我如何执行身份验证的AJAX请求，无需重新设置Tomcat的会话超时？ [英] How do I execute an authenticated AJAX request without resetting the tomcat's session timeout?

问题描述

我有一个现有的Grails Web应用程序是在生产和有一个30分钟的会话超时。我们正在运行的Tomcat（的tcServer）。

I've got an existing Grails Web application that is in production and has a 30 minute session timeout. We are running Tomcat (tcServer).

当用户通过身份验证，并在某些网页上我想提出一些定期轮询AJAX请求到服务器不延长这个30分钟的会议超时 - 让我们的会话超时未受阻

When a user is authenticated and on certain pages I want to make some periodic polling ajax requests to the server that do not extend this 30 minute session timeout - so that our session timeout isn't thwarted.

现在的问题是类似<一个href="http://stackoverflow.com/questions/3259041/how-do-i-use-ajax-to-get-info-from-server-without-resetting-the-session-timeout">this未asp.net问题，但没有一个答案会做，这在Java / Tomcat的境界。

The question is similar to this unanswered asp.net question, but none of the answers there will do and this in the Java/Tomcat realm.

我如何执行身份验证的AJAX请求，无需重新设置Tomcat的会话超时？

How do I execute an authenticated AJAX request without resetting the tomcat's session timeout?

有某种过滤或URL匹配机制，我可以用它来从延长会话超时排除请求？

Is there some sort of filter or url-matching mechanism that I can use to exclude requests from extending the session timeout?

推荐答案

我会用Grails的过滤器，做类似什么的，梅勒是通过所有会议提议没有不必要的循环的东西去

I'd go with a Grails filter that does something similar to what The-MeLLeR is proposing without the unnecessary loop through all sessions:

class AjaxTimeoutFilters {

   int sessionTimeout = 30 * 60 * 1000
   private static final String TIMEOUT_KEY = 'TIMEOUT_KEY'

   def filters = {
      all(controller:'*', action:'*') {
         before = {
            if (request.xhr) {
               Long lastAccess = session[TIMEOUT_KEY]
               if (lastAccess == null) {
                  // TODO
                  return false
               }
               if (System.currentTimeMillis() - lastAccess > sessionTimeout) {
                  session.invalidate()
                  // TODO - render response to trigger client redirect
                  return false
               }
            }
            else {
               session[TIMEOUT_KEY] = System.currentTimeMillis()
            }

            true
         }
      }
   }
}

会话超时应依赖注入或以其他方式保持同步，在web.xml中的价值。

The session timeout should be dependency-injected or otherwise kept in sync with the value in web.xml.

有两个剩余问题。一个这样的情形，有一个Ajax请求，但没有previous非Ajax请求（lastAccess == NULL）。另一种是如何将浏览器重定向到一个登录页面或者你需要的地方去的时候有没有非Ajax活动30分钟后，一个Ajax请求。你不得不渲染JSON或一些其他反应，客户端将检查要知道，它已经超时，做一个客户端的重定向。

There are two remaining issues. One is the case where there's an Ajax request but no previous non-Ajax request (lastAccess == null). The other is how to redirect the browser to a login page or wherever you need to go when there's an Ajax request after 30 minutes of no non-Ajax activity. You'd have to render JSON or some other response that the client would check to know that it's been timed out and do a client-side redirect.

这篇关于我如何执行身份验证的AJAX请求，无需重新设置Tomcat的会话超时？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！