2

In this website I need a system that logs the user out after 10 minutes. In order to log in I use a simple procedure of inserting a user (in my case called Lid) instance, and the logout invalidates the session. Additionally, when the user logs in, a TimerTask within a Timer starts, and after 10 minutes invalidates the session.

Here is the code:

```java
MyTask task = null;

private void setCurrent(String key, Object o) {
    getRequest().getSession().setAttribute(key, o);
}

private <T> T getCurrent(String key) {
    T value = (T) getRequest().getSession().getAttribute(key);
    return value;
}

public void logIn(Lid lid) {
    setCurrent("lid", lid);
    Timer timer = new Timer();
    task = new MyTask(getRequest().getSession());
    System.out.println(task.toString());
    timer.schedule(task,10*60*1000);
}

public void logOut() {
    task.cancel();
    getRequest().getSession().invalidate();
}
```

This is the MyTask code:

```java
public class MyTask extends TimerTask {

    HttpSession session = null;

    public MyTask(HttpSession session) {
        this.session=session;
    }

    @Override
    public void run() {
        session.invalidate();
    }

}
```

The problem is that when I voluntarily log out, it throws an exception because it says that the task variable is null, and so it becomes not possible to call cancel() on the task variable.

But I don't get it, after logging in the variable is instantiated, it's not null.

Do you have some advice about this? Thank you

Paul Bellora
JBoy
  • Does the logout method get called both when you log out and when the timer ends? Neither the flow of the code nor the actions executed by the user are clear to me. – Mosty Mostacho Oct 01 '11 at 22:50
  • Yes, there is a link "logout" that calls the above log-out method, so the session gets invalidated and the lid "user" instance is erased from the session. At the same time I wanna cancel the task, as it would invalidate the session of the next user, so I call the cancel method on the MyTask object. – JBoy Oct 01 '11 at 22:55
  • What I get is this: You login and execute the "logIn" method. This assigns "task" a value different than null. Then you manually logout and execute the "logOut" method and this fires an exception because "task" is null. This means you have never executed "logIn" or you have nulled the value somewhere else. – Mosty Mostacho Oct 01 '11 at 23:00
  • Indeed this is my problem, the task instance is never or nowhere nulled after instantiation – JBoy Oct 01 '11 at 23:04
  • Where does that first piece of code belong? In some Stripes related bean? If so, then this is likely unrelated to servlets. I can at least only say that using `Timer` in a life long running Java EE webapp is a recipe for disaster (not related to the kind of problem you currently encounter). Consider looking at the `java.util.concurrent` API. – BalusC Oct 01 '11 at 23:53
  • @Balus, the first piece of code belongs to the ActionBeanContext. I understand your point, I actually never thought about concurrency. Would you then prefer to use ? – JBoy Oct 02 '11 at 06:31
  • What you're right now trying to do is different from ``. The `` invalidates the session x minutes after *last* visit. Yours invalidates it x minutes after *first* visit. – BalusC Oct 02 '11 at 11:09
  • Which alternative would you use? Why do you consider Timer a risky option? – JBoy Oct 02 '11 at 14:26
  • Those are no alternatives to the same problem. Those approaches are very different. Why did you choose for invalidating the session x minutes after *first* visit? Is it just ignorance? Or are you creating for example some limited demo webpage which may be viewed for at highest 10 minutes only, regardless of the user activity? Or do you *actually* want to timeout the session 10 minutes after *last* visit? (your initial idea doesn't do that at all...). As to Timer, you're wasting threads this way and any exception will kill the entire thread. – BalusC Oct 03 '11 at 19:17
  • I will do it with the session timeout as it seems the best option and is working fine. It is not ignorance, the owner of the webapp wants each log-in session not to be longer than 10 minutes. – JBoy Oct 03 '11 at 19:31
  • I understand, but those approaches are very different. Your initial approach will invalidate the session after 10 minutes, **regardless of user activity**, so the user will be *always* logged out after 10 minutes. The `` approach will invalidate the session in 10 minutes after **last visit**, so the user can be active for hours as long as it is firing *at least* one request per 10 minutes. So I just wondered if you ever have thought about that or if it was plain ignorance. – BalusC Oct 04 '11 at 12:19

1 Answer

1

Why not just let the web container handle session time-out for you? If you put the code below in your web.xml, all inactive sessions will expire in 10 minutes:

```xml
<session-config>
  <session-timeout>10</session-timeout>
</session-config>
```

Kdeveloper
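
The two expiry policies contrasted in the comments can be combined without a `Timer`: keep the container's `<session-timeout>` for idle expiry and check the session's age on each request for the hard 10-minute limit. The filter below is an added example, not code from the question or the answer; the `loginTime` attribute name and the `/login` path are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example: enforces a hard 10-minute limit per login without a Timer.
public class AbsoluteTimeoutFilter implements Filter {

    static final String LOGIN_TIME = "loginTime";   // assumed attribute name
    static final long MAX_AGE_MS = 10L * 60 * 1000; // absolute limit per login

    // Pure check, kept separate so it can be unit-tested without a container.
    static boolean isExpired(Long loginTime, long now) {
        return loginTime != null && now - loginTime >= MAX_AGE_MS;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpSession session = request.getSession(false); // never create a session here
        if (session != null) {
            Long loginTime = (Long) session.getAttribute(LOGIN_TIME);
            if (isExpired(loginTime, System.currentTimeMillis())) {
                // Only this request's own session is touched, so one user's
                // expiry can never invalidate another user's session.
                session.invalidate();
                ((HttpServletResponse) res).sendRedirect(
                        request.getContextPath() + "/login"); // assumed login path
                return;
            }
        }
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }
}
```

For this to take effect, `logIn` would store the start time with `setCurrent("loginTime", System.currentTimeMillis())`. The check runs only when a request arrives, so a session that receives no further requests is still removed by the container's idle timeout.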