How do I execute an authenticated AJAX request without resetting the tomcat's session timeout?

I've got an existing Grails Web application that is in production and has a 30 minute session timeout. We are running Tomcat (tcServer).

When a user is authenticated and on certain pages I want to make some periodic polling ajax requests to the server that do not extend this 30 minute session timeout - so that our session timeout isn't thwarted.

The question is similar to this unanswered asp.net question, but none of the answers there will do, and this is in the Java/Tomcat realm.

How do I execute an authenticated AJAX request without resetting the tomcat's session timeout?

Is there some sort of filter or url-matching mechanism that I can use to exclude requests from extending the session timeout?

Colin Harrington asked Jan 29 '11 00:01



1 Answer

I'd go with a Grails filter that does something similar to what The-MeLLeR is proposing without the unnecessary loop through all sessions:

class AjaxTimeoutFilters {

   // Must match the session-timeout configured in web.xml (30 minutes here)
   int sessionTimeout = 30 * 60 * 1000
   // Session attribute holding the time of the last non-Ajax request
   private static final String TIMEOUT_KEY = 'TIMEOUT_KEY'

   def filters = {
      all(controller:'*', action:'*') {
         before = {
            if (request.xhr) {
               // Ajax request: check our own clock, but never refresh it
               Long lastAccess = session[TIMEOUT_KEY]
               if (lastAccess == null) {
                  // TODO - Ajax request with no previous non-Ajax request
                  return false
               }
               if (System.currentTimeMillis() - lastAccess > sessionTimeout) {
                  // No non-Ajax activity for longer than the timeout: end the session
                  session.invalidate()
                  // TODO - render response to trigger client redirect
                  return false
               }
            }
            else {
               // Normal (non-Ajax) request: this is the only thing that refreshes the clock
               session[TIMEOUT_KEY] = System.currentTimeMillis()
            }

            true
         }
      }
   }
}

The session timeout should be dependency-injected or otherwise kept in sync with the value in web.xml.

There are two remaining issues. One is the case where there's an Ajax request but no previous non-Ajax request (lastAccess == null). The other is how to redirect the browser to a login page or wherever you need to go when there's an Ajax request after 30 minutes of no non-Ajax activity. You'd have to render JSON or some other response that the client would check to know that it's been timed out and do a client-side redirect.

Burt Beckwith answered Oct 27 '22 20:10
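The same idea written as a plain servlet Filter, so it works in any Tomcat/tcServer web app and not only under Grails. This is an added example and is not code from the original question or answer. The class name, the idleTimeoutSeconds init-param, the session attribute key, the 401 JSON body and the /login path are assumptions chosen for illustration, and the handling of the "Ajax request with no previous page request" case (seeding the stamp from the session's creation time) is a design choice of this example, not something the answer settles.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Tomcat updates the session's lastAccessedTime on every request that carries a
 * valid JSESSIONID, so the container's own idle clock cannot be told to ignore
 * XHR polling. This filter therefore keeps its own "last non-Ajax access" stamp
 * in the session and enforces the idle limit against that stamp for Ajax requests.
 * (Added example; names and the JSON body are assumptions, see lead-in.)
 */
public class AjaxIdleTimeoutFilter implements Filter {

    private static final String LAST_ACCESS_KEY = "AjaxIdleTimeoutFilter.lastNonAjaxAccess";
    private static final String INIT_PARAM_SECONDS = "idleTimeoutSeconds";

    // Default matches the 30-minute session in the question; override via init-param
    private long idleTimeoutMillis = 30L * 60 * 1000;

    @Override
    public void init(FilterConfig config) {
        // Keep this value next to <session-timeout> in web.xml, e.g.
        //   <init-param><param-name>idleTimeoutSeconds</param-name><param-value>1800</param-value></init-param>
        String seconds = config.getInitParameter(INIT_PARAM_SECONDS);
        if (seconds != null) {
            idleTimeoutMillis = Long.parseLong(seconds.trim()) * 1000L;
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false): a poll must never create a session as a side effect
        HttpSession session = request.getSession(false);

        if (isAjax(request)) {
            if (session != null) {
                Long last = (Long) session.getAttribute(LAST_ACCESS_KEY);
                if (last == null) {
                    // Ajax before any page load: seed from the container's creation time so
                    // a poll cannot keep alive a session that never saw a real page request
                    last = session.getCreationTime();
                    session.setAttribute(LAST_ACCESS_KEY, last);
                }
                if (System.currentTimeMillis() - last > idleTimeoutMillis) {
                    session.invalidate();
                    rejectAsTimedOut(response);
                    return;
                }
            }
            // Deliberately not touching the stamp: polls do not extend the idle window
        } else if (session != null) {
            // A real page request is the only thing that refreshes the idle clock
            session.setAttribute(LAST_ACCESS_KEY, System.currentTimeMillis());
        }

        chain.doFilter(req, res);
    }

    /** Same header check Grails performs for request.xhr. */
    static boolean isAjax(HttpServletRequest request) {
        return "XMLHttpRequest".equals(request.getHeader("X-Requested-With"));
    }

    /** The client-side poll handler checks for 401 plus this body and redirects itself. */
    private static void rejectAsTimedOut(HttpServletResponse response) throws IOException {
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        response.setContentType("application/json");
        response.setCharacterEncoding("UTF-8");
        response.getWriter().write("{\"error\":\"session_timeout\",\"redirect\":\"/login\"}");
    }

    @Override
    public void destroy() { }
}
```

Map the filter in web.xml ahead of the authentication filter so a timed-out poll is rejected before any controller runs. Two caveats apply to both this and the Grails version: the X-Requested-With header is set by the client, so a client that omits it (or simply reloads a page) still extends the session exactly as a normal user would; the filter only stops the application's own polling from keeping sessions alive and is not a substitute for an absolute session lifetime. Second, the container's `<session-timeout>` still does useful work: it reaps sessions whose browser was closed and therefore stopped polling, so keep it configured and keep the two values in sync.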