1 Reply Latest reply: Jan 29, 2013 6:12 AM by Frank Nimphius-Oracle

    Session Timeout not working for Secured URL's


      I am using JDev . We have implemented session timeout functionality in our application wherein, if the application is idle for say 10 mins, it navigates back to the Login page. We have written a timeout listener and have set the session timeout in web.xml. The functionality is working fine for plain text URLs but it is not working for secured URLs. When I try to access our application via a secured URL, once it has timed out, session variables are not getting cleared.

      Please find below the code of the timeout listener.

      import javax.faces.context.ExternalContext;
      import javax.faces.context.FacesContext;
      import javax.servlet.http.HttpServletRequest;
      import javax.servlet.http.HttpSession;
      import oracle.adf.controller.v2.lifecycle.Lifecycle;
      import oracle.adf.controller.v2.lifecycle.PagePhaseEvent;
      import org.apache.myfaces.trinidad.render.ExtendedRenderKitService;
      import org.apache.myfaces.trinidad.util.Service;

      public void afterPhase(PagePhaseEvent pagePhaseEvent) {
          // Emit the client-side timer only when the page is about to be rendered
          if (pagePhaseEvent.getPhaseId() == Lifecycle.PREPARE_RENDER_ID) {
              String myAppName = "PA-N0";
              FacesContext facesCtx = FacesContext.getCurrentInstance();
              ExternalContext extCtx = facesCtx.getExternalContext();
              HttpSession session = (HttpSession)extCtx.getSession(false);

              if (session != null) {
                  int secsTimeout = session.getMaxInactiveInterval();

                  if (secsTimeout > 0) {
                      HttpServletRequest req = (HttpServletRequest)extCtx.getRequest();
                      String appURL = "./Login";
                      // pad the timeout by a couple of seconds to ensure session times out
                      // on the server
                      secsTimeout += 2;

                      // JavaScript that restarts a browser timer on every render and
                      // navigates to the login URL when the timer fires
                      String jsCall = "document.acmeStartClientSessionTimers = function()\n" +
                          "{\n" +
                          " if(document.acmeSessionTimeoutTimer != null)\n" +
                          " window.clearTimeout(document.acmeSessionTimeoutTimer);\n" +
                          "\n" +
                          " document.acmeSessionTimeoutTimer = window.setTimeout(\"document.acmeClientSessionTimeout();\", " +
                          secsTimeout * 1000 + ");\n" +
                          "\n" +
                          "}\n" +
                          "document.acmeStartClientSessionTimers();\n" +
                          "\n" +
                          "document.acmeClientSessionTimeout = function()\n" +
                          "{\n" +
                          " window.location.href = '" + appURL + "';\n" +
                          "};\n";

                      try {
                          // Attach the script to the response being rendered
                          ExtendedRenderKitService rks =
                              Service.getRenderKitService(facesCtx, ExtendedRenderKitService.class);
                          rks.addScript(facesCtx, jsCall);
                      } catch (Exception e) {
                          e.printStackTrace();
                      }
                  }
              }
          }
      }

      public void beforePhase(PagePhaseEvent pagePhaseEvent) {
          System.out.println("Session Clearing in Before");
      }


      Any help in this regard would be helpful.

        • 1. Re: Session Timeout not working for Secured URL's
          Frank Nimphius-Oracle

          Not sure what you mean by "Secured URL's", but if you mean Java EE protects URLs, then there are two things to be aware of:

          1. JSF uses a post back, which means that the URL displayed in the browser URL is not the URL providing the content (so if the URL you see in the browser is not secured then you can access the content because of this).

          2. Secured URL should be checked upon the RESTORE_VIEW phase and not render response, because this already means the new URL is getting rendered. For rendering JS on a page, using RENDER_RESPONSE is correctly used.
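
The reply's second point can be enforced on the server rather than by the browser timer alone. The listener below is an added example, not code from either poster or from Oracle: it uses the standard JSF `PhaseListener` API (not the ADF `PagePhaseListener` from the question), and the class name and the `/Login` path (taken from the question's `./Login` target) are assumptions.

```java
import java.io.IOException;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.faces.event.PhaseEvent;
import javax.faces.event.PhaseId;
import javax.faces.event.PhaseListener;
import javax.servlet.http.HttpServletRequest;

// Hypothetical class; register it in faces-config.xml under <lifecycle><phase-listener>.
public class ExpiredSessionListener implements PhaseListener {

    // Assumption: the login page is reachable at /Login inside the application context.
    private static final String LOGIN_PATH = "/Login";

    @Override
    public PhaseId getPhaseId() {
        // Run before any view is restored, so no protected page is built first.
        return PhaseId.RESTORE_VIEW;
    }

    @Override
    public void beforePhase(PhaseEvent event) {
        FacesContext facesCtx = event.getFacesContext();
        ExternalContext extCtx = facesCtx.getExternalContext();
        HttpServletRequest req = (HttpServletRequest) extCtx.getRequest();

        // The browser presented a session id that the container no longer
        // accepts: the session has timed out or was invalidated.
        boolean expired = req.getRequestedSessionId() != null
                && !req.isRequestedSessionIdValid();

        // Do not redirect the login page to itself.
        if (!expired || req.getServletPath().startsWith(LOGIN_PATH)) {
            return;
        }

        try {
            // Send the user to the login page and stop the JSF lifecycle.
            extCtx.redirect(req.getContextPath() + LOGIN_PATH);
            facesCtx.responseComplete();
        } catch (IOException e) {
            throw new IllegalStateException("Redirect to login page failed", e);
        }
    }

    @Override
    public void afterPhase(PhaseEvent event) {
        // Nothing to do after RESTORE_VIEW.
    }
}
```

Because the check runs on every postback, it still applies when the client-side timer script never fires, for example when JavaScript is disabled or the timer is cleared in the browser.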