1 2 Previous Next 16 Replies Latest reply on Nov 19, 2007 1:56 PM by Sheng Huang

    Difference between session timeout and not logged in yet

    Sheng Huang Newbie

      Good afternoon,

      Does anyone know the difference between session timeout and not logged in yet? It is easy to configure my application to redirect to the login page using attribute login-view-id of pages.xml for both scenarios.

      However, I want to display a message like "You session times out. Please login again" for the first session timeout scenario to differ from the second not logged in scenario.

      Is there a way that I can approach this in Seam? Thank you very much for your help.

      Regards,
      Sheng

        • 1. Re: Difference between session timeout and not logged in yet
          Waseem Quraishi Newbie

          to restrict a page, in pages.xml:

           <page view-id="/report.xhtml" login-required="true" />
          


          to redirect to login page, when attempting to access a restricted page:

           <exception class="org.jboss.seam.security.NotLoggedInException">
           <redirect view-id="/login.xhtml">
           <message>Please log in first</message>
           </redirect>
           </exception>
          


          • 2. Re: Difference between session timeout and not logged in yet
            Sheng Huang Newbie

            Hi wquraishi,

            Thanks a lot for your reply. However, I am using exactly the same configuration as yours.

            My question is how to differ session timeout from a newly created session. If I bookmark a page requiring login, it is desired that the application redirects me to the login page and the message "Please log in first" is fine. However, if I have been inactive for a while thus my session times out, it is preferred to display a message like "Your session times out. Please login again".

            Is this possible with Seam?

            Thanks,
            Sheng

            • 3. Re: Difference between session timeout and not logged in yet
              Saeed Iqbal Novice

              seems like a good intuitive idea, how do we get our apps to show session expired message?

              • 4. Re: Difference between session timeout and not logged in yet
                Jacob Orshalick Apprentice

                You have to make some assumptions here, but you can basically notify the user when the server session has ended with the following in a PhaseListener:

                @Observer("org.jboss.seam.beforePhase")
                public void beforePhase(PhaseEvent event)
                {
                 if(event.getPhaseId() == PhaseId.RESTORE_VIEW)
                 {
                 HttpServletRequest request =
                 (HttpServletRequest) FacesContext.getCurrentInstance()
                 .getExternalContext().getRequest();
                
                 if(request.getRequestedSessionId() != null
                 && request.getSession().isNew())
                 Events.instance().raiseEvent("org.myOrg.sessionExpired");
                ...


                Based on general cookie settings this will raise the event when the user still has the browser window open, the http session expired, and the user tries to access the app. If the user closes and reopens the browser to start the application, the event will not be raised.

                This of course makes the assumption that cookies expire when the browser session is ended (which is generally the case). Good luck.

                • 5. Re: Difference between session timeout and not logged in yet
                  Sheng Huang Newbie

                  Good afternoon Jacob,

                  Thanks a lot for the reply. I followed your suggestion but still have a problem. That is, I cannot add a message to be displayed on the logon page.

                  In my components.xml,




                  In my AuthenticatorAction, I have
                  public void sessionExpired() {
                  FacesMessages.instance().add("Your session is expired, please login again");
                  }

                  I got an warning and the message is not displayed. I also tried to inject facesMessages
                  @In(create=true)
                  FacesMessages facesMessages;
                  Then use
                  facesMessages.add("Your session is expired, please login again");
                  Then I got another warning saying facesMessages cannot be null. I checked the forum and one user says facesMessages is not available at the RESTORE_VIEW phase.

                  Could you give me more information regarding how to make this work or there is a possible workaround? Thank you very much for your help.

                  Have a nice day!

                  Best regards,
                  Sheng

                  • 6. Re: Difference between session timeout and not logged in yet
                    Sheng Huang Newbie

                    Sorry that don't know why some contents do not get displayed.
                    My components.xml is as follows:




                    Thanks,
                    Sheng

                    • 8. Re: Difference between session timeout and not logged in yet
                      Sheng Huang Newbie

                      Sorry in my components.xml, I have the following setup:
                      event type="sessionExpired"
                      action expression="#{authenticator.sessionExpired}"

                      Thanks,
                      Sheng

                      • 9. Re: Difference between session timeout and not logged in yet
                        Jacob Orshalick Apprentice

                         

                        "xshuang" wrote:
                        Then I got another warning saying facesMessages cannot be null. I checked the forum and one user says facesMessages is not available at the RESTORE_VIEW phase.


                        Yes, you can maintain a list of custom messages in an appropriately scoped component. Observe the event as you are and add the session expired message to your message component.

                        Then prior to rendering the login page, invoke your messages component to add the messages to FacesMessages (which you can do by specifying an action in pages.xml). FacesMessages will be available in the context at that time. This serves as a workaround which I have used on several occasions for messages that are initiated prior to the RESTORE_VIEW.

                        Also, if anyone else has a better way to initiate messages prior to RESTORE_VIEW I would certainly like to hear it :) Hope that helps.



                        • 10. Re: Difference between session timeout and not logged in yet
                          Pete Muir Master

                          Jacob, we could add a specific session expired event to Seam as well as a new session event. Please file a feature request with the code snippets you posted above.

                          • 12. Re: Difference between session timeout and not logged in yet
                            Sheng Huang Newbie

                            Good morning Jacob,

                            Thanks a lot for the suggestion again. It is nice to have a work-around before a clean solution is implemented by the Seam development team. And I have learned a lot about JSF phases and Seam messages/facesMessages with your code.

                            Now I have the message displayed correctly when a user's session is expired. However, it seems that the PhaseListener also raises the session expiry event when a user logout. My goal is to differ these two scenarios. Is there a way to raise two different events with the PhaseListener?

                            By the way, my implementation is as follows:



                            Code:



                            1. AuthenticatorAction
                            public void sessionExpired() {
                            user.setMessage("user.session.timeout");
                            }
                            Where user is a session scope variable. This serves as the appropriately scoped message component you mentioned.

                            2. pages.xml
                            <page view-id="/security/login.xhtml">



                            ....



                            3. AuthenticatorAction
                            public void displaySessionExpiredMessage() {
                            if (user != null){
                            if (user.getMessage() != null) {
                            FacesMessages.instance().addFromResourceBundle(user.getMessage());
                            }
                            user.setMessage(null);
                            }
                            }





                            Thank you very much for your help and have a nice day.

                            Best regards,
                            Sheng

                            • 13. Re: Difference between session timeout and not logged in yet
                              Jacob Orshalick Apprentice

                              Hmm... yes, I suppose that would be the case if you redirected directly to the login page after logout... I have not had to cover that case.

                              The best option I can think of is putting a page in between that simply displays something like "You have successfully logged out" and then perform a meta redirect to the login page after a few seconds. Very easy to setup with a navigation rule and actually pretty common on web-sites. That should avoid your issue.

                              On another note, there is now an event "org.jboss.seam.loggedOut" but any information you set in the session of course would be lost once the session is invalidated by the logout. I can't think of an way (without some really ugly hacks) that you could use this event to accomplish what you want to do. See the following for more information on this event:

                              http://jira.jboss.com/jira/browse/JBSEAM-2063

                              • 14. Re: Difference between session timeout and not logged in yet
                                Jacob Orshalick Apprentice

                                 

                                The best option I can think of is putting a page in between that simply displays something like "You have successfully logged out" and then perform a meta redirect to the login page after a few seconds.


                                On second look, this should be further specified, sorry. The redirect is going to have to include some information in the URL to indicate that a logout occurred. For example,

                                <meta http-equiv="Refresh"
                                 content="2; URL=/myApp/login.seam?logout=true">


                                This parameter allows you to differentiate between session timeout and logout when adding the message.

                                On further thought, you may also be able to use the logout event to redirect to the login page with the logout parameter provided. This would avoid the page in between. I would certainly like to hear the solution you go with just in case I have to do this myself :)

                                1 2 Previous Next