How do I execute an authenticated AJAX request without resetting the tomcat's session timeout?

Problem description

I've got an existing Grails Web application that is in production and has a 30 minute session timeout. We are running Tomcat (tcServer).

When a user is authenticated and on certain pages I want to make some periodic polling ajax requests to the server that do not extend this 30 minute session timeout - so that our session timeout isn't thwarted.

The question is similar to this unanswered asp.net question, but none of the answers there will do and this is in the Java/Tomcat realm.

How do I execute an authenticated AJAX request without resetting the tomcat's session timeout?

Is there some sort of filter or url-matching mechanism that I can use to exclude requests from extending the session timeout?

Recommended answer

I'd go with a Grails filter that does something similar to what The-MeLLeR is proposing without the unnecessary loop through all sessions:

class AjaxTimeoutFilters {

   int sessionTimeout = 30 * 60 * 1000
   private static final String TIMEOUT_KEY = 'TIMEOUT_KEY'

   def filters = {
      all(controller:'*', action:'*') {
         before = {
            if (request.xhr) {
               Long lastAccess = session[TIMEOUT_KEY]
               if (lastAccess == null) {
                  // TODO
                  return false
               }
               if (System.currentTimeMillis() - lastAccess > sessionTimeout) {
                  session.invalidate()
                  // TODO - render response to trigger client redirect
                  return false
               }
            }
            else {
               session[TIMEOUT_KEY] = System.currentTimeMillis()
            }

            true
         }
      }
   }
}

The session timeout should be dependency-injected or otherwise kept in sync with the value in web.xml.

There are two remaining issues. One is the case where there's an Ajax request but no previous non-Ajax request (lastAccess == null). The other is how to redirect the browser to a login page or wherever you need to go when there's an Ajax request after 30 minutes of no non-Ajax activity. You'd have to render JSON or some other response that the client would check to know that it's been timed out and do a client-side redirect.
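
The client half of the second remaining issue, as an added example that is not part of the original answer: a polling handler that recognizes a timed-out reply and performs the client-side redirect. The 401 status, the `timedOut` and `loginUrl` JSON fields, and the `/login` path are assumptions about what the filter's TODO would render.

```javascript
// Added example. Assumed contract (not from the original answer): when the
// filter invalidates the session it renders HTTP 401 with a JSON body
// {"timedOut": true, "loginUrl": "/login"}.
const DEFAULT_LOGIN = '/login'; // assumed path

// Accept only same-origin paths so a tampered reply cannot send the user elsewhere.
function safeLoginUrl(candidate) {
  if (typeof candidate !== 'string') return DEFAULT_LOGIN;
  // Must start with a single "/" (rejects "//host", "/\host" and absolute URLs).
  return /^\/(?![\/\\])/.test(candidate) ? candidate : DEFAULT_LOGIN;
}

// Decide what the poller should do with one reply.
function classifyPollReply(status, bodyText) {
  let body = null;
  try { body = JSON.parse(bodyText); } catch (e) { /* non-JSON, e.g. an HTML page */ }
  if (status === 401 && body && body.timedOut === true) {
    return { action: 'redirect', url: safeLoginUrl(body.loginUrl) };
  }
  if (status >= 200 && status < 300 && body !== null) {
    return { action: 'continue', data: body };
  }
  // Anything else (5xx, HTML instead of JSON): stay on the page, skip this tick.
  return { action: 'retry' };
}

// Polling loop; fetchFn and navigate are injected so it also runs outside a browser.
function startPolling(url, intervalMs, onData, fetchFn, navigate) {
  const timer = setInterval(async () => {
    try {
      const res = await fetchFn(url, {
        credentials: 'same-origin',
        // fetch does not add this header itself; request.xhr depends on it.
        headers: { 'X-Requested-With': 'XMLHttpRequest' },
      });
      const verdict = classifyPollReply(res.status, await res.text());
      if (verdict.action === 'redirect') {
        clearInterval(timer); // stop polling a dead session
        navigate(verdict.url);
      } else if (verdict.action === 'continue') {
        onData(verdict.data);
      }
    } catch (e) { /* network error: try again on the next tick */ }
  }, intervalMs);
  return timer;
}
```

In a browser, pass `window.fetch.bind(window)` as `fetchFn` and `url => window.location.assign(url)` as `navigate`.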
