[
http://jira.jboss.com/jira/browse/JBSEAM-2257?page=comments#action_12394329 ]
Florian Fray commented on JBSEAM-2257:
--------------------------------------
Okay, I've understood you want to check whether the session-id sent is still valid or
not.
We've used this information (session created / session destroyed) differently, as we
wanted to keep track of the currently logged in users.
Basically we've used the events org.jboss.seam.postAuthenticate and
org.jboss.seam.loggedOut, but we also needed an event raised when the session expired,
i.e. due to inactivity.
The code described just shows you that an invalid session-id has been used, but you
won't really get the event at the time it expired, but with the next request (which
could be days after the session expired).
The nasty drawback is that if the user does not send a request to the application again,
you won't be able to recognize the session has expired.
IMHO this makes a huge difference. For our usecase it is crucial to get an event as soon
as the session expired, not after the next request.
What about a third event, so we'd have:
"org.jboss.seam.expiredSession" (or sessionExpired)
"org.jboss.seam.newSession"
"org.jboss.seam.destroyedSession"
Raise a session expired and new session event on occurence
----------------------------------------------------------
Key: JBSEAM-2257
URL:
http://jira.jboss.com/jira/browse/JBSEAM-2257
Project: JBoss Seam
Issue Type: Feature Request
Components: Security
Affects Versions: 2.0.0.GA
Reporter: Jacob Orshalick
Assigned To: Shane Bryzak
Priority: Minor
Fix For: 2.0.x
You have to make some assumptions here, but you can basically notify the user when the
server session has ended with the following in a PhaseListener:
Code:
@Observer("org.jboss.seam.beforePhase")
public void beforePhase(PhaseEvent event)
{
if(event.getPhaseId() == PhaseId.RESTORE_VIEW)
{
HttpServletRequest request =
(HttpServletRequest) FacesContext.getCurrentInstance()
.getExternalContext().getRequest();
if(request.getRequestedSessionId() != null
&& request.getSession().isNew())
Events.instance().raiseEvent("org.jboss.seam.sessionExpired");
...
Based on general cookie settings this will raise the event when the user still has the
browser window open, the http session expired, and the user tries to access the app. If
the user closes and reopens the browser to start the application, the event will not be
raised. This of course makes the assumption that cookies expire when the browser session
is ended (which is generally the case).
The org.jboss.seam.newSession event would simply change the condition to:
if(request.getRequestedSessionId() == null
&& request.getSession().isNew())
Events.instance().raiseEvent("org.jboss.seam.newSession");
This is generally useful for user notification on the login screen. Please see the forum
reference for more information. Thanks.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
http://www.atlassian.com/software/jira