Java MVC on Tomcat - Adjust Session-Timeout reaction?


Mercious


Hey there,

 

I have a Java MVC web application that uses the Spring library for the backend and JSP files for the frontend.

 

Now, in various JSP files I am using Ajax to have some smooth design where needed.

 

This whole application is running on an Apache Tomcat Server.

I have to admit that I am still very new to the whole web development thing, so bear with me.

Following problem: in the current state, I feel like the Tomcat server is automatically handling the sessions, including session timeouts.

So, I can specify the time after which a session is supposed to count as timed out and so on; the server recognizes this correctly, and whenever I try to request something with a timed-out session the server automatically logs me out and brings me back to the login page.

I haven't found any implementation of such behavior in the source code, hence I assume that this is somehow implemented by some standard Tomcat routine.

The problem with this behavior is that the server sends a 302 redirect specifying the login page as Location in the response header.

While this works fine for normal requests it is bad for Ajax requests, as these cannot handle 302 codes. The browser catches that one and the Ajax call has no chance to ever process the reply. I am experiencing weird cookie problems and I suspect that this might be the cause of the problem.

 

Now, it shouldn't be hard to check whether or not a request is done by an Ajax call. However, I have no clue WHERE I should do so.

Edit: I know that there is a way of specifying filters and there is a way of setting up a listener that gets informed about session creations and destructions. However, none of these suit what I want. I need to cut in at a level that allows me to process a request, see if it is an Ajax call, then see if the session used along with it is timed out, and then I need to be able to decide how I respond to it.

Using a filter I am BEHIND that step. I get control when the stuff regarding session timeout has already happened.

Using a session-lifetime listener I do not have any information about the request. I cannot respond to anyone because I have no information about any requests.

 

How could I go about implementing my custom session-timeout behavior without interfering with the server's implementation? Am I even right in assuming that the server automatically handles these cases? It feels kind of odd that the server knows that it has to log someone out and also knows what to redirect to.

Thanks in advance :) If there are any questions regarding mine ... ask away :)


While this works fine for normal requests it is bad for Ajax requests, as these cannot handle 302 codes.

Sure it can. You can get the response code from the server in the Ajax handler to check if it's 302, and you can get the Location header using the getResponseHeader method in the XHR object: https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest

I've never actually tried to do that with Ajax, though. I haven't tested to figure out whether the browser will actually redirect and then send the redirected response back to the Ajax callback, or if the Ajax callback will actually receive the 302 response directly.

Sure it can. You can get the response code from the server in the Ajax handler to check if it's 302, and you can get the Location header using the getResponseHeader method in the XHR object: https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest

I've never actually tried to do that with Ajax, though. I haven't tested to figure out whether the browser will actually redirect and then send the redirected response back to the Ajax callback, or if the Ajax callback will actually receive the 302 response directly.

 

Thanks for the effort, however it wasn't just a random guess from my side. Ajax calls do not ever receive a notification in case the server returns a 302. The browser jumps in before the Ajax script receives any information. The browser then fires a new Ajax request for the resource mentioned in the Location header. And THEN the Ajax script gets the response of whatever is returned by the server upon that second request.


Now, it shouldn't be hard to check whether or not a request is done by an Ajax call. However, I have no clue WHERE I should do so.

One way to do that would be to use a header. When you send the ajax request you can add a custom header to indicate that it's ajax, then you can check for that header on the server.

One way to do that would be to use a header. When you send the ajax request you can add a custom header to indicate that it's ajax, then you can check for that header on the server.

I get the idea; however, this is both not necessary and the wrong level for the problem I am dealing with.

Ajax requests are already marked with "X-Requested-With" and the appropriate value in their request header.

However, the problem I have is in terms of session handling: Tomcat handles this. I do not have access to what happens if a request uses a timed-out session. I do not act on this, the Tomcat server does. And even if I define filters, for example, I STILL am only granted access AFTER Tomcat has already dealt with the session timeout.

I hope this makes it clear what the problem is?


If you send a request and they are not logged in, and you can detect that the request was sent with ajax, then instead of redirecting you can output a response for the ajax request saying what the situation is. You have some JSP code or something that would handle the session checking and redirecting, right?


That's the point, I really don't.

I feel like Tomcat has a standard implementation that also supports things such as migrating sessions among server cluster nodes. At no point in my source code am I checking for session timeouts, yet session timeouts do happen and I can also adjust the time in the web.xml file.

 

I have not implemented this functionality, so there are 2 options: it's either a standard implementation by the Tomcat server OR the Hybris platform, which my software is based on.


It's not the session timeout that's important, it's that the user has no session at all or is not logged in. Your code can't necessarily tell the difference between a timeout and someone who never logged in trying to access a page. So, on those pages, if they aren't logged in and the request was sent with ajax you can change the response format.

You might also want to consider implementing some sort of heartbeat so that the session does not time out as long as the site is open. If your sessions time out after 20 minutes of inactivity, then you can have some JavaScript on the page that uses setInterval to run every 15 minutes and send an ajax request to the server just to keep the session alive for as long as they have the page open.

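One way to put the reply above into practice in the asker's setup, as an added example that is not code from this thread, from Tomcat, from Spring or from the Hybris platform: a servlet Filter mapped in front of whatever component currently issues the 302 (the thread never says which component that is; the example assumes it runs later in the filter chain, so the filter gets the request first). The filter asks for the session with getSession(false), which never creates one and returns null both for an expired session and for a client that never logged in, which is exactly the distinction the reply says you cannot make anyway. An Ajax caller, recognised by the X-Requested-With header the asker already has on every request, gets a 401 with a small JSON body instead of the redirect; a normal navigation request keeps the redirect. The login path and the session attribute name are placeholders to adapt to the application.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example (not the application's, Tomcat's or Hybris' code): runs before the
// component that normally redirects to the login page and answers XHR callers with
// 401 + JSON instead of a 302 that the browser would follow without telling the script.
public class AjaxSessionExpiryFilter implements Filter {

    // Placeholder: the login page (and anything under it) must stay reachable without a session.
    private static final String LOGIN_PATH = "/login";
    // Placeholder: the session attribute the application sets when a user logs in.
    private static final String USER_ATTR = "user";

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Logged-in users and the login resources pass through untouched.
        if (isLoginResource(request) || isAuthenticated(request)) {
            chain.doFilter(req, res);
            return;
        }

        if (isAjax(request)) {
            // Explicit status the script can inspect; no Location header, so the browser
            // does not follow anything and the callback sees this response itself.
            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            response.setContentType("application/json");
            response.setCharacterEncoding("UTF-8");
            response.setHeader("Cache-Control", "no-store");
            response.getWriter().write("{\"error\":\"session_expired\",\"login\":\""
                    + request.getContextPath() + LOGIN_PATH + "\"}");
            return;
        }

        // Ordinary page requests keep the behaviour the asker already sees.
        response.sendRedirect(request.getContextPath() + LOGIN_PATH);
    }

    // getSession(false) does not create a session: an expired session and a client that
    // never logged in both yield null, so both are treated as "not logged in".
    static boolean isAuthenticated(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        return session != null && session.getAttribute(USER_ATTR) != null;
    }

    // The header jQuery and most Ajax helpers add; a plain navigation request lacks it.
    static boolean isAjax(HttpServletRequest request) {
        return "XMLHttpRequest".equals(request.getHeader("X-Requested-With"));
    }

    private static boolean isLoginResource(HttpServletRequest request) {
        String path = request.getRequestURI().substring(request.getContextPath().length());
        return path.startsWith(LOGIN_PATH);
    }
}
```

Register it in web.xml as the first filter-mapping for the URL patterns in question: filters declared in web.xml run in declaration order, so this is how it gets the request before the component that currently sends the 302 (the same filter could wrap Spring's own filter chain if that is where the redirect comes from). On the client, the Ajax error handler checks for status 401 and sends the user to the login URL from the JSON body itself, which also removes the browser-followed redirect that the thread suspects of the cookie confusion.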

That's an interesting point.

I always thought that a session timeout is something different from no session at all. So, I guess Tomcat is handling the sessions in the background and invalidates them as soon as they expire. Meaning a user's request with a timed-out session is essentially the same as a request by a user that is not logged in? Then I in fact know where this happens in my code and I might be able to adjust it. I just hope this fixes my original problem. The problem is that when I trigger a session timeout with a specific Ajax script, this Ajax script stops working after I log back in. ONLY this particular script ALWAYS receives a redirect as the answer, because the server wrongly assumes that the user is logged out.

I observed this in depth in another thread on SO, but I doubt that I am allowed to link to it here. Basically, the Ajax call brings up cookies from an old session, quite randomly. And I think this might cause it.

I was led to believe that this happens because the Ajax script was never notified that it's supposed to clear cookies or whatever, as the redirect response happening on session timeout is not handled by the script but by the browser.


Meaning a user's request with a timed-out session is essentially the same as a request by a user that is not logged in?

I haven't looked at Tomcat specifically, but I imagine that's true. I don't think they would want to make a distinction between someone who shows up with an expired session, where they delete the session at that point before potentially starting a new one, versus someone whose session already got automatically deleted by the garbage collector after it expired. Or maybe even someone who has never logged in at all. That's how PHP handles it, anyway. You can't tell the difference from within PHP whether they had an expired session and started a new one, or no session at all. The page just knows that their session doesn't have any data in it.

Basically, the Ajax call brings up cookies from an old session, quite randomly. And I think this might cause it.

Unless one of the parameters that ajax sends is something like a session ID (rather than propagating the session ID in a cookie), I don't think that would happen. The browser should send the same set of cookies with every request to a particular domain and path (depending on the cookie settings). If I open a tab and log in, then I open a separate tab and log out, then go back to the first tab, when I click another link it will know that I'm logged out. If logging out deleted the session cookie, then going back to the first page where I was logged in and clicking another link will not cause the browser to send the cookie, because it was deleted in the other tab. Browsers don't keep track of cookies like that, they just have a global cookie store for a particular domain, and when it sends a request to that domain (from any tab or window) then it gathers all of the cookies and sends them. If a cookie gets deleted or changed it happens for all future requests to the domain.

I could potentially link you to an SO question where I have a very in-depth analysis of this behavior going on. It indeed does happen and there is no logical reason as to why it happens. Nothing in my code ever makes the Ajax script set that second cookie and yet it magically appears after the session timeout.

I swear to you, it's weird as ###### and no one has figured out what causes it yet.
