How do I execute an authenticated AJAX request without resetting the tomcat's session timeout?

Question

I've got an existing Grails Web application that is in production and has a 30 minute session timeout. We are running Tomcat (tcServer).

When a user is authenticated and on certain pages I want to make some periodic polling ajax requests to the server that do not extend this 30 minute session timeout - so that our session timeout isn't thwarted.

The question is similar to this unanswered asp.net question, but none of the answers there will do and this in the Java/Tomcat realm.

How do I execute an authenticated AJAX request without resetting the tomcat's session timeout?

Is there some sort of filter or url-matching mechanism that I can use to exclude requests from extending the session timeout?

Answer 1

I'd go with a Grails filter that does something similar to what The-MeLLeR is proposing without the unnecessary loop through all sessions:

class AjaxTimeoutFilters {

   int sessionTimeout = 30 * 60 * 1000
   private static final String TIMEOUT_KEY = 'TIMEOUT_KEY'

   def filters = {
      all(controller:'*', action:'*') {
         before = {
            if (request.xhr) {
               Long lastAccess = session[TIMEOUT_KEY]
               if (lastAccess == null) {
                  // TODO
                  return false
               }
               if (System.currentTimeMillis() - lastAccess > sessionTimeout) {
                  session.invalidate()
                  // TODO - render response to trigger client redirect
                  return false
               }
            }
            else {
               session[TIMEOUT_KEY] = System.currentTimeMillis()
            }

            true
         }
      }
   }
}

The session timeout should be dependency-injected or otherwise kept in sync with the value in web.xml.

There are two remaining issues. One is the case where there's an Ajax request but no previous non-Ajax request (lastAccess == null). The other is how to redirect the browser to a login page or wherever you need to go when there's an Ajax request after 30 minutes of no non-Ajax activity. You'd have to render JSON or some other response that the client would check to know that it's been timed out and do a client-side redirect.