recognizing session timeout

Question

I am building a java web board game using servlets. I need to know when a user is not answering for 30 secundes, I am using

session.setMaxInactiveInterval(30);

But I need to know on the server side once the time ended so I can make this player quite.

As it is now once the player return and try to do something he will get the timeout and I can see on on the server.

How can I know in the servlet once a session has timeout?!

Thank you.

skuntsel · Answer 1 · 2013-03-05T12:56:49.120

18

You need to implement the HttpSessionListener interface. It receives notification events when session is created, or destroyed. In particular, its method sessionDestroyed(HttpSessionEvent se) gets called when the session is destroyed, which happens after timeout period has finished / session was invalidated. You can get the information stored in the session via HttpSessionEvent#getSession() call, and later do any arrangements that are necessary with the session. Also, be sure to register your session listener in web.xml:

<listener>
    <listener-class>FQN of your sessin listener implementation</listener-class>
</listener>

If you ultimately want to distinguish between invalidation and session timeout you could use the following line in your listener:

long now = new java.util.Date().getTime();
boolean timeout = (now - session.getLastAccessedTime()) >= ((long)session.getMaxInactiveInterval() * 1000L);

edited Mar 05 '13 at 12:56

answered Mar 05 '13 at 12:44

skuntsel

11,624
11
44
67

Thank you, but in this case as well I only get to the sessionDestroyed() after there is a refresh in the browser. Or am I doing something wrong? – YotamB Mar 05 '13 at 13:23
You don't need to do anything regarding the session timeout, like manipulating the browser, your servlet container will handle that situation for you. Note thought, that session won't be collected *exactly* after timeout period has run out. The servlet container checks for session that timed out *every now and then*, and upon finding session that is eligible for destruction, fires the listener method and destroys the session. – skuntsel Mar 05 '13 at 13:48

score 1 · Answer 2 · answered Mar 05 '13 at 14:24

1

I ended up using the HttpSessionListener and refreshing in an interval larger then setMaxInactiveInterval.

So if the used did nothing for 30 Sec in the next refresh after 40 Sec I get to sessionDestroyed().

Also important that you need to create new ServletContext to get to the ServletContext.

ServletContext servletContext=se.getSession().getServletContext();

Thank you!

answered Mar 05 '13 at 14:24

YotamB

53
1
2
7

So you got fixed the issue ?? – Suresh Atta Mar 05 '13 at 15:10
Consider a user opening two browser tabs 20 seconds apart -- this arrangement could lead to them *never* being logged out if you're not careful. – Brad Mace May 31 '17 at 21:38

score 1 · Answer 3 · answered Jun 09 '16 at 20:03

An alternative to guessing based on the idle interval is to set an attribute in the session when the logout is triggered by the user. For example, if you can put something like the following in the method that handles user triggered logouts:

httpServletRequest.getSession().setAttribute("logout", true);
// invalidate the principal
httpServletRequest.logout();
// invalidate the session
httpServletRequest.getSession().invalidate();

then you can have the following in your HttpSessionListener class:

@Override
public void sessionDestroyed(HttpSessionEvent event) {
    HttpSession session = event.getSession();
    if (session.getAttribute("logout") == null) {
        // it's a timeout
    }
}

recognizing session timeout

3 Answers3

Linked

Related