When developing a JSP application it's possible to define a session timeout value, say 30 minutes.

After that timeout, the session object is destroyed. Moreover I can programmatically invalidate a session by calling session.invalidate().

Since I'm saving a complex Java object inside the HTTP session, before invalidating the session or letting it expire by the Tomcat app server, I need to call a saved object method to release some memory. Of course I can do it programmatically when the user clicks a logout button.

What I would like to do is to intercept the Tomcat app server when it is going to destroy all expired sessions (30 minutes or custom), so that I can pre-process Java objects saved in the session by calling a specific method to release memory.

Is it possible?

BalusC
Cristian D'Aloisio

1 Answer

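Yes, that's possible. You could use HttpSessionListener and do the job in the sessionDestroyed() method:

```java
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

@WebListener
public class MyHttpSessionListener implements HttpSessionListener {

    @Override
    public void sessionCreated(HttpSessionEvent event) {
        // Nothing to do on creation; the Servlet 3.0 interface requires the method.
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent event) {
        // Do the job here.
    }

    // ...
}
```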

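Or you could let the complex object which is stored as a session attribute implement the HttpSessionBindingListener and do the job in the valueUnbound() method.

```java
import javax.servlet.http.HttpSessionBindingEvent;
import javax.servlet.http.HttpSessionBindingListener;

public class YourComplexObject implements HttpSessionBindingListener {

    @Override
    public void valueBound(HttpSessionBindingEvent event) {
        // Nothing to do on binding; the Servlet 3.0 interface requires the method.
    }

    @Override
    public void valueUnbound(HttpSessionBindingEvent event) {
        // Do the job here.
    }

    // ...
}
```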

It will be called whenever the object is to be removed from the session (either explicitly by HttpSession#removeAttribute() or by an invalidation/expire of the session).

BalusC
  • I successfully tried the suggested method 1, implementing the HttpSessionListener interface and setting the WEB.XML config file with the following setting: `code` sessionListener it.mypackage.mySessionListener `code` – Cristian D'Aloisio Oct 19 '11 at 08:59
  • Yes, that's the old way of registering the listener. You're still using a Servlet 2.5 container like Tomcat 6.0 or older? The new Servlet 3.0 API is already out for almost 2 years. You just put the `@WebListener` annotation on the class and it's registered. – BalusC Oct 19 '11 at 11:34
  • @BalusC, I am in the same situation. I tried the first way. But when the control comes to my listener's sessionDestroyed() method, the session is already gone. I am not getting the values that were set earlier. Any thoughts? It's quite an old thread, sorry for that. – Jaikrat Feb 03 '14 at 13:53
  • That problem is then caused elsewhere (e.g. a misinterpretation). – BalusC Feb 03 '14 at 14:07
  • Is it possible to do a redirect in any of these two methods? I noticed that in valueUnbound, you cannot because FacesContext.getCurrentInstance().getExternalContext() returns a null. As for the 1st one, I cannot figure out how to get access to the response object. Is this possible, or is it not, because the page is stateless at this point? I'm thinking the only way to do a redirect is to use an AJAX request? – JustBeingHelpful Oct 14 '15 at 14:54
  • @MacGyver: There's not necessarily an HTTP request available during session creation/destroy. Do the job during a real HTTP request only. A servlet filter is helpful (just check some boolean which is put somewhere in session or DB associated with user). – BalusC Oct 14 '15 at 15:04
  • I need to clarify. My application is a rich client app, meaning it runs in a single page using JavaScript. However, the authentication session is persisted with Tomcat. Does a filter require a new HTTP request to occur (from browser to Tomcat server) in order to cause a redirect? I do have a user with a boolean flag on the db side, and can check in filter. But would the filter ONLY redirect upon a new HTTP request? It appears these filters are meant for Cross Site Request Forgery. – JustBeingHelpful Oct 14 '15 at 17:22
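
The two hooks from the answer combined into one cleanup path, as an added example that is not code from the answer or its comments: because logout, timeout, `removeAttribute()` and attribute replacement can each trigger cleanup, the release method is made idempotent and wipes the buffer before dropping it. Assumptions: the `javax.servlet` (Servlet 3.x) namespace used on this page, and the hypothetical names `SessionCleanupListener`, `Workspace`, `release()` and the attribute name `workspace`.

```java
// SessionCleanupListener.java -- added example; all class and attribute names are hypothetical.
import java.util.Arrays;
import java.util.concurrent.atomic.AtomicBoolean;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSessionBindingEvent;
import javax.servlet.http.HttpSessionBindingListener;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

@WebListener
public class SessionCleanupListener implements HttpSessionListener {

    /** Assumed name under which the application stores the object in the session. */
    public static final String ATTR = "workspace";

    @Override
    public void sessionCreated(HttpSessionEvent event) {
        // Nothing to prepare; the Servlet 3.0 interface requires the method.
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent event) {
        // Called for an explicit invalidate() and for a container-driven timeout.
        Object value = event.getSession().getAttribute(ATTR);
        if (value instanceof Workspace) {   // also false when the attribute is absent
            ((Workspace) value).release();
        }
    }

    /** Session-scoped object holding a large, possibly sensitive buffer. */
    public static class Workspace implements HttpSessionBindingListener {
        private final AtomicBoolean released = new AtomicBoolean(false);
        private volatile byte[] buffer = new byte[1024 * 1024];

        /** Safe to call from several hooks: only the first call does the work. */
        public void release() {
            if (released.compareAndSet(false, true)) {
                Arrays.fill(buffer, (byte) 0); // wipe contents before dropping the reference
                buffer = null;
            }
        }

        @Override
        public void valueBound(HttpSessionBindingEvent event) { }

        @Override
        public void valueUnbound(HttpSessionBindingEvent event) {
            // Fires on removeAttribute(), on replacement via setAttribute(), and on invalidation/expiry.
            release();
        }
    }
}
```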