How to infinite session?


I am not sure this is a trivial question, but since I could not find it properly in the Book of Vaadin, then probably I would like to ask that one.

In the Liferay, when user has infinite automatic login, every time he/she refreshes the screen being in private area, things stays as always, i.e. no sudden login screen etc. But unfortunately, if there is a Vaadin app that holds a session and user is trying
to continue
use it after some pause, then they see
that says “Communication Error”. As a result, it renders to be converted from English to a random swearwords, that are later broadcasted in a loud audiostream to a girl’s ear over a phone line, sitting in a call center. :slight_smile:

But in the reality, all what users have to do is just to refresh the page and things are fubar. But users don’t want to refresh just like this, since Vaadin is so sweet and can
remember the state
. Users thinks that Vaadin magically can remember the form data until forever, every time they open the web browser.

So my question is: While it is not needed to remember the state forever, still maybe it is there any way to make that “Communication Error” to be turned to “Communication Success”, once user is back from his/her lunch and continue to use the same app where they stopped at? :glare: Even so the data is flushed to the default (reset or empty) — this is fine. But please how to remove nag-screen after 1 hour of pause? This problem does not exists with SmartGWT library for all the users, so I would like to have the same behavior in Vaadin too.

Any ideas?

An by the way, increasing timeout to 1 year probably might help for a while, but it is still a possibility to get nagscreen in your face again. :slight_smile: So actually my point is that it would be dramatically great if Vaadin could just renew its session silently behind the scenes, instead just crash…


One solution:

(you are correct - defaults are not good - in Vaadin 7 I would prefer to default to sessions that are never invalidated while the user still has Vaadin application open in their web browser window)

Thank you very much. But one little (and very silly) question then: why not include this sessionguard thing in the right next Vaadin release instead?.. Add-on is for
things, but this one is definitely
must have

I bet something like this is definitely coming to Vaadin 7, since one of the core dev team member is already experimenting with possibilities, see the
SmartSessions add-on

100% agreed. Session handling and those red error messages will be revised in Vaadin 7. The current defaults are not good.

If there is a good way to detect user-initiated versus keep-alive traffic, it would be nice to allow a session to end after a configured amount of time since the last user-initiated traffic so that the application can shut itself down for that user. For those apps that have logins with sensitive info (including PCI compliance, HIPAA, financial, most business data apps, etc.), it is important that a user login session (and vaadin application) end and the screen be cleared if the user stops working without having logged off. At least as an option…

So how does this differ from not having keep-alive traffic but only increasing session timeout?

Session cleaning would be faster if keep-alive messages stop coming for a while, which might help if there are many big sessions, but otherwise keep-alive should not be necessary in these cases.

For me, it’s less about keeping the session alive than wanting a refresher/push/websockets solution that allows a connection to stay active, updating the display based on changes on the data model, but not having all that communications affect the “session activity” state. So if the user is not doing anything, the session still ends despite the auto refresh updates, and ends securely so that the user’s screen is cleared (in our case, sent to a logoff page).

As it is now, the session ends, but the client doesn’t know until the next user action, which means any sensitive data is still visible.

I believe it is better when client says “I am alive!” instead when server responds “No, you’de very dead, no matter what you say”.

directly without using any plug-in may change the session time
or am I forced to use the guard to change the session time and session


This is exactly what I tried to accomplish with SmartSessions add-on. For push support I need to make it work with DontPush or implement a built in polling (which does not keep session alive). There is also need for at least three different modes for session timeout. For non critical (security wise) apps the current is probably ok. Banking solutions and similar need the screen either to be cleared or the browser to be forwarded to another page.

Can’t promise to work on this field, my sick leave has just ended :frowning:



I’m not sure if I quite understood your question, but I guess you want to know how to modify session timeout in Vaadin. It is like in other standard java web apps, try googling with terms: session timeout java web applications.



The issue is that Vaadin-based portlet is living its own life and kills itself much faster than entire session within a portlet container (Liferay in this case). And a portlet container has no timeout at all: session can stay forever (browser reopen restores it back), until you completely logout.

Basically what Vaadin app needs to do is just refresh itself in the background, instead of alerting with red nagscreen “Communication Error”.

Need a ticket? :slight_smile:

Doesn’t the Refresher add on do that?

You mean, by a hammering the server per each N period?