2

I can logout user after defined time of inactivity.

<session-timeout>240</session-timeout>

But, is there some way to logout in specified time, or better, for example until 5 minutes of inactivity after specified time.?

BalusC
  • 1,082,665
  • 372
  • 3,610
  • 3,555
gaffcz
  • 3,469
  • 14
  • 68
  • 108
  • I do not understand why you don't just edit the `` from 240 minutes to 5 minutes. – BalusC May 30 '11 at 11:31
  • Because, users are using it at waves. Sometimes it's used permanently, sometimes only time to time. In second case, logout after 5 minutes of inactivity causes regularly logoffs and it's not user friendly – gaffcz May 30 '11 at 11:36
  • i've made a new answer (about strange behaviour of listener) – gaffcz May 30 '11 at 11:37
  • So you want to be able to change the session timeout on specific requests? If so, which and when? Which requests needs a timeout of 240 mins and which needs a timeout of 5 mins? When would you like to change it? – BalusC May 30 '11 at 11:48
  • Worktime is divided to shifts, during a shift it should be for example 30 minutes (240 is too much of course) and 5 minutes after actual shift ends (for example at 2.05pm) – gaffcz May 30 '11 at 11:53

3 Answers3

5

You can change the session timeout by HttpSession#setMaxInactiveInterval() wherein you can specify the desired timeout in seconds.

When you want to cover a broad range of requests for this, e.g. all pages in folder /admin or something, then the best place to do this is to create a Filter which is mapped on the FacesServlet which does roughly the following job:

@Override
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws ServletException, IOException {
    HttpServletRequest request = (HttpServletRequest) req;
    HttpSession session = request.getSession();

    if (request.getRequestURI().startsWith("/admin/")) {
        session.setMaxInactiveInterval(60 * 5); // 5 minutes.
    } else {
        session.setMaxInactiveInterval(60 * 240); // 240 minutes.
    }

    chain.doFilter(req, res);
}

In a JSF managed bean the session is available by ExternalContext#getSession():

HttpSession session = (HttpSession) FacesContext.getCurrentInstance().getExternalContext().getSession();
// ...

Or when you're already on JSF 2.1, then you can also use the new ExternalContext#setSessionMaxInactiveInterval() which delegates to exactly that method.

BalusC
  • 1,082,665
  • 372
  • 3,610
  • 3,555
  • Thank you, i'll try to understand it later (after other session stuff) :) – gaffcz May 30 '11 at 12:20
  • I've return to this article and I have to thank you again (see my updated post if you want) :-) – gaffcz Jul 25 '11 at 07:27
  • You're welcome. If the above answer was the most helpful and was finally your accepted solution, why isn't is marked accepted then? – BalusC Jul 25 '11 at 11:48
1

Automatically - no.

You'd have to:

  • store all sessions in a Set. Do this in a HttpSessionListener when they are created.
  • at the given time (using quartz for example) .invalidate() them
Bozho
  • 588,226
  • 146
  • 1,060
  • 1,140
1

What Bozho has given you is correct, what you are seeing most likely is that when you press your logout button, the session is being destroyed, but the servlet container is then being directed to a "post logout" page, which automatically causes a session to be created (Hence "Session Destroyed" followed by "Session Created").

Short of creating your own session handling system, I don't know how you would get around this. (I've had this issue in the past and it disappeared after we created our own session system)

Crollster
  • 2,751
  • 2
  • 23
  • 34