开发者

Programmatically change session timeout

开发者 https://www.devze.com 2023-03-09 04:04 出处:网络
I can logout user after defined time of inactivity. <session-timeout>240</session-timeout>

I can logout user after defined time of inactivity.

<session-timeout>240</session-timeout> 

But, is there some way to logout in specified time, or better, fo开发者_如何学运维r example until 5 minutes of inactivity after specified time.?


You can change the session timeout by HttpSession#setMaxInactiveInterval() wherein you can specify the desired timeout in seconds.

When you want to cover a broad range of requests for this, e.g. all pages in folder /admin or something, then the best place to do this is to create a Filter which is mapped on the FacesServlet which does roughly the following job:

@Override
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws ServletException, IOException {
    HttpServletRequest request = (HttpServletRequest) req;
    HttpSession session = request.getSession();

    if (request.getRequestURI().startsWith("/admin/")) {
        session.setMaxInactiveInterval(60 * 5); // 5 minutes.
    } else {
        session.setMaxInactiveInterval(60 * 240); // 240 minutes.
    }

    chain.doFilter(req, res);
}

In a JSF managed bean the session is available by ExternalContext#getSession():

HttpSession session = (HttpSession) FacesContext.getCurrentInstance().getExternalContext().getSession();
// ...

Or when you're already on JSF 2.1, then you can also use the new ExternalContext#setSessionMaxInactiveInterval() which delegates to exactly that method.


Automatically - no.

You'd have to:

  • store all sessions in a Set. Do this in a HttpSessionListener when they are created.
  • at the given time (using quartz for example) .invalidate() them


What Bozho has given you is correct, what you are seeing most likely is that when you press your logout button, the session is being destroyed, but the servlet container is then being directed to a "post logout" page, which automatically causes a session to be created (Hence "Session Destroyed" followed by "Session Created").

Short of creating your own session handling system, I don't know how you would get around this. (I've had this issue in the past and it disappeared after we created our own session system)

0

精彩评论

暂无评论...
验证码 换一张
取 消