How to log out idle users and stop Heartbeats/Server Push in Vaadin?

I have two questions:

  • Why doesn’t Vaadin automatically log out inactive users?
  • How can I log out a user or stop the client from sending any requests (e.g. heartbeats or server push) after being idle for a certain period?

I have configured the following:

server.servlet.session.timeout=3h
vaadin.closeIdleSessions=true

To test this, I left a browser tab open for 3 days and put my computer to sleep. When I came back, I was still logged in, and the JSESSIONID was the same.
From my understanding, vaadin.closeIdleSessions=true closes idle Vaadin sessions and eventually, the HTTP session should be invalidated after 3 hours.

The reason I am asking is I noticed something concerning in our WAF logs.
An idle browser tab (or an inactive user) kept sending server push (long polling) requests. It sent about 25,000 requests within 20 minutes. I do not know what caused such a high request rate, but I would like to prevent situations like this by disconnecting or logging out idle users.

Is there a recommended way to automatically disconnect inactive sessions or stop heartbeats and server push after a period of inactivity?

Thanks in advance.

what version are you using and do you see this problem on public pages or behind auth? Normally it should work and the client stops sending requests once it gets proper deny responses.

1 Like

Hi @knoobie ,

I’m using Vaadin version 24.9.14.
I think the issue happens in both cases. The public pages and the pages after login never seem to expire. They keep sending heartbeat requests, and the server push socket connection remains open.

Kinda reminds me of this No documented way to have @Push sessions expire and free resources. · Issue #19649 · vaadin/flow · GitHub

Typically it should work but there might be edge cases that needs additional examples to verify and e.g. fix those.

If you have influence on your infra - you could be able to stop this, see for example here by using the correct response code flow/flow-client/src/main/java/com/vaadin/client/communication/DefaultConnectionStateHandler.java at bb7a53c74c50cc88271bfb16579f8fcfec30a777 · vaadin/flow · GitHub

1 Like

I’ll check these out. Thanks!

From my understanding, closeIdleSessions destroys the Vaadin session, but not the HTTP session.
If the SystemMessages aren’t customized (for example, sessionExpiredURL is left as null), the default behavior is to reload the page. The heartbeats and the reload keeps extending the HTTP session, so the user is effectively never logged out.

To fix that, it seems I need to explicitly invalidate the HTTP session (and probably redirect the user to the login page) when the Vaadin session times out.

Correct, the HttpSession is not eagerly invalidated, you need to do it yourself in session destroy listener, i.e. something like this:

The exact code depends on Vaadin version and wiring of that event is a bit different when using Spring Boot.

2 Likes

Hi @Tatu2,

Thank you for your very helpful answer. That’s exactly what I needed to know.

If you don’t mind, I have one more question. My login page is itself a Vaadin application, so it sends heartbeats (but doesn’t use server push).
Once the HTTP session times out, would you recommend redirecting the user to a static HTML page, or displaying a “session expired” message? Or should I just leave it as it is since heartbeats don’t consume many resources?

I’m curious what the recommended practice is in this situation.

Definitely a static page imho - no requests are always better :) especially when your user base grows

1 Like