7 Replies Latest reply on Mar 24, 2004 12:20 PM by martin0

    Session Timeout Routing

    Perry Hoekstra Newbie

      Platform: 3.0.6/Jetty

      Context: During the course of application processing, a session timeout occurs. The application detects this and routes the user to a page indicating that their session has timed out.

      Problem: Even though the timeout page IS OUTSIDE the protected directories, the form-based authentication mechanism is forcing the users to authenticate to see the session timeout page.

      Any thoughts on why form-based auth is intercepting the redirection to a spot outside the protected area and forcing users to authenticate to see the unprotected page?

        • 1. Re: Session Timeout Routing
          Jon Barnett Master

          This is a guess as you haven't given information on what was happening before the timeout.

          I imagine you are in a protected area moving from page to page and your session times out. You try to go to the next page which is protected. You need to log in first, try to go to that page and then get redirected to the timeout page? Just a hypothesis.

          • 2. Re: Session Timeout Routing
            Perry Hoekstra Newbie

            Correct. I can't seem find a way around the issue.

            The other issue with session timeout routing is on a POST. A person enters some data, is called away, and then comes back and pushes the button. The user is reauthenticated and then an attempt is made to validate the data entered. However, the data is not saved on a POST and all the validation fails. I can't find a way to intercept the system directing the user pack to the form. Since their data is gone, I would like to direct them to a neutral page and make them start over again.

            • 3. Re: Session Timeout Routing
              Jon Barnett Master

              When you need to do complex things with authentications and sessions, you sometimes have to resort to doing things your own way. By this, I mean that you have to abandon form-based authentication, or other automatic authentication and employ your own framework.

              We have done this with our applications to achieve custom logons, and redirections to various pages indicating to the user what has happened. It means that for every page, you need to check for valid sessions and redirect accordingly. But you have fine-grained control over incorrect password entries, session-timeouts and you also have control over session recovery. So you have to weigh up the coding cost over the control.

              • 4. Re: Session Timeout Routing
                martin0 Novice

                I'm getting similar strange behaviour which I believe is associated with session timeout.

                Is there any progress in this area? I can't believe this isn't handled properly.

                I need to do some more research, but if anyone as some light to put on this....

                I'm using JBoss 3.2.3 and with Tomcat4.1 bundle (Coyote connector).


                • 5. Re: Session Timeout Routing
                  martin0 Novice

                  Further investigation revealed a bug in my code :-)

                  • 6. Re: Session Timeout Routing
                    martin0 Novice

                    Inspite of my bug fix, I am left with the scenario outlined by dutchman_mn in his second post in this thread.



                    • 7. Re: Session Timeout Routing
                      martin0 Novice

                      Hmm... HttpSessionListener looks interesting...