recognizing session timeout

java servlets session-timeout

19,664

Solution 1

You need to implement the HttpSessionListener interface. It receives notification events when session is created, or destroyed. In particular, its method sessionDestroyed(HttpSessionEvent se) gets called when the session is destroyed, which happens after timeout period has finished / session was invalidated. You can get the information stored in the session via HttpSessionEvent#getSession() call, and later do any arrangements that are necessary with the session. Also, be sure to register your session listener in web.xml:

<listener>
    <listener-class>FQN of your sessin listener implementation</listener-class>
</listener>

If you ultimately want to distinguish between invalidation and session timeout you could use the following line in your listener:

long now = new java.util.Date().getTime();
boolean timeout = (now - session.getLastAccessedTime()) >= ((long)session.getMaxInactiveInterval() * 1000L);

Solution 2

I ended up using the HttpSessionListener and refreshing in an interval larger then setMaxInactiveInterval.

So if the used did nothing for 30 Sec in the next refresh after 40 Sec I get to sessionDestroyed().

Also important that you need to create new ServletContext to get to the ServletContext.

ServletContext servletContext=se.getSession().getServletContext();

Thank you!

Solution 3

An alternative to guessing based on the idle interval is to set an attribute in the session when the logout is triggered by the user. For example, if you can put something like the following in the method that handles user triggered logouts:

httpServletRequest.getSession().setAttribute("logout", true);
// invalidate the principal
httpServletRequest.logout();
// invalidate the session
httpServletRequest.getSession().invalidate();

then you can have the following in your HttpSessionListener class:

@Override
public void sessionDestroyed(HttpSessionEvent event) {
    HttpSession session = event.getSession();
    if (session.getAttribute("logout") == null) {
        // it's a timeout
    }
}

19,664

Author by

YotamB

Updated on June 17, 2022

Comments

YotamB about 2 years
I am building a java web board game using servlets. I need to know when a user is not answering for 30 secundes, I am using
```
session.setMaxInactiveInterval(30);
```
But I need to know on the server side once the time ended so I can make this player quite.

As it is now once the player return and try to do something he will get the timeout and I can see on on the server.

How can I know in the servlet once a session has timeout?!

Thank you.
YotamB over 11 years

Thank you, but in this case as well I only get to the sessionDestroyed() after there is a refresh in the browser. Or am I doing something wrong?
skuntsel over 11 years

You don't need to do anything regarding the session timeout, like manipulating the browser, your servlet container will handle that situation for you. Note thought, that session won't be collected exactly after timeout period has run out. The servlet container checks for session that timed out every now and then, and upon finding session that is eligible for destruction, fires the listener method and destroys the session.
Suresh Atta over 11 years

So you got fixed the issue ??
Brad Mace about 7 years

Consider a user opening two browser tabs 20 seconds apart -- this arrangement could lead to them never being logged out if you're not careful.