View Full Version : SessionExpiry on non-ajax requests

12 May 2013, 5:44 AM
Hello, please can you advise on the following:

I am attempting to handle session expiry by logging out user
when they resend a request after the session has already expired.

I can handle the case where ajax requests are sent following session
timeout and returning an error status which is caught by the event
handler Ext.Ajax.on('requestcomplete', function (conn, response, options)...
The event handler will then redirect user to login screen.

However I am not sure how to handle the below 2 cases (and also cases
which do not involve ajax):
i.e. if the user chooses to view the iframe with an embedded pdf
after the session has expired/timed-out, is it possible to invoke
a handler to log the user out?

case 1) the iframe src calls a servlet

Ext.define('App.view.Reports', {
items: [{
xtype: 'image',
width: 50,
height: 50,
tooltip: 'today',
listeners: {
render: function(c) {
c.getEl().on('click', function(e) {
var myWin = Ext.create("Ext.window.Window", {
title: 'HTML Window',
layout: 'fit',
modal: true,
html: '<iframe src="report/Report.action?user=me&days=1" width="100%" height="100%">',
width: 1000,
height: 500
}, c);

case 2) same as 1) except the iframe src invokes a static url.

html: '<iframe src="resources/pdfs/ALP1_A4.pdf" width="100%" height="100%" ></iframe>',

12 May 2013, 3:28 PM
I have an app which has a similar requirement (sans the iframe stuff). What I do is manage a timer on the client side that is updated everytime an Ajax request is made. If the app continues without an AJAX calls, the client-side timer will eventually reach 0, at which point I automatically fire the events that would be announced if an Ajax request were made, but the session had expired.

It's not 100% precise, since the client is only in sync with the server-side session in so far as the Ajax requests are being made, but it is close and may be an easy way for you to handle your requirement.

24 May 2013, 7:41 AM
Thank you for your reply.

My solution has been to send an extra Ajax 'checkAlive' request prior
to sending non-ajax requests. If an HttpSession has expired the session
is invalidated (set to null) and on each Ajax request, a response (403)
may be returned indicating session expired. This is caught using
not sure this is as appropriate as your solution.

Wiith your solution, is it possible that the client-side timer might conflict
with the session-timeout (in web.xml) that is set on the server - or do you
disable this? Are there any other advantages of your solution?

Thank you,

28 May 2013, 4:41 AM
I do the same as existdissolve and handle the session timeout client-side, via a custom ExtJs component. I set the session timeout value of the web container approximately two minutes lower than the timeout used on the client; this allows for any 'slop factor' on the container, where Tomcat in particular isn't extremely precise when it comes to session timeouts.