struts-user mailing list archives

From "K.C. Baltz" <>
Subject Re: How to differentiate between timed-out user and new user?
Date Thu, 10 Jul 2003 04:07:05 GMT
This solution worked great.  Just to finish the topic, here's what I did 
based on TPP's advice:

- Created a Filter which examines the session ID of every request. If 
the session ID is invalid, it is compared to a Set of known session IDs. 
If the Set contains the ID, then the user has timed out and is redirected 
to an appropriate page. Here are the relevant methods of the 
TimeoutFilter class:

    HashSet previousSessionIDs;   // filled by the SessionListener (not shown)
    String timeoutPage;

    public void init(javax.servlet.FilterConfig filterConfig)
        throws javax.servlet.ServletException
    {
        // Get the target redirect page from the web.xml config.
        timeoutPage = filterConfig.getInitParameter("timeoutPage");
    }

    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse,
        FilterChain filterChain) throws java.io.IOException, javax.servlet.ServletException
    {
        HttpServletRequest request = (HttpServletRequest)servletRequest;
        HttpServletResponse response = (HttpServletResponse)servletResponse;
        // True only when the browser sent a session ID that is no longer valid.
        if( !request.isRequestedSessionIdValid() )
        {
            if( previousSessionIDs.contains( request.getRequestedSessionId() ) )
            {
                log.debug( "We have seen this session ID before" );
                RequestDispatcher rd = request.getRequestDispatcher( timeoutPage );
                rd.forward( request, response );
                return;   // the forward has produced the response; stop here
            }
            else
            {
                log.debug( "We have not seen this session ID before" );
            }
        }
        filterChain.doFilter(request, response);
    }

I use a SessionListener to record the SessionIDs when they are created.  
I'm not sure yet how I'm going to handle the Set filling up with 
SessionIDs.  I'll have to find some way to expire them.


Paananen, Tero wrote:

>>I'm dealing with the issue of session timeout and I'm
>>having trouble figuring out how I can tell when a user
>>is making a request after their session has timed out.
>>I'd like to present them with a message indicating that
>>fact, rather than just assuming they're a new user and 
>>sending them on to the login page.  Is there any way to 
>>detect this?
>Store the session ID the user is associated with
>in the persistent user repository when the user
>logs in. Clear it when the user logs out.
>On every request, capture the session ID the browser
>is sending you either as a cookie or a request parameter.
>If the session has timed out, search the user repository
>for the same session ID.
>If you find one, you'll know the session has timed out
>(user never logged out, so the session ID was not cleared).
>If you don't find one (or there is no session ID sent
>from the browser), it's a new user.
>				-TPP
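For the open question in the message above about the Set filling up with session IDs, here is one way to bound and expire it. This is an added example, not code from the original post or from Struts. The class name SeenSessionIds, its methods, the size cap and the retention window are all hypothetical; storing a SHA-256 digest instead of the raw ID is an addition, and the code assumes Java 8 or later.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.Map;

// Added example; class and method names are hypothetical.
public class SeenSessionIds {
    private final long retentionMillis;
    private final Map<String, Long> seen;   // digest of ID -> time recorded, oldest first

    public SeenSessionIds(final int maxEntries, long retentionMillis) {
        this.retentionMillis = retentionMillis;
        this.seen = new LinkedHashMap<String, Long>() {
            @Override protected boolean removeEldestEntry(Map.Entry<String, Long> eldest) {
                return size() > maxEntries;   // hard cap, even under a flood of new sessions
            }
        };
    }

    // Called by the session listener when a session is created.
    public synchronized void remember(String sessionId, long now) {
        prune(now);
        seen.put(digest(sessionId), now);
    }

    // Called by the filter once isRequestedSessionIdValid() has returned false.
    public synchronized boolean wasSeen(String requestedId, long now) {
        if (requestedId == null) return false;   // browser sent no ID: new user
        prune(now);
        return seen.containsKey(digest(requestedId));
    }

    private void prune(long now) {   // drop entries older than the retention window
        Iterator<Long> it = seen.values().iterator();
        while (it.hasNext() && now - it.next() > retentionMillis) it.remove();
    }

    // Store a SHA-256 digest, so a heap dump or log of the set exposes no usable session ID.
    private static String digest(String id) {
        try {
            byte[] h = MessageDigest.getInstance("SHA-256").digest(id.getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(h);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

Because IDs are recorded at creation, the retention window has to be longer than the longest time a session can stay alive, or a timed-out user will be treated as a new one.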