I have a webpage that, after logging in, you basically sit at one page and do several things that result in AJAX requests.
Since AJAX requests are no different than normal HTTP requests, they extend the session's expiration when they reach the server, as desired.
I have no problem with this, as the user's session should only be extended if they interact with the server, and that makes sense.
Since the user basically stays on this one page, I want to be able to notify them when their session has expired, instead of them finding out the hard way when they try to hit the server with whatever action after this timeout has occurred.
So I've been asked to implement something like what I see often on banks' websites, where a popup (alert
) comes up right before the user's session expires. I don't need it to come up right before, but "as soon as" it expires (or as close as I can, after it happens), so the user can't do anything on the page and accidentally be redirected to the login page.
My original idea was to poll the server and check every 30 seconds or so. The problem with this is that the AJAX request resets the session's expiration (which is 30 minutes), nullifying the point of using this polling.
Of course, one "solution" is to handle this in the Javascript - when a normal action's AJAX request is received, reset a timer. This timer would be run 30 minutes after it's set. And I know this wouldn't be too hard because I could attach it to the global AJAX handler of jQuery so that it resets the timer after every successful AJAX call, but it doesn't seem right to me to keep track of the session timing out in two places. I'd much rather "waste" resources and make an AJAX call pretty often. I just don't want the user to have to do something to find out when their session expires - if they leave their computer for 31 minutes, I want there to be a message when they get back saying their session has expired and they'll be redirected.
From the many articles/explanations I've looked through, I really can't find anything that applies to my situation. I've seen things that use Spring Security, but we unfortunately are not using that because we don't use a normal username/password scheme and couldn't figure out how to customize it to work.
I've seen the terms "Filter" or "Intercept" thrown around but I'm not sure if I can use them, because it seems to be a Security thing.
So basically, I'm looking for some way to be able to have an HTTP request check when the session expires, without resetting its expiration. I'd basically just need to respond with some form of true/false based on that (which I can figure out).
I'd really like to keep this handling on the server, and allow polling to catch when the session has timed out, so the HTTP request needs to be able to see the current state of the session and analyze, but not reset the timeout.
If it helps, my session is declared like this:
@Component
@Scope(value = "session", proxyMode = ScopedProxyMode.TARGET_CLASS)
public class UserDataSession {
And my controllers use it like this:
@Autowired
private UserDataSession userDataSession;
Is there some way to bypass the resetting of a session's expiration in a Request's mapping?
You could make an ajax request that doesn't send any cookies or jsession id, so the server thinks its a new session, and will not extend the real session. You would also need to pass the jsession id to the server in another manner, so the server can look up the session to see if it needs to be expired.
Here are some ideas for blocking cookies: Prevent Cookies From Being Sent on AJAX Request
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With