To test this, I left a browser tab open for 3 days and put my computer to sleep. When I came back, I was still logged in, and the JSESSIONID was the same.
From my understanding, vaadin.closeIdleSessions=true closes idle Vaadin sessions and eventually, the HTTP session should be invalidated after 3 hours.
The reason I am asking is I noticed something concerning in our WAF logs.
An idle browser tab (or an inactive user) kept sending server push (long polling) requests. It sent about 25,000 requests within 20 minutes. I do not know what caused such a high request rate, but I would like to prevent situations like this by disconnecting or logging out idle users.
Is there a recommended way to automatically disconnect inactive sessions or stop heartbeats and server push after a period of inactivity?
what version are you using and do you see this problem on public pages or behind auth? Normally it should work and the client stops sending requests once it gets proper deny responses.
I’m using Vaadin version 24.9.14.
I think the issue happens in both cases. The public pages and the pages after login never seem to expire. They keep sending heartbeat requests, and the server push socket connection remains open.
From my understanding, closeIdleSessions destroys the Vaadin session, but not the HTTP session.
If the SystemMessages aren’t customized (for example, sessionExpiredURL is left as null), the default behavior is to reload the page. The heartbeats and the reload keeps extending the HTTP session, so the user is effectively never logged out.
To fix that, it seems I need to explicitly invalidate the HTTP session (and probably redirect the user to the login page) when the Vaadin session times out.
Thank you for your very helpful answer. That’s exactly what I needed to know.
If you don’t mind, I have one more question. My login page is itself a Vaadin application, so it sends heartbeats (but doesn’t use server push).
Once the HTTP session times out, would you recommend redirecting the user to a static HTML page, or displaying a “session expired” message? Or should I just leave it as it is since heartbeats don’t consume many resources?
I’m curious what the recommended practice is in this situation.