Version 2


    It is a common requirement that web applications should be available only to authenticated users. These security settings are configured in web.xml with the elements security-constraint, login-config and security-role, and make use of the built-in support for login modules. Another web.xml element, session-timeout, defines the validity of HTTP sessions. When the session times out and an HTTP request with an unknown session id arrives, the request should be redirected to a given (usually login) page. If you use form login, you get this functionality out of the box.


    Suppose a web application has the form authentication method configured, is built on JSF2 facelets and uses RichFaces 4.2 ajax controls. When the session times out and an ajax request arrives, an empty ajax response is returned. You get no indication that anything went wrong and the current view is left untouched. So how do you handle ajax requests when the session expires?


    I've tried plenty of solutions described on several forums. Below I'm going to describe what works for me.

    Web application descriptor

    First configure the web.xml descriptor to use the Faces servlet, a session timeout, a welcome facelet and form authentication:


    <web-app xmlns=""






            <servlet-name>Faces Servlet</servlet-name>














            <realm-name>My realm</realm-name>
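
    The settings this section describes, written out as an added example (it is not the original page's web.xml). The servlet name and realm name come from the text above; the *.xhtml mapping, the 30-minute timeout, the page names and the "user" role are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example. Assumed values: *.xhtml mapping, 30-minute timeout,
     index.xhtml, /login.xhtml, /loginError.xhtml and the role name "user". -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">
    <servlet>
        <servlet-name>Faces Servlet</servlet-name>
        <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>Faces Servlet</servlet-name>
        <url-pattern>*.xhtml</url-pattern>
    </servlet-mapping>
    <!-- Session validity, in minutes -->
    <session-config>
        <session-timeout>30</session-timeout>
    </session-config>
    <welcome-file-list>
        <welcome-file>index.xhtml</welcome-file>
    </welcome-file-list>
    <!-- No http-method elements are listed, so the constraint applies to every
         HTTP method; listing only some methods would leave the others open. -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Application</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>user</role-name>
        </auth-constraint>
    </security-constraint>
    <!-- Form login: the container sends unauthenticated requests to the login page -->
    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>My realm</realm-name>
        <form-login-config>
            <form-login-page>/login.xhtml</form-login-page>
            <form-error-page>/loginError.xhtml</form-error-page>
        </form-login-config>
    </login-config>
    <security-role>
        <role-name>user</role-name>
    </security-role>
</web-app>
```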






    Faces configuration

    The JSF2 implementation fires phase events before and after each life cycle phase. These events are handled by phase listeners; you may implement your own and register it in faces-config.xml.

    Also note the navigation rule to the home page.


    <faces-config xmlns=""

















    Phase listener

    If the user is not authenticated you want to be notified very early, ideally before a view is rendered.


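    import javax.faces.application.ConfigurableNavigationHandler;
    import javax.faces.context.FacesContext;
    import javax.faces.event.PhaseEvent;
    import javax.faces.event.PhaseId;
    import javax.faces.event.PhaseListener;
    import javax.servlet.http.HttpServletRequest;

    public class SessionExpirationPhaseListener implements PhaseListener {

        private static final long serialVersionUID = 1L;

        @Override
        public PhaseId getPhaseId() {
            return PhaseId.RESTORE_VIEW;
        }

        @Override
        public void beforePhase(PhaseEvent event) {
            // nothing to do before the phase
        }

        @Override
        public void afterPhase(PhaseEvent event) {
            FacesContext context = FacesContext.getCurrentInstance();
            HttpServletRequest httpRequest = (HttpServletRequest) context.getExternalContext().getRequest();

            // the client sent a session id that the container no longer accepts: the session has expired
            if (httpRequest.getRequestedSessionId() != null && !httpRequest.isRequestedSessionIdValid()) {
                String facesRequestHeader = httpRequest.getHeader("Faces-Request");
                boolean isAjaxRequest = facesRequestHeader != null && facesRequestHeader.equals("partial/ajax");

                // navigate to home page only for ajax requests
                if (isAjaxRequest) {
                    ConfigurableNavigationHandler handler = (ConfigurableNavigationHandler) context.getApplication().getNavigationHandler();
                    // "home" is an assumed outcome name; use the outcome of the home page navigation rule in faces-config.xml
                    handler.performNavigation("home");
                }
            }
        }
    }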

    Redirecting to the home page subsequently triggers the form authentication's redirect to the login page.

    Last but not least, the logic should be implemented in the after phase; read BalusC's comment for why.