HTTP Session: how to configure URLs that do not change the session expiration?

这一生的挚爱 submitted on 2019-11-29 17:08:22

This is not supported by standard Servlet API.

Your best bet is to create a global servlet filter (with @WebFilter("/*")) which decreases the HttpSession#setMaxInactiveInterval() every time the particular URL hits the server, and puts it back to the default value for other URLs. It only requires a bit of basic math.

The relevant bits of the implementation can look like this:

private static final int DEFAULT_EXPIRE_TIME_IN_SECONDS = 1800;
private static final String SKIP_EXPIRE_TIME_ON_URI = "/somePollServlet";

@Override
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
    HttpServletRequest request = (HttpServletRequest) req;
    HttpSession session = request.getSession();

    if (request.getRequestURI().equals(request.getContextPath() + SKIP_EXPIRE_TIME_ON_URI)) {
        // Poll request: shrink the timeout by the time already spent idle.
        long lastAccessedTime = session.getLastAccessedTime();
        long currentTime = System.currentTimeMillis();
        int newExpireTime = DEFAULT_EXPIRE_TIME_IN_SECONDS - (int) ((currentTime - lastAccessedTime) / 1000);
        session.setMaxInactiveInterval(newExpireTime);
    }
    else {
        // Any other URL: restore the default timeout.
        session.setMaxInactiveInterval(DEFAULT_EXPIRE_TIME_IN_SECONDS);
    }

    chain.doFilter(req, res);
}
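
A variant of the filter above, added here as an example and not part of the original answer: it measures idle time from the last non-poll request, kept in a session attribute, because poll requests also advance getLastAccessedTime(), and it invalidates the session when no time is left, since the Servlet API treats a zero or negative interval as "never time out". The class name, the lastUserActivityMillis attribute, the 401 response and the javax.servlet namespace are assumptions.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.*;

@WebFilter("/*")
public class PollAwareSessionFilter implements Filter { // hypothetical name
    private static final int DEFAULT_EXPIRE_TIME_IN_SECONDS = 1800;
    private static final String SKIP_EXPIRE_TIME_ON_URI = "/somePollServlet";
    // Hypothetical attribute: time of the last request that was not a poll.
    private static final String LAST_USER_ACTIVITY = "lastUserActivityMillis";

    // Seconds left until the idle deadline, clamped to [0, default].
    static int remainingSeconds(long lastActivityMillis, long nowMillis) {
        long left = DEFAULT_EXPIRE_TIME_IN_SECONDS - (nowMillis - lastActivityMillis) / 1000;
        return (int) Math.max(0, Math.min(DEFAULT_EXPIRE_TIME_IN_SECONDS, left));
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        long now = System.currentTimeMillis();
        boolean isPoll = request.getRequestURI()
                .equals(request.getContextPath() + SKIP_EXPIRE_TIME_ON_URI);
        // A poll must not create a session; other requests behave as in the answer.
        HttpSession session = request.getSession(!isPoll);

        if (isPoll && session != null) {
            Long last = (Long) session.getAttribute(LAST_USER_ACTIVITY);
            int remaining = remainingSeconds(last != null ? last : session.getCreationTime(), now);
            if (remaining <= 0) {
                // Zero or less would mean "never time out": end the session instead.
                session.invalidate();
                ((HttpServletResponse) res).sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
            session.setMaxInactiveInterval(remaining);
        } else if (session != null) {
            // Real user activity: restart the idle window.
            session.setAttribute(LAST_USER_ACTIVITY, now);
            session.setMaxInactiveInterval(DEFAULT_EXPIRE_TIME_IN_SECONDS);
        }
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }
}
```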

There are many approaches to doing this. One of them is to use JavaScript, for example jQuery. The main idea is that, regardless of whether a script is polling the server, if there is no activity on the application by the user (for example key press, mouse movement, etc.) for a reasonable duration, it needs to be considered that the user is not present, and the JavaScript needs to call the logout URL for your application. Please refer to the provided URL that actually explains the concept very well.

shazin

In your case you need a session management scheme that will expire in N minutes' time regardless of whether the user stays active or not. That way you don't need to bypass any authentication or default cookies.

You can achieve it by using two methods proposed here.

  1. A Scheduled Job which invalidates the session after N minutes from login
  2. A Header and Filter based approach to decide the session expiration dynamically.