会话已过期-如何在浏览器的原始选项卡中终止会话 [英] Session expired - How to terminate the session in the original tab of the browser

查看:273
本文介绍了会话已过期-如何在浏览器的原始选项卡中终止会话的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我有一个Web应用程序,其中我将最长不活动时间设置为10分钟.这只是出于测试目的.基本上,如果会话超时并且我单击链接,则以下窗口浏览器将检查会话是否有效.这也很好.如果发生这种情况,我会收到一条消息,提示会话已过期,请重新登录".但是原始窗口保持打开状态,如果我单击相同的链接,即使我没有再次登录,这次还是可以看到该页面.为什么会这样?

如果会话已过期,我正在使用session.invalidate(),以确保删除了所有属性,但这以某种方式不起作用.

我在页面开头使用以下代码部分:

if(request.isRequestedSessionIdValid() == false)
{
     response.sendRedirect("expired.jsp");
     session.invalidate();
     return;
}

这是第一次加载此页面时的工作,但是如果我再次单击链接以再次加载它,即使会话超时,也无法满足此条件.

请问您有什么建议吗?


更新:我的Web应用程序通过以下方式工作:

用户进入index.jsp页面并使用ID和密码来访问系统,然后有一个BRMspace.jsp页面,其中有一个文件夹结构供用户访问,具体取决于他们使用的文档.通过单击每个文件夹,将显示一个已填充数据库的表,供用户下载所需的文档.

我遇到的问题是,闲置10分钟后,如果用户单击初始屏幕上的一个文件夹,则不会显示数据库,而是收到一条消息,指出会话已过期,并且我已重定向到登录页面,非常理想.但是,如果再次单击同一文件夹,则这次将获得包含数据和所有文档的常用表.似乎单击一下后,静止时间不再有效....所以我不确定该怎么做...我正在使用session.invalidate()删除有关该会话的所有数据,但是obvioulsy无法正常工作. /p>

无论用户单击何处,我都需要在不活动时间之后再次将用户重定向到登录页面.

这是一个更新:

您好,我必须重新回答这个问题,这对于解决90%的原始问题非常有帮助,但是我的Web应用程序上还剩下一个...,当用户登录时,他们已经单击选项列表,每次单击会将它们带到一个新的选项卡,它们是不同的.jsp文件...如果会话已过期,则这些选项卡将显示expired.jsp文件,这很完美...但是,原始选项卡,即用户登录后显示的那一个保持活动,我的意思是,这并不表示该会话已过期...在这种情况下我该怎么办?...

解决方案

Web会话与任何登录或访问凭据无关.它只是意味着容器中保存有为您保存的数据,如果您传入正确的会话令牌(通过cookie或request参数),则可以检索该数据.如果您在站点上处于非活动状态一段时间(在您的情况下为10分钟),则该数据将被丢弃,并且如果您检查会话的有效性,您将发现数据仍然存在还是已被丢弃.如果会话已过期,容器将自动创建一个新会话供您处理将来的请求.而且,如果在超时到期之前向服务器发送了另一个请求,则该请求的会话将无效.

如果您试图阻止人们未登录时访问页面,则实际上需要在表示他们已通过身份验证的会话中添加一些值,然后检查该值.仅检查其请求的会话是否有效是不够的.

I have a web app in which I have set the maximum inactivity time to 10 min. This is just for testing purposes. Basically, if the session has timeout and I click on a link, the following window browser checks if the session is valid. This is also working fine. If this happens, I get a message saying "session has expired, please login again". But the orginal window stays open and if I click on the same link, then this time is letting me see the page, even though I have not logged in again. Why is this?

I am using the session.invalidate() if the session is expired, to make sure all attributes are removed, but this is not working somehow.

I using the following part of the code at the beginning of the page:

if(request.isRequestedSessionIdValid() == false)
{
     response.sendRedirect("expired.jsp");
     session.invalidate();
     return;
}

This is working the first time this page is loaded, but if I click on the link again to load it once more, this condition is not met, despite the session being timeout.

Could you please give any advice?


Update: My webapp works the following way:

User gets to the index.jsp page and uses an ID and password to access the system, then there is a BRMspace.jsp page where there is a folder structure for the user to access depending on the documents they are after. By clicking on each folder, a table with a database populated is displayed for the user to download the documents they want.

The issue I am having is that after 10 min of inactivity, if the user clicks on one folder on the initial screen, the database is not displayed, instead I get a message saying that session has expired and I am redirected to the login page, which is ideal. However, if I click on the same folder again, this time I get the usual table with the data and all documents. It seems that after one click, the inactivity time is not longer valid.... so I am not sure how to do... I am using session.invalidate() to delete all data about the session, but obvioulsy is not working.

I need the user to be redirected to login page again after the inactivity time no matter where the user clicks on.

This is an update:

Hi there, I have to re-take this question, which has been very helpful to resolve 90% of my original issue, but I still have one left.... on my web application, when user logins, they have a list of options to click on, each click takes them to a new tab which are different .jsp files... if session has expired, these tabs show the expired.jsp file, which is perfect... however, the original tab, the one that is shown after the user logins, stays live, I mean, it does not show that the session has expired... what can I do in this case?...

解决方案

A web session doesn't have anything to do with any login or access credentials. It simply means that the container has data saved for you that can be retrieved if you pass in the correct session token (either by cookie or request parameter). If you have been inactive on the site for a period of time (in your case 10 minutes), that data is discarded and if you check for a sessions validity, you will discover whether the data is still around or has been discarded. If the session has expired, the container will automatically create a new session for you to handle future requests. And if another request is sent to the server before the timeout expires, that requested session will not be invalid.

If you are trying to prevent people from access a page when they have not logged in, you actually need to put some value into the session that says they have authenticated, and check that value. Just checking whether their requested session is valid is not sufficient.

这篇关于会话已过期-如何在浏览器的原始选项卡中终止会话的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!

查看全文
登录 关闭
扫码关注1秒登录
发送“验证码”获取 | 15天全站免登陆