recognizing session timeout [duplicate]

Asked 5/3, 2013 at 12:28 Answered 9/6, 2016 at 20:3

I am building a java web board game using servlets. I need to know when a user is not answering for 30 secundes, I am using

session.setMaxInactiveInterval(30);

But I need to know on the server side once the time ended so I can make this player quite.

As it is now once the player return and try to do something he will get the timeout and I can see on on the server.

How can I know in the servlet once a session has timeout?!

Thank you.

Entelechy answered 5/3, 2013 at 12:28 Comment(0)

You need to implement the HttpSessionListener interface. It receives notification events when session is created, or destroyed. In particular, its method sessionDestroyed(HttpSessionEvent se) gets called when the session is destroyed, which happens after timeout period has finished / session was invalidated. You can get the information stored in the session via HttpSessionEvent#getSession() call, and later do any arrangements that are necessary with the session. Also, be sure to register your session listener in web.xml:

<listener>
    <listener-class>FQN of your sessin listener implementation</listener-class>
</listener>

If you ultimately want to distinguish between invalidation and session timeout you could use the following line in your listener:

long now = new java.util.Date().getTime();
boolean timeout = (now - session.getLastAccessedTime()) >= ((long)session.getMaxInactiveInterval() * 1000L);

Clairvoyance answered 5/3, 2013 at 12:44 Comment(2)

Thank you, but in this case as well I only get to the sessionDestroyed() after there is a refresh in the browser. Or am I doing something wrong? – Entelechy 5/3, 2013 at 13:23

You don't need to do anything regarding the session timeout, like manipulating the browser, your servlet container will handle that situation for you. Note thought, that session won't be collected exactly after timeout period has run out. The servlet container checks for session that timed out every now and then, and upon finding session that is eligible for destruction, fires the listener method and destroys the session. – Clairvoyance 5/3, 2013 at 13:48

I ended up using the HttpSessionListener and refreshing in an interval larger then setMaxInactiveInterval.

So if the used did nothing for 30 Sec in the next refresh after 40 Sec I get to sessionDestroyed().

Also important that you need to create new ServletContext to get to the ServletContext.

ServletContext servletContext=se.getSession().getServletContext();

Thank you!

Entelechy answered 5/3, 2013 at 14:24 Comment(2)

So you got fixed the issue ?? – Jamin 5/3, 2013 at 15:10

Consider a user opening two browser tabs 20 seconds apart -- this arrangement could lead to them never being logged out if you're not careful. – Diego 31/5, 2017 at 21:38

An alternative to guessing based on the idle interval is to set an attribute in the session when the logout is triggered by the user. For example, if you can put something like the following in the method that handles user triggered logouts:

httpServletRequest.getSession().setAttribute("logout", true);
// invalidate the principal
httpServletRequest.logout();
// invalidate the session
httpServletRequest.getSession().invalidate();

then you can have the following in your HttpSessionListener class:

@Override
public void sessionDestroyed(HttpSessionEvent event) {
    HttpSession session = event.getSession();
    if (session.getAttribute("logout") == null) {
        // it's a timeout
    }
}

Blumenthal answered 9/6, 2016 at 20:3 Comment(0)

Recommended topics

Hot tags