Does Liferay generate some event or action when the user session is timed out? I want to perform some action (refresh the page) as soon as the session is timed out (I don't want to auto-renew the session; this I am aware of). The issue is that we have removed the warning that the session has timed out. So the user is actually not aware that his session is timed out. So if he performs some action (changing his profile image), then he makes changes to the Guest user (it changes the image for the Guest user, as the session was timed out).

Dhruv Pandey

1 Answer

If you allow guest users to change data on your system, you have a problem in the underlying architecture and should implement proper permission checking. I'm assuming that you're not talking about Liferay's default UI, which should already do the proper checks.

As far as I'm concerned, this brings you 99.99% the way you want to go: Implementing a page change when the session times out is unfriendly to the user - as they might just be in the process of editing data, when they're directed away from that half-filled form just before they're submitting it.

From a user experience standpoint, you probably want to reactivate the session timeout.

The next problem that you're facing otherwise is that the browser and the server both count down on the session, and it's not guaranteed that they're fully in sync. Assume the browser redirects to a new page 1 second before the server would time out the session: This would effectively extend the session (while any user input is lost without warning anyway). This is a lose-lose. Turn this around and add a safety-minute to the browser's countdown and you might run into the opposite: The user expects to still be logged in, submits. If you still have the same faulty implementation that you write about, you're changing data as a guest user again. Another lose-lose.

Compare with reactivating the countdown, which then explicitly logs out after warning: User gets warned upfront, can extend the session, doesn't lose data and - if they don't extend - session memory on the server will be freed in time. Win-win-win.

Probably not the answer that you've expected, but IMHO the one solution to this problem.

Olaf Kock
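
The timing race and the permission check discussed in the answer above, as an added example that is not part of the original answer and is not Liferay code. It is a constructed model: the 1800-second timeout and all function names are assumptions made for illustration.

```javascript
// Constructed model, not Liferay code. Times are plain seconds, no real timers.
const TIMEOUT = 1800; // assumed 30-minute server session timeout

function makeServer() {
  let lastSeen = 0; // time of the last request made while signed in
  return {
    expiresAt: () => lastSeen + TIMEOUT,
    // Returns the identity a request runs as. Any request that arrives
    // before expiry restarts the server's countdown (sliding expiry).
    request(now) {
      if (now >= lastSeen + TIMEOUT) return "guest";
      lastSeen = now;
      return "user";
    },
    // The faulty write from the question: applies the change as whoever
    // the request happens to run as, including the guest.
    uncheckedWrite(now) {
      return { status: 200, changedAs: this.request(now) };
    },
    // The same write with a permission check: a guest changes nothing.
    checkedWrite(now) {
      const who = this.request(now);
      if (who === "guest") return { status: 403, changedAs: null };
      return { status: 200, changedAs: who };
    },
  };
}

// Browser countdown firing `offset` seconds before (-) or after (+) the server's.
const browserFiresAt = (offset) => TIMEOUT + offset;

// Case 1: the browser redirects 1 s early. The redirect is itself a request,
// so the session is extended by a full timeout.
function earlyRedirect() {
  const server = makeServer();
  server.request(0); // last real user activity
  const runsAs = server.request(browserFiresAt(-1));
  return { runsAs, expiresAt: server.expiresAt() };
}

// Case 2: the browser adds a safety minute. The user submits 30 s before the
// browser would fire, which is 30 s after the server already expired.
function lateSubmit(writeName) {
  const server = makeServer();
  server.request(0);
  return server[writeName](browserFiresAt(60) - 30);
}
```

Whatever the browser timer does, only the server-side check decides whether an expired session can change data; the client countdown is a usability aid.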