I have a need in porting an older app to Wildfly 11 to allow certain http access URLs to be invoked without keeping the session permanently alive. These accesses do need to know the currently authenticated user and have access to the authenticated session object which contains user info that is required to complete the http request. These requests are used to periodically update numerical indicators in the UI that inform the user about new messages, tasks and documents.
In our current implementation we have a filter that essentially re-implements the session timeout behaviour using an attribute on the session to maintain its own session last access time and then invalidating the session when it thinks it is timed out. It then excludes a particular URL from updating that attribute. This works but it adds another filter to the chain of filters to do something that the platform is already (almost) doing for me. It doesn't seem to be the correct approach and I'd like to lose it if possible.
Is there a "correct" way to implement this sort of behaviour using undertow in wildfly 11? Should I be looking at a different approach, perhaps websockets now that we no longer support IE8 and IE9 is on the way out as well. Does data transferred over a websocket affect the session timeout?
Any suggestions would be welcome.
Currently, there is no mechanism to customize the default lastAccessTime handling upon which session expiration relies. Using a filter to invalidate sessions based on some other criteria is a perfectly reasonable solution.