tomcat-users mailing list archives

From Christopher Schultz
Subject Re: Detecting Expired Session via JavaScript?
Date Tue, 01 Dec 2015 19:28:17 GMT

On 12/1/15 12:30 PM, Jerry Malcolm wrote:
> I'm looking for a way to detect that the current session has expired (or
> logged out via another tab on the browser).  I know I could just issue
> dummy requests to the server and see if a login page comes back.  But
> issuing requests automatically resets the session timer. I need a benign
> way to query that doesn't keep the session alive forever.
> I'm sure this problem has been solved before.  But basically, I want to
> know that the session is no longer valid and force the user back to the
> login page.  I know one possibility is to set the Tomcat timer to 30 min
> expiration, and then keep a '29 minute' timer running in the browser. 
> But my clients can change the tomcat session timer length. 

When you generate your HTML page, toss the
HttpSession.getMaxInactiveInterval into the page somewhere, then wait
that number of minutes. Don't hard-code 29 minutes (though 31 would have
been a better time to wait if you didn't want to automatically-extend
the session).

> And also this doesn't account for a logoff using the same session on
> a different browser tab.  I'd really like a pro-active query method
> if anything like that exists.

Try something like this:

- Set -Dorg.apache.catalina.core.StandardHostValve.ACCESS_SESSION=false
  (false is the default if org.apache.catalina.STRICT_SERVLET_COMPLIANCE
   is not set to "true")

- Write a quick page like this:

  <%-- session="false" keeps this JSP from creating a session of its own --%>
  <%@ page session="false" contentType="application/json" %>
  { "valid" : <%= request.isRequestedSessionIdValid() %> }

Then you can request this page to see the value of "valid".

I wasn't able to tell if the isRequestedSessionIdValid method is
supposed to "touch" the session's last-update-timestamp. I read some
code in Tomcat and didn't find a "touch" but that doesn't mean it
couldn't change. I didn't see anything in the spec that specifically
said that method doesn't "touch" the session.
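
A browser-side poller for the status page suggested above, as an added example that is not part of the original message or of Tomcat. The function names and the URLs in the usage comment are assumptions, and it assumes the status page does not extend the session, which the message says was not confirmed. It treats a redirect, a non-JSON body or anything other than a literal `true` as an expired session.

```javascript
// Added example. checkSession, watchSession and the URLs in the usage comment
// are assumed names, not part of Tomcat or of the original message.

// Ask the status page whether the requested session id is still valid.
// Returns 'valid', 'expired' or 'unknown' (network failure).
async function checkSession(fetchFn, url) {
  let res;
  try {
    res = await fetchFn(url, {
      credentials: 'same-origin', // send the session cookie
      cache: 'no-store',          // never answer from the browser cache
      redirect: 'manual',         // a bounce to the login page is not an answer
      headers: { Accept: 'application/json' },
    });
  } catch (e) {
    return 'unknown';             // do not log the user out on a network blip
  }
  if (!res.ok) return 'expired';  // includes the opaque result of a redirect
  const type = (res.headers.get('content-type') || '').toLowerCase();
  if (!type.startsWith('application/json')) return 'expired'; // e.g. HTML login form
  try {
    const body = await res.json();
    return body.valid === true ? 'valid' : 'expired'; // strict: "true" is not true
  } catch (e) {
    return 'expired';             // unparseable body: treat as logged out
  }
}

// Poll every pollSeconds and call onExpired once when the session is gone.
// pollSeconds can be derived from the interval the server writes into the page
// (HttpSession.getMaxInactiveInterval() reports seconds).
function watchSession({ fetchFn, url, pollSeconds, onExpired, setTimer = setTimeout }) {
  let stopped = false;
  const tick = async () => {
    if (stopped) return;
    if ((await checkSession(fetchFn, url)) === 'expired') {
      stopped = true;
      onExpired();
      return;
    }
    setTimer(tick, pollSeconds * 1000);
  };
  setTimer(tick, pollSeconds * 1000);
  return () => { stopped = true; }; // call to stop polling
}

// Browser usage (URLs are placeholders):
// watchSession({ fetchFn: (u, o) => fetch(u, o), url: '/session-check.jsp',
//   pollSeconds: 60, onExpired: () => location.assign('/login') });
```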

