Menu
In my application, which runs with Spring Web MVC on Tomcat 7.0, I have certain controllers where, although requests to them will require authentication and a valid session, I don't want the session's expiration timestamp to be updated. In other words, I want the session to expire exactly when it would have had this particular HTTP request not happened.
These are AJAX methods if it matters, though I don't know if it does.
Can this be done through either generic Java EE or some special Tomcat hooks? Is there another way to achieve this? I know about http://download.oracle.com/javaee/6/api/javax/servlet/http/HttpSession.html#setMaxInactiveInterval%28int%29 but that seems like almost the opposite of what I want.
351
No. Before Spring and your application have a chance to handle the HTTP request coming from the browser of the current user, the current user's session has been renewed by tomcat according to Servlet specification. So Spring and your application have no way to control renewing the current user's session.
The "7.6 Last Accessed Times" of servlet-3_1-final.pdf says "The the session is considered to be accessed when a request that is part of the session is first handled by the Servlet container."
If Tomcat is the Servlet container.
When Request.getSession() or getSession(boolean create) are called:
See
Line 2955 of Request.java
and
Line 269 of Session.java
It is said
“/**
* Update the accessed time information for this session. This method
* should be called by the context when a request comes in for a particular
* session, even if the application does not reference it.
*/“
The related implemented class Line 675 of StandardSession.java
Once Request.getSession() or getSession(boolean create) is called the existing session is renewed by update the thisAccessedTime
Shared a debug process to see where the existing session is renewed with
Operations:
See Line 511 of org.apache.catalina.authenticator.AuthenticatorBase refer https://i.sstatic.net/nMQPl.jpg it shows the logic as
timeNow - thisAccessedTimethisAccessedTime with access time.
This is the first place and the only place where the session is renewedAfter that the following call on this method will not call access(), this can be seen when
continue the HTTP request handling progress, in Line 541 of org.apache.catalina.authenticator.AuthenticatorBase filter chain processing Line 110 of org.springframework.security.web.context.HttpSessionSecurityContextRepository.java and Line 130 of org.springframework.security.web.session.ConcurrentSessionFilter.java see https://i.sstatic.net/SsY7j.jpg
Only Tomcat who can control the updating thisAccessedTime to renew the existing session valid time.
Actually the objective is to achieve an effect looks like some special HTTP requests (some special APIs, URLs) can not renew the on line user' session, As a result, if only these APIs call are left, there is no more other normal APIs call appear over a period of valid session interval, then invalidate the session.
Need trade-off according to your scenarios before select one of the following options
A> Find a cutpoint, options can be
javax.servlet.Fitler at the
end of the filter chain of Servlet contextorg.springframework.web.filter.GenericFilterBean at the end of the
filter chain of Sprint internal Filter chain.org.springframework.web.servlet.HandlerInterceptorThen
thisAccessedTimethisAccessedTime. if it is expired then invalidate the sessionB> A customized Filter implementation of javax.servlet.Fitler at the end of the filter chain of Servlet context
Wraper the Request.getSession() and getSession(boolean create) with a completely customized session life circle and session event implementation.
C> Websocket and Long Polling for real-time communication
70
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
