user action past <session-timeout> results in a 500
If I open a page on my JSF/Facelets site and take no action past <session-timeout> (30 min by default), any user action (ie. any POST) thereafter results in a 500. The logs say that JSF was unable to "Restore View" during phase 6. The only fix for user at that point is to enter site's address in the address bar. I'd like to achieve the following behavior:
1.if a user was NOT logged in before leaving the browser idle, then clicking on any h:commandLink should work exactly as if no inactivity took place
2.if a user was logged in before leaving the browser idle, then clicking on any h:commandLink should take the user to a "sorry, session expired, please login again" page.
Is the above possible?
I'm especially puzzled as to why case #1 is currently resulting in a 500. Since Tomcat deletes HttpSession at <session-timeout>, shouldn't the subsequent h:commandLink POST be treated as a "new session" request and requisite managed beans and view should be created from scratch?
Setup: Tomcat 5.5.17, JSF 1.2_01 FCS, Facelets 1.11
thanks in advance,
-nikita
You can implement a FILTER which will check for the session and if the session is new, then it will direct the user to an error page asking him to re-login
that may cover case 2, but not case 1. What if user is clicking on h:commandLink that doesn't need him to be logged in? seems to me there should be a way to take him there w/o redirects to other pages even if s/he been idle past session timeout. am i wrong?
As soon as the user logs in into the system, set something into the Session and keep checking for this parameter in the Filter.
Scenario 1:
1) If the user has never logged in, and let the browser idle, this parameter will never be in the session, so in your filter you can throw him back to the login page.
2) If the user has logged in before, then you wuld have set the session parameter. So for every request it will pass through the filter. When the session times out, then this parameter will be NULL and hence it can be caught in the filter and sent him to login page.
So you can cover both the scenarios using a FILTER class.
Perhaps I explained my case 1 poorly - it is a case when user's browsing that part of the site that does NOT require login:
-user opens site home page
-user idles past <session-timeout>
-user clicks on "Help" h:commandLink that does NOT require authentication
In the above scenario the desired behavior is to take user directly to Help view - as if s/he hadn't idled. That is because no authentication is required to be authenticated to view "help" and user shouldn't care that our website application maintains some state that at some point expires. However, w/ JSF I get ViewExpiredException because I suppose JSF stores some session state in HttpSession and does not know how to handle "session's been deleted" condition.
Hi,
JSF stores the entire View in the session. But, upon session expiry, if the user clicks on any link, then it should/will not fail because, if the view does not exsit in session, then it will recreate the view.
I did the following experiment:
Created an App with two JSP's.
Set the session time out to 1 min
In the first JSP I had a command Link upon clicking it will go to second JSP.
First time the following are the sequence of phases it went through
ENTERING : RESTORE_VIEW 1
/Test.jsp
/Test.jsp
EXITING : RESTORE_VIEW 1
ENTERING : APPLY_REQUEST_VALUES 2
/Test.jsp
/Test.jsp
EXITING : APPLY_REQUEST_VALUES 2
ENTERING : PROCESS_VALIDATIONS 3
/Test.jsp
/Test.jsp
EXITING : PROCESS_VALIDATIONS 3
ENTERING : UPDATE_MODEL_VALUES 4
/Test.jsp
/Test.jsp
EXITING : UPDATE_MODEL_VALUES 4
ENTERING : INVOKE_APPLICATION 5
/Test.jsp
/Test.jsp
EXITING : INVOKE_APPLICATION 5
ENTERING : RENDER_RESPONSE 6
/Test.jsp
/Test.jsp
EXITING : RENDER_RESPONSE 6
I waited for the session to expire and then click on the link again,
then it did the following:
ENTERING : RESTORE_VIEW 1
/Test.jsp
/Test.jsp
EXITING : RESTORE_VIEW 1
ENTERING : RENDER_RESPONSE 6
/Test.jsp
/Test.jsp
EXITING : RENDER_RESPONSE 6
that is because, since it did not find the view in the session, it recreated the view and stored it in the session. Before the session expired I clicked on the link again and it went toTest2.jsp.
I agree - that is exactly the behavior that I expected to see. However, in my app I get ViewExpiredException POST'*** anything after session-timeout.
I'm wondering whether the culprit has to do with my specific setup:
JSF RI 1.2_01 fcs
Facelets 1.11
using XHTML (not JSP)
I will create a similar simple test case w/ above setup and report back on what I see.
I believe the Dukes are yours, but of course I won't mind any future input ;-
thanks
-nikita
Hello,Post your test results as and when it is available. We will work and get this resolved.
