How to distinguish between logout and session duration?

Case 1: Logging out: as soon as we log out, if someone tries to access the previous page, they should be automatically redirected to login.jsp.

Case 2: The session has expired: if the session expires while the user is still logged in and they then access the previous page, they should be automatically redirected to sessionExpired.jsp.

How do I differentiate between the two? I am currently invalidating the session on logout.

java jsp session session-timeout

When logging in, set a cookie with a long validity period (> 24 hours). Delete this cookie during logout by setting its max age to 0.

For any user without a valid login (i.e. an invalid session id): if the cookie does not exist, redirect them to login.jsp.

If the cookie exists, their session has expired, so redirect them to session-expired.jsp.

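The marker-cookie approach from the answer above, written out as a complete servlet filter. This is an added example, not the answerer's own code: the url-pattern, the cookie name loggedIn, the seven-day lifetime and the page names are assumptions for this example. The marker carries no secret and grants nothing; it only records that this browser logged in at some point and was never explicitly logged out, and the real authentication state still lives in the server-side session.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example of the marker-cookie approach (not the answer's own code).
 * The url-pattern, cookie name and page names are assumptions for this example.
 */
@WebFilter("/secured/*")   // hypothetical pattern; must NOT cover login.jsp or session-expired.jsp
public class MarkerCookieFilter implements Filter {

    static final String MARKER = "loggedIn";                 // hypothetical cookie name
    static final int MARKER_MAX_AGE = 7 * 24 * 60 * 60;      // 7 days, far beyond the session timeout

    private static Cookie marker(HttpServletRequest req, String value, int maxAge) {
        Cookie c = new Cookie(MARKER, value);
        c.setMaxAge(maxAge);
        c.setPath(req.getContextPath().isEmpty() ? "/" : req.getContextPath());
        c.setHttpOnly(true);   // page scripts never need to read it
        c.setSecure(true);     // assumes the application is served over HTTPS
        return c;
    }

    /** Called by the login servlet after the credentials have been verified. */
    public static void onLogin(HttpServletRequest req, HttpServletResponse res, String user) {
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();  // drop the pre-login session so a fixated session ID is never promoted
        }
        req.getSession(true).setAttribute("user", user);
        res.addCookie(marker(req, "1", MARKER_MAX_AGE));
    }

    /** Called by the logout servlet. */
    public static void onLogout(HttpServletRequest req, HttpServletResponse res) {
        HttpSession s = req.getSession(false);
        if (s != null) {
            s.invalidate();
        }
        res.addCookie(marker(req, "", 0));  // max age 0 tells the browser to delete the marker
    }

    static boolean hasMarker(HttpServletRequest req) {
        Cookie[] cookies = req.getCookies();
        if (cookies == null) {
            return false;
        }
        for (Cookie c : cookies) {
            if (MARKER.equals(c.getName())) {
                return true;
            }
        }
        return false;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(false);   // never create a session here

        if (session != null && session.getAttribute("user") != null) {
            chain.doFilter(request, response);              // authenticated, continue
            return;
        }
        // No authenticated session. The marker decides which page the user sees:
        //   present -> they logged in earlier and never logged out, so the session timed out
        //   absent  -> they never logged in, or they logged out explicitly
        String target = hasMarker(request) ? "/session-expired.jsp" : "/login.jsp";
        response.sendRedirect(request.getContextPath() + target);
    }

    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}
}
```

The filter only ever reads the marker to choose a redirect target; it never treats the marker as proof of identity. A user who closes the browser without logging out keeps the marker, so on their next visit they land on session-expired.jsp rather than login.jsp, which is exactly the distinction the question asks for.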

You can detect an expired session by checking that HttpServletRequest#getRequestedSessionId() does not return null (this means the client sent a session cookie and therefore assumes that the session is still valid) and that HttpServletRequest#isRequestedSessionIdValid() returns false (which means that the session has expired on the server side).

In a nutshell:

    import java.io.IOException;
    import javax.servlet.Filter;
    import javax.servlet.FilterChain;
    import javax.servlet.FilterConfig;
    import javax.servlet.ServletException;
    import javax.servlet.ServletRequest;
    import javax.servlet.ServletResponse;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import javax.servlet.http.HttpSession;

    public class SessionFilter implements Filter {

        @Override
        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws ServletException, IOException {
            HttpServletRequest request = (HttpServletRequest) req;
            HttpServletResponse response = (HttpServletResponse) res;
            HttpSession session = request.getSession(false); // false: never create a session here

            if (request.getRequestedSessionId() != null && !request.isRequestedSessionIdValid()) {
                // The client sent a session ID the server no longer knows: the session expired.
                response.sendRedirect(request.getContextPath() + "/sessionexpired.jsp");
            } else if (session == null || session.getAttribute("user") == null) {
                // No session, or a session without a logged-in user: not logged in.
                response.sendRedirect(request.getContextPath() + "/login.jsp");
            } else {
                chain.doFilter(request, response); // logged in, continue the request
            }
        }

        @Override public void init(FilterConfig config) {}
        @Override public void destroy() {}
    }

No need to worry about extra cookies. Map this Filter on a url-pattern covering the secured pages (and thus excluding the session-expired and login pages!).

Remember to disable browser caching of the protected pages, otherwise the web browser will load them from the cache when the user navigates back through the browser history, instead of sending a new request to the server. You can achieve this by doing the following in the same filter before calling FilterChain#doFilter().

    response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP 1.1.
    response.setHeader("Pragma", "no-cache"); // HTTP 1.0.
    response.setDateHeader("Expires", 0); // Proxies.

If it were me, I would clear the session when the user logs out and create a boolean in it called HasLoggedOut, set to true. Then, if this boolean exists in the session, you know that they logged out; if it does not, the session either timed out or the user was never logged in.

Since you still cannot distinguish between a timeout and never having logged in, I usually decide that if they request an authenticated page, I simply send them to the session timeout page, which also doubles as the login page and says something like

"Unfortunately, we don’t know who you are, either your session has ended or you are not logged in, please log in below"

In this case, the same page is used for both scenarios.

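The HasLoggedOut flag approach from the answer above, as a complete filter. This is an added example, not the answerer's own code: the url-pattern, the attribute names, the combined login/timeout page and its reason parameter are assumptions for this example. The logout handler invalidates the authenticated session and then records the flag in a fresh session; creating that new session also makes the container issue a new session cookie, so the browser does not keep presenting the dead session ID afterwards.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example of the HasLoggedOut flag approach (not the answerer's own code).
 * The url-pattern, attribute names and page names are assumptions for this example.
 */
@WebFilter("/secured/*")   // hypothetical pattern; must not cover the login/timeout page
public class LoggedOutFlagFilter implements Filter {

    static final String USER = "user";
    static final String HAS_LOGGED_OUT = "HasLoggedOut";

    /** What the filter can tell about the caller. */
    enum State { AUTHENTICATED, LOGGED_OUT, TIMED_OUT_OR_NEVER_LOGGED_IN }

    /**
     * Explicit logout: invalidate the authenticated session (which forgets "user" and
     * everything else in it), then record the logout in a fresh, unauthenticated session.
     */
    public static void logout(HttpServletRequest req) {
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        req.getSession(true).setAttribute(HAS_LOGGED_OUT, Boolean.TRUE);
    }

    static State classify(HttpServletRequest req) {
        HttpSession s = req.getSession(false);   // never create a session while classifying
        if (s == null) {
            // No session at all: it timed out, or this browser never had one.
            return State.TIMED_OUT_OR_NEVER_LOGGED_IN;
        }
        if (s.getAttribute(USER) != null) {
            return State.AUTHENTICATED;
        }
        if (Boolean.TRUE.equals(s.getAttribute(HAS_LOGGED_OUT))) {
            return State.LOGGED_OUT;
        }
        // A session exists but nobody is logged in: created before login, or created after
        // the flagged session itself expired. Either way the user is not authenticated.
        return State.TIMED_OUT_OR_NEVER_LOGGED_IN;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        switch (classify(request)) {
            case AUTHENTICATED:
                chain.doFilter(request, response);
                break;
            case LOGGED_OUT:
                // Clean logout: plain login page, no "session ended" wording.
                response.sendRedirect(request.getContextPath() + "/login.jsp");
                break;
            default:
                // Combined page: "your session has ended or you are not logged in, please log in below".
                response.sendRedirect(request.getContextPath() + "/login.jsp?reason=timeout");
                break;
        }
    }

    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}
}
```

One limit worth knowing: the fresh session that carries HasLoggedOut is subject to the same timeout as any other, so a user who logs out and comes back after it has expired falls into the ambiguous branch again. That is why the combined login/timeout page the answer describes is the sensible fallback rather than a bug.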