Differentiate between session destroyed by timeout and session destroyed manually in session timeout listener

Question

I want to implement a listener that will be called if the session is expired, I found out that I could create a listener that implements the interface HttpSessionListener, and override the method sessionDestroyed

public class SessionListener implements HttpSessionListener {

   @Override
   public void sessionCreated(HttpSessionEvent sessionEvent) {
      // TODO Auto-generated method stub
   }

   @Override
   public void sessionDestroyed(HttpSessionEvent sessionEvent) {
         // TODO Auto-generated method stub         
   }
}

but the problem is this method is called each time the session is destroyed, such as login and logout, So how do I know that the session is destroyed after session is expired, or if there's another solution other than HttpSessionListener.

PS: I'm using Spring framework in the application.

Attention: sessionDestroyed is called when the session is deleted, this is sometimes later than the timeout -- Have look at this question and anser, it is not an answer for your question, but it is something you should know http://stackoverflow.com/questions/5390177/httpsessionlistener-not-detecting-session-timeout — Ralph, Nov 06 '13 at 08:45
I don't think you can differentiate between the two scenarios "out of the box" with a session listener. Why do you need to? — NilsH, Nov 06 '13 at 08:48

score 0 · Answer 1 · answered Nov 06 '13 at 09:30

Maybe you can try guessing like this :

possible_timeout = (CurrentTime - LastAccessedTime) >= MaxInactiveInterval.

// HttpServlet

protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {

    System.out.println("Inside doGet(HttpServletRequest,HttpServletResponse)");

    HttpSession session = request.getSession(true);
    System.out.println("Session Id : " +session.getId() );
    System.out.println( "Is New Session : " + session.isNew() );

    int timeout = 10;
    session.setMaxInactiveInterval(timeout);

    System.out.println( "Max Inactive Interval : " + session.getMaxInactiveInterval() );

    System.out.println("Exiting doGet(HttpServletRequest,HttpServletResponse)");
    System.out.println();

}


// SessionEventListener

public void sessionCreated(HttpSessionEvent httpSessionEvent) {
    System.out.println("In sessionCreated(HttpSessionEvent) ");
    HttpSession httpSession = httpSessionEvent.getSession();
    System.out.println("Session Id :"+httpSession.getId() );
    System.out.println("Exiting sessionCreated(HttpSessionEvent) ");
    System.out.println();
}


public void sessionDestroyed(HttpSessionEvent httpSessionEvent) {

    System.out.println("In sessionDestroyed(HttpSessionEvent) ");

    HttpSession httpSession = httpSessionEvent.getSession();
    long createdTime = httpSession.getCreationTime();
    long lastAccessedTime = httpSession.getLastAccessedTime();
    int maxInactiveTime = httpSession.getMaxInactiveInterval();
    long currentTime = System.currentTimeMillis();

    System.out.println("Session Id :"+httpSession.getId() );
    System.out.println("Created Time : " + createdTime);
    System.out.println("Last Accessed Time : " + lastAccessedTime);
    System.out.println("Current Time : " + currentTime);
    boolean possibleSessionTimeout = (currentTime-lastAccessedTime) >= (maxInactiveTime*1000);

    System.out.println("Possbile Timeout : " + possibleSessionTimeout);
    System.out.println("Exiting sessionDestroyed(HttpSessionEvent)");
    System.out.println();
}

And the output is as follows :

Inside doGet(HttpServletRequest,HttpServletResponse)
In sessionCreated(HttpSessionEvent) 
Session Id :39F84968757E85ED89E7565639322F1F
Exiting sessionCreated(HttpSessionEvent) 

Session Id : 39F84968757E85ED89E7565639322F1F
Is New Session : true
Max Inactive Interval : 10
Exiting doGet(HttpServletRequest,HttpServletResponse)

In sessionDestroyed(HttpSessionEvent) 
Session Id :39F84968757E85ED89E7565639322F1F
Created Time : 1383729761582
Last Accessed Time : 1383729761587
Current Time : 1383729815839
Possbile Timeout : true
Exiting sessionDestroyed(HttpSessionEvent)

I observed that there the timeout is not necessarily detected immediately. It appears that there is a thread that checks periodically for session timeouts. Also, there is a check made on each request.

I have tested this in weblogic server when session timeout inside a servlet. but the difference is ~500ms short from the actual difference. any idea? — Lahiru Ruhunage, Jun 01 '15 at 11:43
@LahiruRuhunage by short do you mean that the timeout occurs before the configured interval? That does not make any sense. If you mean its more, it could simply mean that the container checks every half a second approx for session timeouts (for the given load that you had). — Ravindra HV, Jun 01 '15 at 18:51
Yes it was short when i check the time difference when session timeout. I don't know exactly the what is the reason. May be I have to get the ceiling value. But I did not try that as I used a filter to track the session timeout. — Lahiru Ruhunage, Jun 04 '15 at 06:38

Differentiate between session destroyed by timeout and session destroyed manually in session timeout listener

1 Answers1