Session timeout upon refresh at login page


Problem description

I made a really simple login and session structure for reuse in my future JSP based applications. It's like this:

web.xml (the 1 minute timeout is to test my problem):

<session-config>
 <session-timeout>1</session-timeout>
</session-config>

<filter>
 <filter-name>Access</filter-name>
 <filter-class>com.app.Access</filter-class>
</filter>

<filter-mapping>
 <filter-name>Access</filter-name>
 <url-pattern>*</url-pattern>
</filter-mapping>

<servlet>
 <servlet-name>Login</servlet-name>
 <servlet-class>com.app.Login</servlet-class>
</servlet>

<servlet-mapping>
 <servlet-name>Login</servlet-name>
 <url-pattern>/login</url-pattern>
</servlet-mapping>

Access.java filter:

// Check if the page's the login or if the user logged, else asks login
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws ServletException, IOException {
    HttpServletRequest httpRequest = (HttpServletRequest) request;
    boolean logged = httpRequest.getSession(false) != null && httpRequest.getSession().getAttribute("user") != null;
    if (httpRequest.getServletPath().equals("/login") || logged)
        chain.doFilter(request, response);
    else
        ((HttpServletResponse) response).sendRedirect(httpRequest.getContextPath() + "/login");
}

Login.java servlet (authentication shortened for test):

protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
    if (request.getRequestedSessionId() != null && !request.isRequestedSessionIdValid())
        request.setAttribute("failure", "session timeout");
    request.getSession().setAttribute("user", null);
    request.getRequestDispatcher("login.jsp").forward(request, response);
}

protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
    request.getSession().setAttribute("user", new User());
    response.sendRedirect("");
}

And the login.jsp page, at the root of WebContent, has a <form action="login" method="post"> form with appropriate innerHTML for authentication and a ${failure} field to receive a session timeout or a login failed message.

This structure works perfectly for me. It intercepts, asks for login, checks both session and authentication, etc., but there's a small flaw: if you're at the login page and refresh it (either F5 or pressing Enter at the URL) after the timeout, the page receives and shows the "session timeout" message in ${failure}.

I found no real working way yet to make it know that the previous page was the login page. Tried about five different ways without success, including request.getHeader("Referer") and the lastWish tag library.

Recommended answer

One way is to let your publicly accessible JSPs (such as the login page) not create the session at all. Requesting a JSP page implicitly creates the session by default. This can be achieved by adding the following line to the top of the JSP:

<%@page session="false" %>

This way request.getRequestedSessionId() will return null and thus the timeout check will be bypassed. This way the session will only be created when you actually log in the user. I'd only remove the following line from the servlet since that makes no sense and would still create the session:

request.getSession().setAttribute("user", null);
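
The Login servlet with the answer's change applied, as an added example that is not part of the original question or answer. It assumes login.jsp declares `<%@page session="false" %>`, the javax.servlet API at 3.1 or later, and the question's own `User` class; rather than simply deleting the line, `doGet` keeps its effect through `getSession(false)`, and the `changeSessionId()` call at login is an addition of this example.

```java
package com.app;

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.*;

// Added example, not the poster's code. Assumes login.jsp starts with
// <%@page session="false" %> and that User is the question's own class.
public class Login extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // No session is created for anonymous visitors, so a first-time visitor
        // sends no session cookie and getRequestedSessionId() is null on refresh.
        if (request.getRequestedSessionId() != null && !request.isRequestedSessionIdValid())
            request.setAttribute("failure", "session timeout");
        // Clear a logged-in user without creating a session: getSession(false)
        // returns null instead of allocating one.
        HttpSession existing = request.getSession(false);
        if (existing != null)
            existing.removeAttribute("user");
        request.getRequestDispatcher("login.jsp").forward(request, response);
    }

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Credential check omitted here, as in the question ("shortened for test").
        // This is the only place a session is created: at login.
        HttpSession session = request.getSession();
        // Servlet 3.1+: issue a fresh session ID at login so an ID seen before
        // authentication is never the authenticated one.
        request.changeSessionId();
        session.setAttribute("user", new User());
        response.sendRedirect(request.getContextPath() + "/");
    }
}
```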
