I have a method in my BaseAction called "boolean checkAuth(request)". then
in every Action I write I code this at the top
// Check if session is active, if not redirect to login page
if( !checkAuth( request )){
log.info("*** Session has timed out ***");
errors.add( ActionErrors.GLOBAL_ERROR, new ActionError("
error.expired.session") );
saveErrors(request, errors);
return (mapping.findForward(ApplicationConstants.APP_FORWARD_INVALID_SESSION));
}
seems to work fine.
On 5/12/05, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>
> Although this approach might work, I don't like it so much. The reasons:
>
> 1) Maintainability: if you want to change the timeout to 30 minutes (and
> you have 50 jsp pages), then you have to make the change 50 times.
>
> 2) Business Logic: This approach will never prevent you Action from
> executing. Since you have to go through an action to reach the jsp page,
> when the *page* reloads, you are actually reloading the action first.
> Having said that, if your action does something that should only be
> executed if your session has not expired, your approach will not work.
>
> A combination of using a filter & session-config (in web.xml) solves both
> problems above. How?
>
> 1) You only have to change the session timeout setting in one place.
>
> 2) Your filter is executed before anything else. Hence, you never have to
> worry about an action being executed unintentionally.
>
> Aladin
>
>
> > That's easy, just drop this in all of your JSPs (preferrably via an
> > include
> > or let a filter do it for you).
> >
> > (assuming your session timeout is 20 minutes)
> >
> > <meta http-equiv="refresh" content="1200;/">
> >
> > You should be handling invalid/expired session state in your application
> > and
> > by using the above technique, it will work universally, whether you are
> > managing sessions from your actions, CMS, or some other service outside
> of
> > the conatiner, such as a product like SiteMinder by Netegrity.
> >
> > This will _force_ the browser to do a refresh of the page after 1200
> > seconds
> > (20 minutes), which will allow your app to handle the request (from a
> now
> > expired session) the same as it would if the user had initiated the
> > request
> > giving a hint of being on a rich client where such events are easily
> > handled.
> >
> >
> >
> >
> > --
> > James Mitchell
> > Software Engineer / Open Source Evangelist
> > Consulting / Mentoring / Freelance
> > EdgeTech, Inc.
> > http://www.edgetechservices.net/
> > 678.910.8017
> > AIM: jmitchtx
> > Yahoo: jmitchtx
> > MSN: [EMAIL PROTECTED]
> >
> >
> >
> >
> > ----- Original Message -----
> > From: "Adam Lipscombe" <[EMAIL PROTECTED]>
> > To: "'Struts Users Mailing List'" <user@struts.apache.org>
> > Sent: Thursday, May 12, 2005 6:19 AM
> > Subject: Best practice for redirecting on session timeout?
> >
> >
> >> Folks,
> >>
> >>
> >> I there a standard way of handling session timeouts. If a user has been
> >> inactive for longer than N minutes I want to redirect them to the login
> >> page.
> >>
> >> It occurs to me that this could be done in a) the RequestProcessor or
> b)
> >> in
> >> an JSP include.
> >>
> >>
> >> Is there another way?
> >> What is best practice?
> >>
> >>
> >> TIA - Adam
> >>
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: [EMAIL PROTECTED]
> >> For additional commands, e-mail: [EMAIL PROTECTED]
> >>
> >>
> >
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
> >
> >
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
>
--
-Dave
[EMAIL PROTECTED]
