Immediate forward to SessionExpiredUrl

[Mauno Haukila]

Client wants a mechanism that redirects users to "session expired url" automatically after timeout-period. Current "notify when next xhr happens" isn't enough.

What they want is client-side timer that is reset with every variable change. After timer expires, session should be invalidated and user redirected to session expired url.

I'll do this, and add changes as patch.

[Mauno Haukila]

Added patches. Added CustomizedSystemMessages? to have new setSessionExpiredDelay(int seconds). If value is -1, CommunicationManager? adds interval and sessionExpiredUrl to json. Patches are not done against trunk but they are human-readable.

[Matti Tahvonen]

Some comments and ideas to improve the feature.

Could it be somehow possible to fetch session lifetime value from servlet configuration, instead of setting it in itmill toolkit application? This would keep our code smaller/cleaner and we'd avoid some questions on forum when users are fighting with multiple timeout values.

Also, if we had the correct jsession timeout, we could by default popup the "session expired" notification right when the session actually expires. Now it popups lazily when user triggers server visit in a (possibly long time a go) expired application. This would also make possible to show warning bit before session will expire.

PS. In the future, please do patches against trunk and from the root of project directory. Also one patch per feature/bugfix, not patch per changed file.

[Matti Tahvonen]

Right place to fetch max inactivity time?

http://java.sun.com/products/servlet/2.2/javadoc/javax/servlet/http/HttpSession.html#setMaxInactiveInterval(int)

[Mauno Haukila]

It could come from session, but how would the server side api be?

This isn't really session expiration, it just forwards it to sessionExpiredUrl, so there is no guarantee that session really expired (unless sessionExpiredURL itselft contains session invalidation). Should it check it after timeout?

[Joonas Lehtinen]

Mauno, why someone would like to define two sessiontimeouts: one that forwards to outside url and one that clean session state? IMO Matti is correct - session-timeout defined in web.xml or by HttpSession?.setMaxInactiveInterval(). We should not duplicate this functionality.

[Mauno Haukila]

I didnt argue on that :)

[Mauno Haukila]

As I said, no objections on taking the value from session, but how about the api?

[Matti Tahvonen]

SessionTimouMessage? == null -> redirect immediately would comfort to rest of the api.

Joonas, I believe Mauno ment eg. following case:

Application has two windows. Another is used for a long time. The other thinks its session is expiring -> may finally forward although the other window has kept session alive.

These are rather rare cases, but should be handled. So visiting server after session expiration to make sure if it has really expired might be a good idea. But then there might become race condition among two inactive windows -> keeps session alive forever.

This feature really needs some proper planning.

[Marc Englund]

I had a fairly lengthy discussion about this with Mauno yesterday, going trough the issues/solutions mentioned above.

Our current understanding of the situation is that it is hard, if not impossible, to make this perfect with multiple windows; as noted, we can not visit the server to find out whether the session expired, unless it's possible to visit the server w/o updating last access time. If that would be possible, we'd implement a generic polling mechanism instead of this separate session timeout functionality.

I did not check the patches, but I'd assume the API addition is minor.

And the use case, as I understand it, is to automatically go away from the application if the user accidentally leaves it open (potentially with sensitive information, e.g banking app). Currently the page is left open forever, until the user clicks something.

[Joonas Lehtinen]

Simple solution proposal:

• Use standard session timeout
• Send estimate on when the session will be expired with each UIDL and what URL to load when session has expired
• Client should redirect to the given url _AFTER_ the session has expired.

This should work as long as the servlet container really sticks to the session-timeouts it has reported.

[Matti Tahvonen]

...but not with multiple windows. Case explained below:

Assume 30 minute timeout.

00:00 Main window opens

00:05 Main window opens editor window (browser level)

00:25 Editor window visits server

00:35 FAIL. Main window thinks session is expired, although editor window has kept it alive.

[Mauno Haukila]

No need to send estimate on every uidl. When variable change happens, estimate is always same as reseted timer.

Note that failing situation doesnt need 2 toolkit windows. Just plain toolkit tab + servlet tab in crosscontext can make this fail.

[Joonas Lehtinen]

Matti, you are correct - my bad.

Is there a way to resolve this other than documenting "setting session expired url is only supported if you have only one browser-window" and maybe throwing exceptions when one tries to break this rule?

[Marc Englund]

Lunch discussion result:

Basically keep as-is, with the following modifications:

• remove "sessionExpiredDelay", always use getMaxInactiveInterval() + "a little" (e.g 15sec)
• send new inactiveInterval to client if it changes (check at each response)

The end result will be close enough, without additional API.

[Mauno Haukila]

Ok, I'll make changes to patches.

One question thou, should it check changes for sessionExpiredURL also?

[Mauno Haukila]

There might be one method that "fixes" issues with multiple windows. I'm not doing this, but if this is reopened in future...

1. After expiration make new xhr to server but with different jsessionid. xhr.setRequestHeader("COOKIE","JSESSIONID=");

2. At server invalidate session created for query but return interval minus lastAccessTime for the other session.

3. At client, reset timer to new value + "a little" or just forward if session was already expired.

[Joonas Lehtinen]

Mauno, this should work. Feel free to include this functionality in the patch :)

[Mauno Haukila]

Refreshed patch, now it's made against trunk. Made only very small changes. I made it so that both expiredMessage and expiredCaption should be null.

There was this #setSessionExpiredNotificationEnabled, I altered its javadoc a bit.

[Mauno Haukila]

Previous bugs, added new one.. previous diff lacked "if (metaOpen)"-check

[Joonas Lehtinen]

Reviewed, tested, merged (and a bit fixed) the patch. Thanks. Committed in [5528]

[Marko Gronroos]

Included in 5.2.10 release.