Auto redirect user on timeout

392220
392220 Member Posts: 12
edited Oct 9, 2008 3:28PM in WebLogic Portal
Hello Friends,

I'm working on a WebLogic 10.2 portal application. Is there a way to automatically redirect the user to the login page upon timeout, like the Bank of America or AT&T sites?

One idea that came to me was implementing HttpSessionListener and doing something in the sessionDestroyed(HttpSessionEvent se) method. But how can I get a reference to the request and response objects in this method? Is this the correct way to approach this problem?

Please suggest.

Thanks
Jv

Answers

  • 648793
    648793 Member Posts: 96
    The time on the page has to be counted in JavaScript. When this time expires you show an alert; upon clicking on that alert, you can fire a request to your login page.
  • 655221
    655221 Member Posts: 116
    I'd be thinking server-side if it were me because the server is the thing that is keeping track of the session timeout. If these are resources that will never be accessed anonymously then you could let the web app container take care of it by setting up security constraints in WEB-INF/web.xml.
  • 648793
    648793 Member Posts: 96
    You are absolutely right thoefner, all these resources have to be secured. But how would you count, on the server, how long the user has been inactive?
    The point is that you want to warn the user after a certain time of inactivity and ask him to log in again.
  • 655221
    655221 Member Posts: 116
    I'd wait for the client to click on something that makes a request to a secured resource and then let the server figure out if they have timed out. They will get redirected to the login page without the developer having to write a line of code.

    If you write your own session timeout thingy then you have 2 timeouts to keep track of. If someone decides to change the session time-to-live for the web app (the setting the server uses) then someone is going to have to remember to change the custom client-side timer implementation. They won't remember to. I would bet on that.

    Maybe there is a reason to implement a timer on the client side but I don't see it. We have all this overhead of the web container... security is a big part of it... I say just let it do its job and save yourself from writing your own session timeout thingy.
  • 392220
    392220 Member Posts: 12
    edited Oct 9, 2008 11:19AM
    I was able to solve this issue partially (not automatic). After timeout, if the user takes any action (like clicking a submit button or another tab) they will be redirected back to the login page.

    This is how I'm doing it in my backing file:

        // No authenticated user: treat the request as coming from a timed-out session
        if (request.getRemoteUser() == null) {
            // Flag the new session so the login page knows a timeout occurred
            request.getSession(true).setAttribute("timeout", "yes");
            PostbackURL purl = PageURL.createPageURL(request, response, "PAGE_LOGIN");
            response.sendRedirect(purl.toString());
        }

    In my Login backing file:

        // Discard the session that only carried the timeout flag
        if (request.getSession().getAttribute("timeout") != null) {
            request.getSession().invalidate();
        }

    Not sure if this is the correct approach, but this works fine. I'm still looking for a way of automatically redirecting the user to login.

    Thanks,
    Jv

    Edited by: jvnk on Oct 9, 2008 11:18 AM
  • 392220
    392220 Member Posts: 12
    I considered the JavaScript approach, but how can JS keep track of time between page refreshes? I'm not that good at JavaScript :-) One thing to consider for this approach is that we are not allowed to have frames.

    Thanks,
    Jv
  • 648793
    648793 Member Posts: 96
    Do a Google search, man. :) Check this example: http://www.htmlite.com/JS018.php
  • 392220
    392220 Member Posts: 12
    Thank you :-)

    Maybe this URL will be helpful too - using cookies in JS
    http://www.javascriptkit.com/javatutors/cookie3.shtml
  • 648793
    648793 Member Posts: 96
    "I'm still looking for a way of automatically redirecting user to login." Check out this URL: http://e-docs.bea.com/wls/docs100/webapp/web_xml.html#wp1019996

    This is a very old approach, if you are using form-based authentication, which I think you are using.
This discussion has been closed.
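
One way to get the automatic redirect while keeping the container's session timeout as the only timer, as an added example that is not code from any poster in this thread: a servlet filter sends a Refresh header derived from the session's own time-to-live, so the browser re-requests a protected page just after expiry and the container sends it to the login page. The class name, the grace period and the choice of the context root as the refresh target are assumptions, as is a web.xml that protects that path with a security constraint and form-based login.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical filter: map it in web.xml to the protected portal URLs.
public class SessionExpiryRefreshFilter implements Filter {

    // Assumed margin so the refresh fires after the server has expired the session.
    private static final int GRACE_SECONDS = 5;

    public void init(FilterConfig config) throws ServletException { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Do not create a session here; only act for an authenticated user.
        HttpSession session = request.getSession(false);
        if (session != null && request.getRemoteUser() != null) {
            // Seconds of inactivity the container allows (session-timeout in web.xml).
            int ttl = session.getMaxInactiveInterval();
            if (ttl > 0) {
                // Fixed, server-chosen target: no request data goes into the header.
                String target = request.getContextPath() + "/";
                // Must be set before the response is committed by the chain.
                response.setHeader("Refresh", (ttl + GRACE_SECONDS) + ";url=" + target);
            }
        }
        chain.doFilter(req, res);
    }
}
```

Because the delay is read from the session on every response, changing the session timeout in web.xml changes the refresh delay with it. Background requests that touch the session after the page has loaded extend it, in which case the refresh simply reloads the page and sets a new delay.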