3

I can redirect a user to home page upon session logout.. this was very simple. However, if an user had logged into the app and had the page open, even on session time out, he is able to perform all the functions(this is bad).

The redirect does not happen until the page is refreshed, or submitted to the server... there are some update functions that could be done by the user even if he is not currently logged in... I have done a lot of research but unable to fix this solution. I also found this thread but it seems to have no proper answer:

Spring Security 3.1 - Automatically redirect to login page when session-timeout occurs

For example, most of the banking sites log you out after a time out.. they do not wait until you come back and then submit a request before you are redirected to home page.

Community
  • 1
  • 1
user1736333
  • 183
  • 2
  • 3
  • 11
  • I did not get the part where you have mentioned `until page refresh`, are you using only `ajax` on page – Rupesh Oct 12 '13 at 12:58
  • 1
    If someone tries to access an authenticated url, check if the user is present in session or not, if not then redirect to login page. This check has to be at all pages/functions accessible after logging in. – coding_idiot Oct 12 '13 at 20:28

2 Answers2

0

HTTP is stateless. To achieve some form of state the server can maintain a session for each user by giving them a session id on their first request. The user would have to resend that session id on each future request to identify that the other requests happen within the same session.

Because the session is maintained by the server, there is no way to notify the client that the session has timed out.

Instead, if the user makes a new request when the session is timed out, their session ID is no longer good and therefore you can take a particular action like redirect them to login page.

Sotirios Delimanolis
  • 274,122
  • 60
  • 696
  • 724
  • please refer to my comment below. FYI, I am aware that HTTP is stateless. Looks like I have not made myself clear... – user1736333 Oct 12 '13 at 23:00
  • 1
    @user Yes, my second paragraph addresses that. A server (without push) cannot notify a client. You can implement some kind of AJAX request that doesn't reset the counter, but checks if the session is timed out. – Sotirios Delimanolis Oct 12 '13 at 23:15
0

Assuming nothing works out. You may want to consider below mentioned approches:

Approach 1: Create a cookie on browser and have encrypted timestamp in it that will contain last visited/request timestamp from browser, for each request first get get this cookie value and compare with the pre-defined session out time, if session-out time reached then redirect user to error page else serve the request. On logout delete the cookie.

Why encrypted value for timestamp: if somehow user gets to know about cookie used for session timeout then (s)he can change this value in browser and keep on sending this request.

Approach 2: You can also achieve this by making an entry in your database for every logged-in user and updating timestamp in this database for each request. For each incoming request get this timestamp from database and compare it with pre-defined value for timeout and handle accordingly. On logout delete the entry.

In both the approaches explicitly perform response.redirect("errorPageUrl");
Rupesh
  • 2,627
  • 1
  • 28
  • 42
  • Rupesh, I have already done what you have suggested here.Let me explain using a scenario: Event 1) User logs in to the App. Event 2) there is no activity on the app and so the session times out (but the page is still open on the browser). Event 3) user comes back and tries to send a request to the server. Event 4) My code redirects the user to home page. Now, What I want is that, on session time out, the page should have automatically redirected to home page instead of having the user submit a request and then being redirected to the home page. makes sense? – user1736333 Oct 12 '13 at 22:59