session timeout


Web tier: servlets, JSP, Web frameworks: session timeout

  1. session timeout (10 messages)

    I am using struts and tomcat and wants the user to be redirected to login page after session timeout. For testing purpose, I set 1 minute session timeout in both tomact and application web.xml files. When specified time ( 1 minute) is passed, I check the session availabilty as below:

    if(request.getSession(false) == null)
     // redirect to login page

    This code doesn't seem to work and user is allowed to continue with his session after timeout period. However, If I set some attribute (say user)in session object during session creation and check for null value of the attribute after one minute, I get null and do the following:

    if((String)request.getSession(false).getAttribute("user")== null)
     // redirect to login page

    This code works fine. Now my question is whether session object exists after timeout and therfore I don't get null in first case. But when timeout is over, attributes set in session are removed automatically and I get null in second case. Seems that the session object relies on server for its GC.

    What happens when session.invalidate() is called: Both attributes and session object are destroyed immediately???

    Please comment.

    Threaded Messages (10)

  2. session timeout[ Go to top ]

    since you are using struts , struts creates a session object by default when u send a request so u will need to use an different object in the session scope
  3. In fact it is the servlet container that creates the session object. Thus there will always be a session object present. What you can do instead is this:

    1) When the session starts (the first page of your web-app), insert an object in the session. In web-apps that
    require login, the user name is normally used. If your app doesn't require login, use any other object.

        request.getSession().setAttribute("user", request.getParameter("user"));
        request.getSession().setAttribute("initialized", "true");

    2) when checking for session timeout, check if that object is available in the session. If the session has timed out since it was initialized, the session will contain no objects.

        if(request.getSession().getAttribute("user") == null){
           // the session is not initialized.
        if(request.getSession().getAttribute("initialized") == null){
          // the session is not initialized.

    That should take care of the problem :-)

    Kind Regards,
    Jakob Jenkov
  4. A little clarification[ Go to top ]

    I didn't read your message correctly before. Some answers:

    1) The servlet container makes sure there is always a session object present. If a session has timed out the servlet container creates a new session object and assigns the browser to it. So, you can never get null from the request.getSession() method.

    2) When a new session is created, it is of course empty. Therefore the
    request.getSession().getAttribute("user") call returns null after a session timeout. And no, you are not using the same session object after a timeout.

    Kind Regards,
    Jakob Jenkov
  5. A little clarification[ Go to top ]

    public HttpSession getSession(boolean create)Returns the current HttpSession associated with this request or, if there is no current session and create is true, returns a new session.

    If create is false and the request has no valid HttpSession, this method returns null.

    create - true to create a new session for this request if necessary; false to return null if there's no current session
    the HttpSession associated with this request or null if create is false and the request has no valid session

  6. about session validate[ Go to top ]

    session initialize by container, different container has their particular implementation. fortunately session.isNew() method tell us the statu of current session. may be  this way is much more better .

  7. session timeout[ Go to top ]

    public void invalidate()Invalidates this session then unbinds any objects bound to it.

    IllegalStateException - if this method is called on an already invalidated session

    It is clear only its unbinds the attributes..... if it had made the session object null....... it would have been a NullPointerException.....which is not the case....

  8. session timeout[ Go to top ]

    Basically ur understanding is right...... the session object depends on the server GC ....... when u invalidate the datastructure is cleaned up and further operations on it are not permitted........ u can't reuse it.....

  9. // These calls create a session if it does not exist.
    // In so doing a viable (possibly empty) session is always available...

    // These calls do not create a session if it does not exist.
    // STRUTS will create a session, so the first call will
    // result in a viable session (reference).

    // A NullPointerException will be raised (third line) after the session invalidated (on the second line)...

    It is a good practice to use the second overloading of getSession() in your code...


    ...because you will not mistakenly lose session attributes, and in any event detect and create a NEW session using ...

  10. loopback[ Go to top ]

    A reentrent bean is capable of participating in loopback call sequances. i.e Bean A Calls a method on Bean B which in turn calls another method on Bean A.

    In general, you don't need reenterant beans, and I beleive you can always design so that you don't end up needing them.

    It would interesting if someone could share an example where he had to !

    ladder racks for trucks cheap


  11. Session Invalidate[ Go to top ]

    Session Invalidate() method removes the attributes bind into the session object as well as the session objects also dies

    where as the request.getSession(false) will return the existing session only, if its not shows null means the session is already existing will be meant.