Logout your users automatically after their session times out
One of the common issues I see in webapps is a user leaves their computer, their session times out, and when they come back to do something, the app throws errors because their session is null. There are several easy ways to fix this. If you use Container Managed Authentication, the user will likely be prompted to log in and can continue as before. If you're using a slick Remember Me feature (like AppFuse has), the user won't even notice. However, you might not have these options available to you. For those circumstances, I recommend you put a meta-refresh in your app to automatically show the user a timeout message when their session expires. It's as simple as the following:
<meta http-equiv="Refresh" content="${pageContext.session.maxInactiveInterval}; url=timeout.jsp"/>
I used JSP 2.0's EL in this example for simplification. If you're using a JSP 1.2 container - you'll have to wrap that expression with a <c:out> tag.
Posted by Gabriel Mihalache on April 24, 2004 at 04:00 PM MDT #
Posted by mansoor on April 24, 2004 at 07:39 PM MDT #
Posted by John on April 24, 2004 at 10:41 PM MDT #
Double submissions are always a problem. I prefer to redirect after every POST, and use a syncro token if absolutely necessary.
I don't like the idea of automatic refreshing. What if I've half typed in a form? It's not unusual to leave a web page open for a couple days, over a weekend say, before coming back to it.
Posted by Tom Hawtin on April 25, 2004 at 12:15 AM MDT #
Posted by Matt Raible on April 25, 2004 at 12:20 AM MDT #
For example, my bank times me out quite quickly, as it should. Often, though, I want my statement or balance to hang around on the screen longer than that. It would be annoying if the bank decided for me how long I could stay on a page.
Posted by Charles Miller on April 25, 2004 at 04:51 PM MDT #
One thing that works really well is the HttpSessionListener. Use this to carry out the necessary 'user is logged out' behaviour on the server. Then use a Filter to check when the user requests something.
Of course, if your users are timing out, perhaps your timeout is too short (banks and other financial institutions excluded).
Posted by Michael Koziarski on April 25, 2004 at 08:52 PM MDT #
Posted by James A. Hillyerd on April 26, 2004 at 09:48 PM MDT #
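The HttpSessionListener plus Filter approach suggested in the comments above, sketched as an added example (not code from the post or from any commenter). The class name SessionTimeoutGuard is hypothetical; it assumes the javax.servlet API and the timeout.jsp page from the post, and it enforces the timeout on the server rather than relying on the browser honoring the meta-refresh.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

// Hypothetical class: register it in web.xml as both a <listener> and a <filter>.
public class SessionTimeoutGuard implements Filter, HttpSessionListener {

    // Timeout page from the post's meta-refresh example.
    private static final String TIMEOUT_PAGE = "/timeout.jsp";

    public void init(FilterConfig config) { }
    public void destroy() { }
    public void sessionCreated(HttpSessionEvent event) { }

    // Called by the container on timeout or invalidate(): server-side logout work goes here.
    public void sessionDestroyed(HttpSessionEvent event) {
        event.getSession().getServletContext()
             .log("Session ended: releasing per-user state");
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // The browser presented a session id the container no longer recognizes: expired.
        boolean expired = request.getRequestedSessionId() != null
                && !request.isRequestedSessionIdValid();

        if (expired) {
            // Start a fresh session so the stale id is replaced and the next request passes.
            request.getSession(true);
            response.sendRedirect(
                    response.encodeRedirectURL(request.getContextPath() + TIMEOUT_PAGE));
            return;
        }
        chain.doFilter(req, res);
    }
}
```

Because the filter redirects any request carrying a stale id, a form submitted after the timeout lands on the timeout page instead of failing on a null session attribute.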