tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Adam Gordon <>
Subject Re: Session expiration and AJAX issues
Date Mon, 25 Feb 2008 18:10:55 GMT

We are using Struts, however, version 1.2.9.  But, after looking at the 
link, I'm not sure this will help as it doesn't really address the 
problem.  Storing the date/time a user logs in on the session is 
probably useful, but our problem is that we want to forcefully log the 
user out if there's no human present at the computer and the AJAX tasks 
keep a user's session active indefinitely, whether or not they mean it to.

Additionally, assuming we didn't have the AJAX tasks, we'd have to check 
the logged in time from the session on every request and that's just not 
realistic when you have hundreds of Struts actions, even with a unique 
parent Action class.  That said, I'm beginning to suspect that this may 
be the only way to go, i.e., have  base Action for Struts actions and 
base action for AJAX actions.  My only issue with this is that then the 
onus is on the developer to use the right Action and if they don't, a 
session could inadvertently be left open which is a security risk.

Alternatively, we could simply force the logout on the user after 12 
hours period...which would kind of suck for the user if they were in the 
middle of something and so I can almost guarantee that our product 
management team wouldn't go for it since it's not really creating a 
positive user experience.


Martin Gainty wrote:
> Hi Adam-
> You can try this with Struts..
> insert the starting-date-time intio Session variable
> and then in the logoutAction.execute method do some quick math on the
> time-delta to determine if you want to quiesce the session
> M-
> ----- Original Message -----
> From: "Adam Gordon" <>
> To: "Tomcat Users List" <>
> Sent: Monday, February 25, 2008 11:04 AM
> Subject: Session expiration and AJAX issues
>> A couple of issues:
>> We've set our session expiration to 12 hours (I know it's long) and
>> we're seeing behavior where certain browsers (namely IE) apparently
>> can't count that high (we set the meta Refresh header but the page
>> doesn't reload after the allotted time, session expiration time + 20
>> minutes).
>> Since this issue was discovered, we've added background AJAX timers on
>> some of our web pages that refresh (authenticated) content.  While this
>> happily works, unfortunately, if the user chooses to remain on one of
>> these pages, and then goes on vacation, the session stays active because
>> the AJAX calls keep the session alive.
>> Our first attempt at a solution was to have a JavaScript counter that,
>> after every 20 minutes, incremented a counter and if that counter ever
>> got to 37, we knew that the user hadn't changed web pages and we could
>> log them out (window.location = <logout URL>.  The problem is that this
>> doesn't appear to work either and additionally, it relies on JavaScript
>> bypassing Tomcat's built-in features.  User's cannot log in w/o having
>> JavaScript enabled, so it's not a matter of a user potentially disabling
>> it, rather it puts the onus on the browser to inform the server that the
>> user's session needs to be expired.
>> Does anyone have experience in this area and if so, how have you solved
>> this problem?  I know Google uses AJAX with their Gmail webapp, but they
>> don't seem to care about not expiring the user's session.  Any help
>> would be appreciated.
>> Thanks,
>> --adam
>> ---------------------------------------------------------------------
>> To start a new topic, e-mail:
>> To unsubscribe, e-mail:
>> For additional commands, e-mail:

To start a new topic, e-mail:
To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message