1

I'm having a problem in identifying a session timeout page and a page navigated directly...

The user will first fill in a form and submit it; based on the search he will land on an information page. If for some reason he tries to type the URL of the information page instead of coming through the search page, how can I restrict him? I tried using an indicator variable in the session, but that is getting in conflict with the session timeout.... How do I differentiate whether it is a session timeout or direct navigation? Could someone please shed some light on this and point me in the right direction?

kumar

2 Answers

1

From my understanding, your question is: the user should not be able to access a certain page, say page1.xhtml, directly. He should first fill in a form on page2.xhtml and then be directed to this page by the server itself.

Solution:

  1. You could put page1.xhtml inside the WEB-INF directory of your webapp, which will restrict direct access to your webpage.

  2. You could use the securityConstraint tag of the web.xml and make use of container security to restrict direct access.

NiranjanBhat
  • Thank you for the reply... my problem was solved by setting my session filter correctly... I didn't yet get a chance to look at container security... I'll look into that... – kumar Jan 20 '12 at 01:07
0

You could test for a server side session timeout as follows:

if (request.getRequestedSessionId() != null && !request.isRequestedSessionIdValid()) {
    // The session has been timed out (or a hacker supplied a fake cookie).
}

The request is here the HttpServletRequest which you can obtain in the JSF context from the ExternalContext#getRequest() or, actually better, inside a Filter by just downcasting the ServletRequest argument.

As a completely different alternative, you could also introduce a timed ajax poll as a "heartbeat" so that the session never expires as long as the user has the page open in the browser.

BalusC
  • Thank you for the suggestion... I was doing that in a filter; in the else case of the above suggested step I was checking for the session from the request, and if it is null I'm trying to redirect to the homepage, but I'm getting a "response has already been committed" error... – kumar Jan 19 '12 at 18:48
  • Then you're doing it at the wrong moment in the filter or not understanding how Java code works in general and expecting that calling a method with a certain name would magically skip the remnant of the code. See also http://stackoverflow.com/questions/2123514/java-lang-illegalstateexception-cannot-forward-after-response-has-been-committe/2125045#2125045 – BalusC Jan 19 '12 at 18:55
  • Thanks again BalusC, you have pointed me in the right direction... I was missing a case and a return... – kumar Jan 20 '12 at 01:05
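The following filter is an added example, not code posted by anyone in this thread. It combines the timeout check from the answer above with the session indicator from the question and returns after each redirect, which is what avoids the "response has already been committed" error. The attribute name `searchCompleted` and the paths `/timeout.xhtml` and `/search.xhtml` are assumptions, and the filter is assumed to be mapped only to the information page so the redirect targets are not filtered themselves.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example: map this filter to the information page only (e.g. /information.xhtml).
public class InformationPageFilter implements Filter {

    // Hypothetical flag, assumed to be set in the session by the search form's action.
    static final String SEARCH_DONE = "searchCompleted";

    @Override
    public void init(FilterConfig config) {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String ctx = request.getContextPath();

        // Case 1: the browser sent a session ID the server no longer accepts.
        // That is a timeout, or an ID the server never issued; the two look the same here.
        if (request.getRequestedSessionId() != null && !request.isRequestedSessionIdValid()) {
            response.sendRedirect(ctx + "/timeout.xhtml"); // assumed path
            return; // sendRedirect does not end the method; without this the chain still runs
        }

        // Case 2: no session at all, or a live session that never went through the search.
        // getSession(false) avoids creating a new session just to inspect it.
        HttpSession session = request.getSession(false);
        if (session == null || session.getAttribute(SEARCH_DONE) == null) {
            response.sendRedirect(ctx + "/search.xhtml"); // assumed path
            return;
        }

        // Case 3: valid session and the search was completed; serve the page.
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {}
}
```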