Techieexchange’s Techblog

JSF Session Expired Timeout Solution

Posted on: February 21, 2008

With JSF, a clean session expiry or timeout is not easy to implement, so I would like to post a solution that you can integrate out of the box into your JSF applications.

Here is a better version of code with syntax highlight:

http://techieexchange.blogspot.com/2008/02/jsf-session-expiry-timeout-solution.html

Step 1:

    import java.util.Date;

    import javax.servlet.http.HttpSession;
    import javax.servlet.http.HttpSessionEvent;
    import javax.servlet.http.HttpSessionListener;

    /**
     * When the user's session times out, {@link #sessionDestroyed(HttpSessionEvent)} is invoked.
     * This method performs the necessary cleanup (logging out the user, updating the DB and audit logs, etc.).
     * As a result, after this method we are in a clean and stable state, so there is nothing left to think about:
     * because the session has expired, the user can do nothing after this point.
     *
     * Thanks to hturksoy
     */
    public class MySessionListener implements HttpSessionListener {

        public MySessionListener() {
        }

        public void sessionCreated(HttpSessionEvent event) {
            // The session ID is a credential: outside of testing, log a shortened or hashed form instead.
            System.out.println("Current Session created : " + event.getSession().getId() + " at " + new Date());
        }

        public void sessionDestroyed(HttpSessionEvent event) {
            // get the session that is being destroyed
            HttpSession session = event.getSession();
            System.out.println("Current Session destroyed :" + session.getId() + " Logging out user...");

            /*
             * Nobody can reach the user data after this point because the session is invalidated.
             * So, get the user data from the session and save its logout information
             * before losing it.
             * The user's redirection to the timeout page is handled by the SessionTimeoutFilter.
             */

            // Only if needed
            try {
                prepareLogoutInfoAndLogoutActiveUser(session);
            } catch (Exception e) {
                System.out.println("Error while logging out at session destroyed : " + e.getMessage());
            }
        }

        /**
         * Clean your logout operations.
         */
        public void prepareLogoutInfoAndLogoutActiveUser(HttpSession httpSession) {
            // Only if needed
        }
    }

Step 2:

    import java.io.IOException;

    import javax.servlet.Filter;
    import javax.servlet.FilterChain;
    import javax.servlet.FilterConfig;
    import javax.servlet.ServletException;
    import javax.servlet.ServletRequest;
    import javax.servlet.ServletResponse;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    // StringUtils from Apache Commons Lang 2.x (the package is org.apache.commons.lang3 in Lang 3.x)
    import org.apache.commons.lang.StringUtils;

    /**
     * When the session is destroyed, MySessionListener does the necessary logout operations.
     * Later, at the first request of the client, this filter is fired and redirects
     * the user to the appropriate timeout page if the session is not valid.
     *
     * Thanks to hturksoy
     */
    public class SessionTimeoutFilter implements Filter {

        // This should be your default Home or Login page:
        // "login.seam" if you use JBoss Seam, otherwise "login.jsf" / "login.xhtml" or whatever
        private String timeoutPage = "login.seam";

        public void init(FilterConfig filterConfig) throws ServletException {
        }

        public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain)
                throws IOException, ServletException {
            if ((request instanceof HttpServletRequest) && (response instanceof HttpServletResponse)) {
                HttpServletRequest httpServletRequest = (HttpServletRequest) request;
                HttpServletResponse httpServletResponse = (HttpServletResponse) response;

                // is session expiry control required for this request?
                if (isSessionControlRequiredForThisResource(httpServletRequest)) {
                    // is session invalid?
                    if (isSessionInvalid(httpServletRequest)) {
                        String timeoutUrl = httpServletRequest.getContextPath() + "/" + getTimeoutPage();
                        System.out.println("Session is invalid! redirecting to timeoutpage : " + timeoutUrl);
                        httpServletResponse.sendRedirect(timeoutUrl);
                        return;
                    }
                }
            }
            filterChain.doFilter(request, response);
        }

        /*
         * The session shouldn't be checked for some pages, for example the timeout page.
         * Since we're redirecting to the timeout page from this filter,
         * if we don't disable session control for it, the filter will redirect to it again
         * and this will result in an infinite loop.
         */
        private boolean isSessionControlRequiredForThisResource(HttpServletRequest httpServletRequest) {
            String requestPath = httpServletRequest.getRequestURI();
            boolean controlRequired = !StringUtils.contains(requestPath, getTimeoutPage());
            return controlRequired;
        }

        // Invalid means: the client sent a session ID, but the container no longer has a valid session for it.
        private boolean isSessionInvalid(HttpServletRequest httpServletRequest) {
            boolean sessionInValid = (httpServletRequest.getRequestedSessionId() != null)
                    && !httpServletRequest.isRequestedSessionIdValid();
            return sessionInValid;
        }

        public void destroy() {
        }

        public String getTimeoutPage() {
            return timeoutPage;
        }

        public void setTimeoutPage(String timeoutPage) {
            this.timeoutPage = timeoutPage;
        }
    }
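The exemption test in isSessionControlRequiredForThisResource() is a substring match, so it also skips the session check for any URI that merely contains the timeout page name. The following added example (not part of the original post) compares it with an exact-path test that first strips path parameters such as ;jsessionid=...; the class name, method names, context path and sample URIs are constructed for illustration, and it works on plain strings so it runs without the servlet API.

```java
public class TimeoutPageMatch {

    // Test as written in the filter: substring match anywhere in the request URI.
    static boolean controlRequiredSubstring(String requestUri, String timeoutPage) {
        return !requestUri.contains(timeoutPage);
    }

    // Stricter test: drop path parameters (for example ";jsessionid=..." added by
    // URL rewriting), then require the path to equal <contextPath>/<timeoutPage>.
    static boolean controlRequiredExact(String requestUri, String contextPath, String timeoutPage) {
        int semi = requestUri.indexOf(';');
        String path = (semi >= 0) ? requestUri.substring(0, semi) : requestUri;
        return !path.equals(contextPath + "/" + timeoutPage);
    }

    public static void main(String[] args) {
        String contextPath = "/app";        // constructed context path
        String timeoutPage = "login.seam";  // default timeoutPage from the filter
        String[] uris = {                   // constructed sample request URIs
            "/app/login.seam",                   // the timeout page itself
            "/app/login.seam;jsessionid=ABC123", // timeout page with URL rewriting
            "/app/orders.seam",                  // ordinary page
            "/app/orders.seam;ref=login.seam",   // page name appears only in a path parameter
            "/app/old-login.seam",               // different page whose name contains it
        };
        // "true" means the filter will check the session for this URI.
        for (String uri : uris) {
            System.out.printf("%-38s substring=%-5b exact=%b%n", uri,
                    controlRequiredSubstring(uri, timeoutPage),
                    controlRequiredExact(uri, contextPath, timeoutPage));
        }
    }
}
```

In the filter, the same comparison can be made on httpServletRequest.getRequestURI() and httpServletRequest.getContextPath(); the last two sample URIs are checked only by the exact test.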

Step 3:

web.xml

    <listener>
        <listener-class>com.fpc.carconfig.session.MySessionListener</listener-class>
    </listener>

    <filter>
        <filter-name>SessionTimeoutFilter</filter-name>
        <filter-class>com.fpc.carconfig.session.SessionTimeoutFilter</filter-class>
    </filter>

    <filter-mapping>
        <filter-name>SessionTimeoutFilter</filter-name>
        <!-- Remember to use your correct URL pattern -->
        <url-pattern>*.seam</url-pattern>
    </filter-mapping>

That's it.

To check whether this solution works, change the session timeout to 1 minute in web.xml like this:

    <session-config>
        <session-timeout>1</session-timeout>
    </session-config>

Feel free to share your comments.

16 Responses to "JSF Session Expired Timeout Solution"

Hi, thank you very much for your article!
But I have a question.
Please can you add the StringUtils class to this article, because in
antlr.StringUtils I found no contains() method, and
please can you describe isSessionControlRequiredForThisResource() in more detail?

I think he is using StringUtils from Apache Commons, not from ANTLR.

Hi,
Q: antlr.StringUtils
A: StringUtils from Apache Commons Lang (http://commons.apache.org/downloads/download_lang.cgi), not from ANTLR

Q: isSessionControlRequiredForThisResource
A: See JavaDoc-
Session shouldn’t be checked for some pages. For example: for the timeout page. Since we’re redirecting to the timeout page from this filter, if we don’t disable session control for it, the filter will again redirect to it and this will result in an infinite loop…

Here is a better version of code with syntax highlight:

http://techieexchange.blogspot.com/2008/02/jsf-session-expiry-timeout-solution.html

Cheers

Great Article! I have a question though.
Is there any chance that once the timeout expires, the application redirects the user to the timeout page without waiting for the user to make another move?
Thanks!

I tested with that; it runs fine, but there is a problem.

It runs twice. Has anyone had the same problem as me?

StringUtils() is not working for me… I am using IBM/RAD.
I went to the URL which you posted to get it done…

But can you tell me what and where I download, sources or binary and all those, and how do I integrate it into my IDE?
Should I use or integrate JARs (adding external JARs)?
Help me.
Thanks

Hi prem,
You can download Apache Commons Lang from here
http://commons.apache.org/downloads/download_lang.cgi

For some reason, I don’t see control going in to Filter any time even after giving a URL pattern of *.*

Is there anything I am missing?

some reason, I don’t see control going in to Filter any time even after giving a URL pattern of *.*

Is there anything I am missing?

I am using Struts and I see the control going in to init() method of Filter but it never got in to doFilter() method. Can someone help me?

Nice solution, but how to use the resource bundle inside the SessionTimeoutFilter

I am having in login page

and adding error message as follows in the backing bean.
————————————————————————————
FacesContext facesContext = FacesContext.getCurrentInstance();
FacesMessage message = new FacesMessage(severity, summary, detail);
facesContext.addMessage(clientId, message);
————————————————————————————

The error is NullPointerException, while adding messages.

You can’t use ‘FacesContext.getCurrentInstance()’ in the filter because there is no faces context -> FacesContext.getCurrentInstance() returns ‘null’,
so that’s why you get the NullPointerException when accessing facesContext.someThing

Hi.

Does anybody know how to add the browser close button, so I can invalidate my session when the user clicks on this button?

thanks

What about redirecting if an Ajax / jQuery request is used?
Your way works fine if you don’t have an Ajax request. Otherwise the ‘httpServletResponse.sendRedirect(timeoutUrl);’ is fired but swallowed by the browser using JSF 1.2 (for JSF 2.0 there are other solutions).

Hi, your solution helped me a lot. But I have a problem: when the user clicks the logout button I am invalidating the session, so it automatically goes to the session expiry page. How to differentiate this?

Hi all,
I need to intimate the user 2 min before session expiry, and I have to provide an option for further extending the session. Please help me to do this.
