session timeout with multiple browsers sharing same session



  1. Any experience handling session timeout with multiple browsers sharing the same session? For example, consider a browser window that opens another browser window in a popup. In IE, these browsers will share the same cookies and thus the same session.

     I have a servlet filter that detects session expiration and will redirect the requesting browser to the login page.

     ```java
     protected boolean isExpiredSession(HttpServletRequest httpRequest) {
         // getSession() creates a session when none exists, so isNew() is true
         // when the requested session id no longer maps to a live session.
         return httpRequest.getSession().isNew()
                 && (httpRequest.getRequestedSessionId() != null);
     }
     ```

     This works well for one window. However, the catch is that the related window will now have a refreshed session. Submitting a form from the related window will pass through the filter and may fail upon encountering an expected but missing session variable. (I'm applying this as an afterthought to an application where it is safe to assume that the application isn't asserting non-null on values pulled from the session.)

     One idea is to add the following to all forms and then update the filter to not only check for expiration but also if the value for createdWithSession is the same as the current session.

     Thoughts on this or any other solutions?

     Thanks,
     Steve
  2. Your ideas sound good, but here is what I do. I have a JavaScript timeout 1 minute before session timeout and redirect the user to the login page. The problem with this is that the users will get to see the login page in the parent window before the actual session expires (as some activity is happening in the popup window).

     The other option I could suggest is to write a cookie containing the expiry time on each page access, so this JavaScript, 1 minute before timeout, can read the cookie from any window and could actually reset the timer to that time?

     Pranshu
  3. You should not use getSession() to check if the session is new, because this will add a new cookie to the response if the session is indeed new, and your related window will have a new session id.

     Instead, try a method like this:

     ```java
     protected boolean isExpiredSession(HttpServletRequest httpRequest) {
         if (httpRequest.getRequestedSessionId() != null) {
             // getSession(false) never creates a new session, so no new
             // session cookie is set on the response.
             HttpSession session = httpRequest.getSession(false);
             if (session == null || (session != null && session.isNew())) {
                 return true;
             }
         }
         return false;
     }
     ```
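
The hidden-field check proposed in the first post, combined with the `getSession(false)` test from the third, as an added example that is not code from the thread. It stores a random per-session marker instead of the session id itself, so the id never appears in page source; `StaleSessionFilter`, `issueMarker`, the `/login.jsp` path and the `javax.servlet` (Servlet 3.x/4.x) API are assumptions.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.*;
import javax.servlet.http.*;
/** Added example: rejects requests whose form was rendered under a session that has since expired. */
public class StaleSessionFilter implements Filter {
    static final String MARKER = "createdWithSession"; // form field name used in the thread
    static final String LOGIN = "/login.jsp";          // assumed login page path
    private static final SecureRandom RNG = new SecureRandom();

    public void init(FilterConfig cfg) {}
    public void destroy() {}
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        // Let the login page through so the redirect below cannot loop.
        if (LOGIN.equals(req.getServletPath())) { chain.doFilter(rq, rs); return; }
        HttpSession session = req.getSession(false);   // never creates a session
        boolean expired = req.getRequestedSessionId() != null && session == null;
        // A sibling window may already have obtained a fresh session; the marker
        // posted by this form then no longer matches the one stored in that session.
        String posted = req.getParameter(MARKER);
        boolean stale = posted != null
                && (session == null || !sameMarker(posted, (String) session.getAttribute(MARKER)));
        if (expired || stale) {
            res.sendRedirect(req.getContextPath() + LOGIN);
            return;
        }
        chain.doFilter(rq, rs);
    }

    /** Call once after login; pages emit the returned value in a hidden field named createdWithSession. */
    public static String issueMarker(HttpSession session) {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        String marker = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        session.setAttribute(MARKER, marker);
        return marker;
    }

    /** Constant-time comparison; a session without a marker never matches. */
    static boolean sameMarker(String posted, String stored) {
        return stored != null && MessageDigest.isEqual(
                posted.getBytes(StandardCharsets.UTF_8), stored.getBytes(StandardCharsets.UTF_8));
    }
}
```

Requests that carry no `createdWithSession` parameter are only subject to the expiry test, so the filter can be introduced before every form has been updated.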