Jsp – Session timeout upon refresh at login page

I made a really simple login and session structure for reuse in my future JSP based applications. It's like this:

web.xml (the 1 minute timeout is to test my problem):

<session-config>
 <session-timeout>1</session-timeout>
</session-config>

<filter>
 <filter-name>Access</filter-name>
 <filter-class>com.app.Access</filter-class>
</filter>

<filter-mapping>
 <filter-name>Access</filter-name>
 <url-pattern>*</url-pattern>
</filter-mapping>

<servlet>
 <servlet-name>Login</servlet-name>
 <servlet-class>com.app.Login</servlet-class>
</servlet>

<servlet-mapping>
 <servlet-name>Login</servlet-name>
 <url-pattern>/login</url-pattern>
</servlet-mapping>

Access.java filter:

// Check if the page's the login or if the user logged, else asks login
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws ServletException, IOException {
    HttpServletRequest httpRequest = (HttpServletRequest) request;
    boolean logged = httpRequest.getSession(false) != null && httpRequest.getSession().getAttribute("user") != null;
    if (httpRequest.getServletPath().equals("/login") || logged)
        chain.doFilter(request, response);
    else
        ((HttpServletResponse) response).sendRedirect(httpRequest.getContextPath() + "/login");
}

Login.java servlet (authentication shortened for test):

protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
    if (request.getRequestedSessionId() != null && !request.isRequestedSessionIdValid())
        request.setAttribute("failure", "session timeout");
    request.getSession().setAttribute("user", null);
    request.getRequestDispatcher("login.jsp").forward(request, response);
}

protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
    request.getSession().setAttribute("user", new User());
    response.sendRedirect("");
}

And the login.jsp page, at the root of WebContent, has a <form action="login" method="post"> form with appropriated innerHTML for authentication and a ${failure} field to receive a session timeout or a login failed message.

This structure works perfectly for me. It intercepts, asks for login, checks both session and authentication, etc., but there's a small flaw: if you're at the login page and refresh it (either F5 or pressing Enter at the URL) after the timeout, the page receives and shows the "session timeout" message in ${failure}.

I found no real working way yet to make it know that the previous page was the login page. Tried about five different ways without success, including request.getHeader("Referer") and the lastWish tag library.

Best Answer

One way is to let your publicly accessible JSPs (such as the login page) to not create the session at all. Requesting a JSP page namely implicitly creates the session by default. This can be achieved by adding the following line to top of JSP:

<%@page session="false" %>

This way request.getRequestedSessionId() will return null and thus the timeout check will be bypassed. The session will this way then only be created when you actually login the user. I'd only remove the following line from the servlet since that makes no sense and would still create the session:

request.getSession().setAttribute("user", null);

Best Answer

Related Solutions

Java – Forward request from servlet to jsp

Related Topic