Matt Raible is a Web Developer and Java Champion.


Logout your users automatically after their session times out

One of the common issues I see in webapps is that a user leaves their computer, their session times out, and when they come back to do something the app throws errors because their session is null. There are several easy ways to fix this. If you use Container Managed Authentication, the user will likely be prompted to log in again and can continue as before. If you're using a slick Remember Me feature (like AppFuse has), the user won't even notice. However, you might not have these options available to you. For those circumstances, I recommend you put a meta refresh in your pages so the user is automatically shown a timeout message when their session expires. The timeout itself is still enforced by the server; the refresh only keeps the browser in step with it, so the page that handles the redirect should also invalidate the session rather than just display a message. It's as simple as the following:

<meta http-equiv="Refresh" 
  content="${pageContext.session.maxInactiveInterval}; url=timeout.jsp"/>

I used JSP 2.0's EL in this example for simplification. If you're using a JSP 1.2 container, you'll have to wrap that expression in a JSTL <c:out> tag.

Posted in Java at Apr 24 2004, 07:33:10 AM MDT 8 Comments
Comments:

The loading of the page and the refresh are not instantaneous, so I'd rather have the user refresh *at least* 10 seconds before the session times out. Container Managed Authentication can be simulated programmatically, with a filter. Save the URL of the page which gave the security error and then redirect the user there after a successful login. Either way, you'll lose the data in the session. I also wouldn't recommend this for pages reachable through a form submit, unless you're ok with the form being submitted with each submit.

Posted by Gabriel Mihalache on April 24, 2004 at 04:00 PM MDT #

It will cause a problem if the user has not checked for double submission, and the auto refresh resubmits the old form :). It might need some more

Posted by mansoor on April 24, 2004 at 07:39 PM MDT #

It only submits the old form, if the page didn't come from a redirect, like it should have :)

Posted by John on April 24, 2004 at 10:41 PM MDT #

Double submissions are always a problem. I prefer to redirect after every POST, and use a synchronizer token if absolutely necessary.

I don't like the idea of automatic refreshing. What if I've half typed in a form? It's not unusual to leave a web page open for a couple days, over a weekend say, before coming back to it.

Posted by Tom Hawtin on April 25, 2004 at 12:15 AM MDT #

To be honest, the only reason I wrote this post was because I saw it on my bank's site today, and I thought it worked quite well. They logged me out, rather than giving me an error when I tried to click on a link. As I integrated it into AppFuse, it hit me that having "remember me" functionality would solve any timeout issues because the re-login is transparent to the user. Therefore, I didn't add it. Duplicate posts can be easily solved, depending on your framework.

Posted by Matt Raible on April 25, 2004 at 12:20 AM MDT #

I'd recommend not doing this. It steals control of the browser away from the user, which is something that should be avoided unless absolutely necessary. It's much better just to have decent recovery from lost sessions so that when the user tries to do the _next_ thing, they're prompted to log in.

For example, my bank times me out quite quickly, as it should. Often, though, I want my statement or balance to hang around on the screen longer than that. It would be annoying if the bank decided for me how long I could stay on a page.

Posted by Charles Miller on April 25, 2004 at 04:51 PM MDT #

I work for a bank which does this, definitely not your bank Matt! It's the source of many complaints; often people leave the browser window lying around with the intention of using it later, as Charles suggests.

One thing that works really well is the HttpSessionListener. Use this to carry out the necessary 'user is logged out' behaviour on the server. Then use a Filter to check when the user requests something.

Of course, if your users are timing out, perhaps your timeout is too short (banks and other financial institutions excluded).

Posted by Michael Koziarski on April 25, 2004 at 08:52 PM MDT #

I think my bank (or maybe it was paytrust?) pops up a javascript alert window when the session is about to timeout. I think the ok/cancel buttons can either renew the session, or log you out.

Posted by James A. Hillyerd on April 26, 2004 at 09:48 PM MDT #
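A client-side version of the idea in the post, folding in the points raised in the comments: Gabriel's margin of at least 10 seconds before the server timeout, James's prompt that can renew the session or log out, and a plain GET navigation so the form that produced the current page is never re-submitted the way a bare meta refresh can re-submit it. This is an added example written for this page, not code from the original post or from AppFuse. The 60-second warning, the 10-second margin and the `keepalive.jsp` endpoint are assumptions; `timeout.jsp` is assumed to call `session.invalidate()` on the server, since without that the user only looks logged out.

```javascript
// Added example for this page (not from the original post or AppFuse): a
// client-side session watchdog that mirrors the server's inactivity timeout,
// warns the user before it, and then navigates to the timeout page with a plain
// GET, so the request that produced the page is never replayed the way a bare
// meta refresh can replay a form POST.

// Assumed defaults: warn 60 s before logging out, and log out 10 s before the
// server would drop the session (the margin Gabriel asks for above).
const WATCHDOG_DEFAULTS = { warnBeforeSeconds: 60, marginSeconds: 10 };

// Turn maxInactiveInterval (seconds, as rendered into the page by
// ${pageContext.session.maxInactiveInterval}) into delays in ms from page load.
function planSessionTimers(maxInactiveSeconds, opts = {}) {
  const { warnBeforeSeconds, marginSeconds } = { ...WATCHDOG_DEFAULTS, ...opts };
  if (!Number.isInteger(maxInactiveSeconds) || maxInactiveSeconds <= 0) {
    throw new RangeError('maxInactiveInterval must be a positive number of seconds');
  }
  const logoutAtMs = Math.max(0, (maxInactiveSeconds - marginSeconds) * 1000);
  const warnAtMs = Math.max(0, logoutAtMs - warnBeforeSeconds * 1000); // clamp for short sessions
  return { warnAtMs, logoutAtMs };
}

// Timers, confirm dialog, keep-alive request and navigation are injected so the
// watchdog runs headless; browserIo() below wires it to the real window APIs.
function createSessionWatchdog(config, io) {
  const { maxInactiveSeconds, timeoutUrl, keepAliveUrl } = config;
  let state = 'active'; // 'active' | 'warned' | 'loggedOut'
  let handles = [];

  function clear() { handles.forEach((h) => io.clearTimeout(h)); handles = []; }

  // (Re)start both timers from now; called on load and after each renewal.
  function arm() {
    clear();
    const { warnAtMs, logoutAtMs } = planSessionTimers(maxInactiveSeconds, config);
    state = 'active';
    handles.push(io.setTimeout(onWarn, warnAtMs), io.setTimeout(onExpire, logoutAtMs));
  }

  // OK keeps the session alive (a GET resets the server's inactivity timer);
  // Cancel logs out right away, the behaviour James describes above.
  function onWarn() {
    state = 'warned';
    if (io.confirm('Your session is about to expire. Stay logged in?')) renew();
    else onExpire();
  }

  function renew() { io.fetch(keepAliveUrl); arm(); }

  // Plain navigation: a form on the current page is never re-submitted.
  function onExpire() { clear(); state = 'loggedOut'; io.navigate(timeoutUrl); }

  arm();
  return { state: () => state, renew, cancel: clear };
}

// Browser wiring; credentials: 'same-origin' sends the session cookie so the
// server counts the keep-alive as activity on the existing session.
function browserIo() {
  return {
    setTimeout: (fn, ms) => window.setTimeout(fn, ms),
    clearTimeout: (id) => window.clearTimeout(id),
    confirm: (msg) => window.confirm(msg),
    fetch: (url) => fetch(url, { credentials: 'same-origin' }),
    navigate: (url) => window.location.assign(url),
  };
}

// Deterministic scheduler for exercising the watchdog outside a browser:
// advance(ms) moves virtual time forward and fires due callbacks in order.
function createFakeScheduler() {
  let now = 0, nextId = 1;
  const pending = new Map();
  return {
    setTimeout(fn, delayMs) { const id = nextId++; pending.set(id, { at: now + delayMs, fn }); return id; },
    clearTimeout(id) { pending.delete(id); },
    advance(ms) {
      const target = now + ms;
      for (;;) {
        let next = null;
        for (const [id, t] of pending) if (t.at <= target && (!next || t.at < next.t.at)) next = { id, t };
        if (!next) break;
        pending.delete(next.id);
        now = next.t.at;
        next.t.fn();
      }
      now = target;
    },
  };
}
```

In a page you would render the timeout from the server and start the watchdog with `createSessionWatchdog({ maxInactiveSeconds: ${pageContext.session.maxInactiveInterval}, timeoutUrl: 'timeout.jsp', keepAliveUrl: 'keepalive.jsp' }, browserIo())`. As with the meta refresh, the browser's clock starts at page render while the server's restarts on every request, so the margin also absorbs that skew; the server remains the only thing that actually ends the session.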
