tomcat-users mailing list archives

From "Craig R. McClanahan" <Craig.McClana...@eng.sun.com>
Subject Re: detecting timeout (was: Session Problem)
Date Thu, 04 Jan 2001 22:21:42 GMT
"COLE,GLENN (Non-HP-SantaClara,ex2)" wrote:

> Craig McClanahan writes:
>
> >The strategy I follow is to store a username (or some User object) as a session
> >attribute when the user logs on, like this:
> >
> >    HttpSession session = request.getSession();
> >    String username = ... whatever the username is ...
> >    session.setAttribute("user", username);
> >
> >Now on every request, I can check very simply whether the user is logged on or
> >not:
> >
> >    HttpSession session = request.getSession();
> >    String username = (String) session.getAttribute("user");
> >    if (username == null) {
> >        ... the user is *not* logged on ...
> >    } else {
> >        ... the user *is* logged on ...
> >    }
> [snip]
> >* If the user comes back before the session has timed out,
> >  the "user" attribute will still be present.
> >
> >* If the session has timed out, a new session will be created
> >  by the logic above -- but the "user" attribute will be missing
> >  (because the user has not gone through your "login" yet).
> >  Typically, you would redirect them to the login page here.
>
> If the user tries to bookmark a page inside the application,
> so they can return at a later date without signing on (a no-no),
> the symptom appears the same.
>

That's why I mentioned in the text above to do a check like this on *every*
request.  Similar code would be needed at the top of every JSP page in a
servlets+JSP app -- in the Struts Framework <http://jakarta.apache.org/struts>
example application, I demonstrate how to build a nice little custom tag that
does this for you so that you don't have to laboriously cut and paste the code.

>
> So the question I had was:  how can I detect whether they tried this
> "deep bookmark," or whether the session just timed out?

If you care, you can try the "check the referer" trick, but if you're going to
do the same thing anyway (redirect the user to the login page), does it really
make a difference?

>
> Thanks to the RequestHeaderExample servlet, I think I just found an
> answer.  The header "referer" appears to be set when the page is accessed
> from a link, and contains the full URI of the original page.  (The header
> is not set if the new URI is entered directly.)
>
> Thus, it appears the following will work (Apache 1.3.12 + Tomcat 3.2.1):
>
>    String referer = request.getHeader( "referer" );
>    if( referer == null  ||  referer.toUpperCase().indexOf( "X.COM" ) < 0 ) {
>       ... deep bookmark ...
>    } else {
>       ... timeout ...
>    }
>
> Is there a better way?
>

> --Glenn, who should probably lurk longer before asking

Craig McClanahan
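
Added example, not part of the original message and not code from Tomcat or Struts: the per-request login check discussed in this thread, written as a servlet Filter that tells a timed-out session from a first visit with `getRequestedSessionId()` and `isRequestedSessionIdValid()` instead of the client-supplied `referer` header. Assumptions: a container that supports filters (Servlet 2.3 or later, `javax.servlet` namespace), and the hypothetical names `LoginCheckFilter`, `/login.jsp` and the `reason` parameter.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example: class name, login path and "reason" parameter are hypothetical.
// Map this filter to the protected URLs; the login form's submit target must
// stay outside the mapping or be exempted like LOGIN_PAGE below.
public class LoginCheckFilter implements Filter {
    private static final String LOGIN_PAGE = "/login.jsp"; // assumed path

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Let the login page itself through, otherwise the redirect loops.
        if (LOGIN_PAGE.equals(request.getServletPath())) {
            chain.doFilter(req, res);
            return;
        }

        // getSession(false) never creates a session, so an expired or absent
        // session is null here instead of a fresh empty one.
        HttpSession session = request.getSession(false);
        Object user = (session == null) ? null : session.getAttribute("user");
        if (user != null) {
            chain.doFilter(req, res); // logged on: continue to the resource
            return;
        }

        // The browser presented a session id the container no longer knows:
        // most likely a timeout. No id at all: bookmark or first visit.
        // This is only a hint for the login page's message; the id, like the
        // referer header, comes from the client. Access is decided solely by
        // the server-side "user" attribute checked above.
        boolean staleId = request.getRequestedSessionId() != null
                && !request.isRequestedSessionIdValid();
        String reason = staleId ? "timeout" : "login";
        response.sendRedirect(response.encodeRedirectURL(
                request.getContextPath() + LOGIN_PAGE + "?reason=" + reason));
    }
}
```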
