webapp, purely in JS and REST WS, deployed on WebLogic. Using FORM auth for login and session invalidation for logout.

For session timeout I have two logics:

1) web.xml session timeout configuration

2) JS timer that checks for a click or keypress event, else calls the Logout servlet with the param sessiontimeout

Now the problem is: say the user is active at the client side by accessing JS files but hasn't made any REST WS calls. I cannot show any notification to the user that the session has timed out. This is because of logic 1, which does not allow me to configure any way to specify which page to redirect to or to pass any request parameters.

Logic 2 works fine: the moment the client is inactive for 30 mins it calls the Logout?sessionTimeout=true servlet with request params from the client, which solves my problem. BUT this happens very rarely, like 10 in 100 cases, and 90 times it's logic 1.

The only solution I can think of is to remove the web.xml session config and just have the JS session timer check and invalidate if TRUE. BUT is this a correct approach/design?

Experts please share your thoughts.

Prateek Agarwal

1 Answer


You want to maintain most of the timeout logic on the server (where it's less likely to be modified/hacked) and create a service which can be called from the client that periodically asks the server if the session it has is still valid.

A best practice would be to generate a token for the user at the start of the session and pass that with the first response, potentially saving it in a cookie. The token's identity and expiration time are maintained by the server.

The client would check, say every 30 seconds, if the session is expired by reading the token id from the cookie and passing it to the server in an AJAX call. The server then responds whether that token is valid or not. When the client receives a not-valid response from the server, it navigates the user to a login page.

On the server side, if you get a request for a page and the cookie passed includes a token that is either not recognized OR expired, then just redirect the user to the login page.

Another advantage of maintaining the majority of the timeout logic on the server is that if a client is browsing with JavaScript turned off, your session timeout logic still works perfectly.

  • With sessions that expire you should use a token that has expiration. You would update this cookie on every page request. What Sarah suggests is what most bank companies do. – Amir Raminfar Jul 16 '16 at 17:54
  • The major problem is the redirection, which the server does automatically upon session timeout. In my case the header, footer and navigation are static and only the content in the center changes. 90% of the time the login page is rendered in the center panel with the header, footer and navigation. I've no clue how to redirect in this case. – Prateek Agarwal Jul 16 '16 at 20:24