Re: Session expiration - browser -Web application
@Terence :
Thank you for your answer.
Actually, I extracted the Java code from the JSP and put it in a TLD so that the code is cleaner and more manageable.

Best regards,
--
Léa
Re: Session expiration - browser -Web application
On 1:59 PM, Léa Massiot wrote:
> @Christopher :
> Thank you for your answer.
>
> Christopher wrote:
> > The new session created is completely empty. It has nothing to do with the
> > user going back in the history, etc.
>
> No, you are right.
> What I meant is that I was/am managing session expiration inside the Webapp
> (for instance if the user clicks a button which is inside the Webapp and if
> the session has expired, I redirect him to the log in page).
>
> Christopher wrote:
> > I always try to have enough information in the page (form) so that
> > resuming a workflow after a session timeout is a possibility.
>
> I'm sorry but I do not understand what you are explaining to me here...
>
> A SOLUTION... I THINK.
> I have found a solution, here it is:
> for all the JSPs which require a user to be identified (*), I add the
> following code:
>
> <%
>     ASessionAttribute aSessionAttribute = null;
>     HttpSession httpSession = null;
>
>     httpSession = request.getSession();
>     aSessionAttribute = (ASessionAttribute) httpSession.getAttribute("aSessionAttribute");
>
>     if(aSessionAttribute == null)
>     {
>         response.sendRedirect("the-log-in-page.jsp");
>     }
> %>
>
> Then if a user presses the F5 key and if the session has expired, he is
> properly redirected to the log in page.
>
> Best regards,
> --
> Léa
>
> (*) That is to say, in my example, the "aSessionAttribute" object mustn't be
> null.

Hi, Léa-

Using a filter to do this might simplify the code a little.

-Terence Bandoian
Re: Session expiration - browser -Web application
Héhé. No comment.
Have a good week-end and cheers,
--
Léa
Re: Session expiration - browser -Web application
On 4 Nov 2011, at 19:24, Tim Watts wrote:
> Léa,
>
> Life needn't be this difficult. :-) You're reinventing wheels here
> instead of understanding how the wheels you already have work. Again,
> read the spec. Pretty please. So many questions will be answered.

+1

JSP != PHP

The Servlet Container (Tomcat) provides a great deal of functionality for you.

http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html

p

>
>
> On Fri, 2011-11-04 at 11:55 -0700, Léa Massiot wrote:
>> @Christopher :
>> Thank you for your answer.
>>
>> Christopher wrote:
>>>
>>> The new session created is completely empty. It has nothing to do with the
>>> user going back in the history, etc.
>>>
>> No, you are right.
>> What I meant is that I was/am managing session expiration inside the Webapp
>> (for instance if the user clicks a button which is inside the Webapp and if
>> the session has expired, I redirect him to the log in page).
>>
>> Christopher wrote:
>>>
>>> I always try to have enough information in the page (form) so that
>>> resuming a workflow after a session timeout is a possibility.
>>>
>> I'm sorry but I do not understand what you are explaining to me here...
>>
>>
>> A SOLUTION... I THINK.
>> I have found a solution, here it is:
>> for all the JSPs which require a user to be identified (*), I add the
>> following code:
>>
> Better solution is to check whether the user principal is set. The spec
> will explain this.
>
>> <%
>>     ASessionAttribute aSessionAttribute = null;
>>     HttpSession httpSession = null;
>>
>>     httpSession = request.getSession();
>>     aSessionAttribute = (ASessionAttribute)
>>         httpSession.getAttribute("aSessionAttribute");
>>
>>     if(aSessionAttribute == null)
>>     {
>>         response.sendRedirect("the-log-in-page.jsp");
>>     }
>> %>
>>
>> Then if a user presses the F5 key and if the session has expired, he is
>> properly redirected to the log in page.
>>
>> Best regards,
>> --
>> Léa
>>
>> (*) That is to say, in my example, the "aSessionAttribute" object mustn't be
>> null.
Re: Session expiration - browser -Web application
Léa,

Life needn't be this difficult. :-) You're reinventing wheels here instead of understanding how the wheels you already have work. Again, read the spec. Pretty please. So many questions will be answered.

On Fri, 2011-11-04 at 11:55 -0700, Léa Massiot wrote:
> @Christopher :
> Thank you for your answer.
>
> Christopher wrote:
> >
> > The new session created is completely empty. It has nothing to do with the
> > user going back in the history, etc.
> >
> No, you are right.
> What I meant is that I was/am managing session expiration inside the Webapp
> (for instance if the user clicks a button which is inside the Webapp and if
> the session has expired, I redirect him to the log in page).
>
> Christopher wrote:
> >
> > I always try to have enough information in the page (form) so that
> > resuming a workflow after a session timeout is a possibility.
> >
> I'm sorry but I do not understand what you are explaining to me here...
>
>
> A SOLUTION... I THINK.
> I have found a solution, here it is:
> for all the JSPs which require a user to be identified (*), I add the
> following code:
>

Better solution is to check whether the user principal is set. The spec will explain this.

> <%
>     ASessionAttribute aSessionAttribute = null;
>     HttpSession httpSession = null;
>
>     httpSession = request.getSession();
>     aSessionAttribute = (ASessionAttribute)
>         httpSession.getAttribute("aSessionAttribute");
>
>     if(aSessionAttribute == null)
>     {
>         response.sendRedirect("the-log-in-page.jsp");
>     }
> %>
>
> Then if a user presses the F5 key and if the session has expired, he is
> properly redirected to the log in page.
>
> Best regards,
> --
> Léa
>
> (*) That is to say, in my example, the "aSessionAttribute" object mustn't be
> null.
Re: Session expiration - browser -Web application
On Fri, 2011-11-04 at 13:07 -0400, Christopher Schultz wrote:
> On 11/4/11 12:04 PM, Léa Massiot wrote:

I would basically echo what Chris said.

> >> [Tim wrote:] I'm assuming (perhaps incorrectly) you've already
> >> got some declaration in there for form authentication?
> > What are you thinking about? Can you be more precise?
>

"Form authentication" is part of the servlet spec. The spec is quite precise and fairly accessible reading. As Chris said, read the sections on authentication and authorization. Trust me, you'll be glad you read it. The servlet 2.5 spec is here:
http://download.oracle.com/otn-pub/jcp/servlet-2.5-mrel2-eval-oth-JSpec/servlet-2_5-mrel2-spec.pdf

> If users are logging-into your webapp, presumably they are providing a
> username and password (or other credentials): where do you have that
> configured?
>
> -chris
Re: Session expiration - browser -Web application
@Christopher :
Thank you for your answer.

Christopher wrote:
>
> The new session created is completely empty. It has nothing to do with the
> user going back in the history, etc.
>
No, you are right.
What I meant is that I was/am managing session expiration inside the Webapp (for instance if the user clicks a button which is inside the Webapp and if the session has expired, I redirect him to the log in page).

Christopher wrote:
>
> I always try to have enough information in the page (form) so that
> resuming a workflow after a session timeout is a possibility.
>
I'm sorry but I do not understand what you are explaining to me here...

A SOLUTION... I THINK.
I have found a solution, here it is:
for all the JSPs which require a user to be identified (*), I add the following code:

<%
    ASessionAttribute aSessionAttribute = null;
    HttpSession httpSession = null;

    // getSession() creates a new, empty session if the old one has expired.
    httpSession = request.getSession();
    aSessionAttribute = (ASessionAttribute) httpSession.getAttribute("aSessionAttribute");

    // A missing attribute means the user is not (or no longer) identified.
    if(aSessionAttribute == null)
    {
        response.sendRedirect("the-log-in-page.jsp");
        return; // stop here so the rest of the protected page is not rendered
    }
%>

Then if a user presses the F5 key and if the session has expired, he is properly redirected to the log in page.

Best regards,
--
Léa

(*) That is to say, in my example, the "aSessionAttribute" object mustn't be null.
Re: Session expiration - browser -Web application
Léa,

On 11/4/11 12:04 PM, Léa Massiot wrote:
> @Tim : Thank you for your answer.
>
>> [Tim wrote:] "Uncertain" is a bit vague.
> Yes. Ok. This is my understanding which is "uncertain" then. What
> happens is what you wrote: "a new session for the user with _none_
> of the objects from the old session in it".

The new session created is completely empty. It has nothing to do with the user going back in the history, etc.

If you have a lot of data in the request parameters that can keep the state of the workflow sane, then that's a different story. I always try to have enough information in the page (form) so that resuming a workflow after a session timeout is a possibility. This is something you will have to code into your own webapp: it's not something Tomcat can provide for you.

>> [Tim wrote:] If every page in the web app is supposed to require
>> authentication you need to declare that in web.xml.
> Can you tell me how?

Read-up on the servlet spec, specifically the "authentication and authorization" sections. Look for and sections in web.xml.

>> [Tim wrote:] I'm assuming (perhaps incorrectly) you've already
>> got some declaration in there for form authentication?
> What are you thinking about? Can you be more precise?

If users are logging-into your webapp, presumably they are providing a username and password (or other credentials): where do you have that configured?

-chris
Re: Session expiration - browser -Web application
@Tim :
Thank you for your answer.

> [Tim wrote:] "Uncertain" is a bit vague.
Yes. Ok. This is my understanding which is "uncertain" then.
What happens is what you wrote: "a new session for the user with _none_ of the objects from the old session in it".

> [Tim wrote:] If every page in the web app is supposed to require
> authentication you need to declare that in web.xml.
Can you tell me how?

> [Tim wrote:] I'm assuming (perhaps incorrectly) you've already got some
> declaration in there for form authentication?
What are you thinking about? Can you be more precise?

I guess I should have examined this issue sooner but things are the way they are, aren't they?

Thank you and best regards,
--
Léa
Re: Session expiration - browser -Web application
On Fri, 2011-11-04 at 07:16 -0700, Léa Massiot wrote:
> Hello,
>
> Thank you for reading my post.
>
> Maybe my question is not purely related to "Tomcat" but here is my problem:
> - a user logs into my Webapp;
> - his session expires;
> - if he:
>     - presses the F5 key (browser refresh functionality),

This creates a new session for the user with _none_ of the objects from the old session in it (because it expired).

>     - goes back to the previous screen using the browser "go back one
>       page" button...
> all that was stored in the session is lost and the Webapp behaviour is
> uncertain.

"Uncertain" is a bit vague. This could be a design problem in the app, e.g. if some objects are simply assuming that the session contains certain other objects then you should expect unexpected behaviour. My guess is the behaviours you see are quite certain, just not well understood.

> Instead, I wish to direct him to the Webapp log in page.

If every page in the web app is supposed to require authentication you need to declare that in web.xml. I'm assuming (perhaps incorrectly) you've already got some declaration in there for form authentication?

>
> My Webapp "itself" behaves properly.
> My problem occurs only if the user uses browser functionalities or buttons.
>
> I don't know how to deal with that issue.
> Can you help me?
>
> Best regards,
> --
> Léa
Session expiration - browser -Web application
Hello,

Thank you for reading my post.

Maybe my question is not purely related to "Tomcat" but here is my problem:
- a user logs into my Webapp;
- his session expires;
- if he:
    - presses the F5 key (browser refresh functionality),
    - goes back to the previous screen using the browser "go back one page" button...
all that was stored in the session is lost and the Webapp behaviour is uncertain.
Instead, I wish to direct him to the Webapp log in page.

My Webapp "itself" behaves properly.
My problem occurs only if the user uses browser functionalities or buttons.

I don't know how to deal with that issue.
Can you help me?

Best regards,
--
Léa