navigate automatically to logoutUrl on session timeout


i’m trying to figure out how to redirect the browser back to the login page on a session timeout. more generally, on a session timeout, communication error, internal error, or out of sync error, i’d like to navigate to spring’s /j_spring_security_logout handler, which will take the user back to the login screen.

i’m using vaadin 6.7.8 with jboss 7.0.2. i’m also using spring security.

in my application class, i have the following constants

private static final String LOGOUT_URL = "/j_spring_security_logout";
private static final String APP_CONTEXT_PATH = "/app";
private static final String FULL_LOGOUT_URL = APP_CONTEXT_PATH + LOGOUT_URL;

in my application’s init() method, i have

	String appContextPath = ((WebApplicationContext)getContext()).getHttpSession().getServletContext().getContextPath();
	setLogoutURL(appContextPath + LOGOUT_URL);	

in my application class, i’ve written the following getSystemMessages method

public static SystemMessages getSystemMessages() {
    CustomizedSystemMessages m = new CustomizedSystemMessages();
    m.setSessionExpiredURL(FULL_LOGOUT_URL );
    m.setCommunicationErrorURL(FULL_LOGOUT_URL );
    m.setInternalErrorURL(FULL_LOGOUT_URL );
    m.setOutOfSyncURL(FULL_LOGOUT_URL );
    return m;

and to help with debugging, i’ve overridden Application.close()

public void close() {

if i force a CommunicationError (e.g. i take down JBoss while a browser has loaded the app, then perform an action in the browser that requires server communication) i see the browser navigate as expected to the FULL_LOGOUT_URL .

i also have a ‘Sign Out’ button in my app, which when clicked calls getApplication().close(). as part of this processing, i see the client redirected to the logoutUrl (AbstractCommunicationManager.endApplication() makes this happen)…

on a session timeout, Application.close() is called, as i expect. but we never redirect the client to logoutUrl or FULL_LOGOUT_URL. AbstractCommunicationManager.endApplication() is not called. if the user attempts to use the application in a browser after the session has timed out (e.g. they click something that makes a backend call), we’ll get a CommunicationError, which will force the user back to the FULL_LOGOUT_URL . but i’d like the client to automatically be taken to FULL_LOGOUT_URL (or logoutUrl) on a session timeout, without manual interaction required.

is there a way to accomplish this?

ideally i’d like the client to ‘know’ it was a session timeout (and not any old CommunicationError) so that i can include a message like ‘Your session timed out’ on the login screen. but at least initially, if i can make the app navigate back to logoutUrl/FULL_LOGOUT_URL without the user having to click something, that’d be great.



Bump - Would also like an answer

Sessions and Session-timeouts are only happening on the server-side. But unfortunately the Server can’t start the communication, this must be done by the client. So therefore: There is no “clean” solution for this kind of stuff. A hack would involve communicating a session-timeout to the client, resetting this timeout every time some communication happened and after the timeout has been hit, you could redirect the client to your logout-url. Maybe there is even an addon for that.

Thanks for your reply.

Is there any way with Vaadin I could do something like the following:

  1. schedule a client side request to come in on a fixed interval, say once a minute, that:
    a) does not reset the session timeout BUT
    b) can be used to check if a particular session has timed out OR
    c) can be used to check if any session has timed out


If I could do that, I could redirect to the session timeout URL on the server side. i’d rather not maintain all the session timeout state (and knowledge of when we last talked to the server) on the client side if I can help it.



Sessions are managed by the Servlet-Container so I guess there is no way to formulate a request that does NOT reset the sessin-timer. I don’t see any way around maintaining session-information explicitly on the client. I know that is not a nice solution, but your requirements seem to be a little bit odd.

Funny timing – I recently posted a blog about maintaining session info in the server app (you’re correct of course that the container doesn’t distinguish between types of requests). I should post a separate thread in case it’s helpful to the general public, but
here is an example of manually tracking sessions when using the Refresher add-on

In the blog I make a distinction between the “real” app where the refresher runs, and a “login” kind of page that the container would timeout normally. It didn’t occur to me before this to use the refresher on a login page to avoid the session expired error messages. Seems so simple. :slight_smile: On a page like that, you could drop the refresh interval to every 25 minutes and forget about it. There’s still the burden on the server of keeping a session around, but you at least lose the security problem if you’re manually checking and invalidating the session while a user is logged in. (In other words, manually track sessions while the user is logged in, but use the refresher and don’t track on a login page.)


Liferay does a similar thing if you enable explicit session extension: the server communicates the session timeout value to the client, and the client shows a bar to the user some minutes before expiration with the option to extend the session by clicking a button. If the user does not react within a certain time, the session is explicitly closed by a special call from the client side code related to this. Automatic session extension in Liferay uses the same code but without a UI, implicitly clicking the “extend” button.

The latest versions of Vaadin also hook into this mechanism to automatically extend the session when the user interacts with the application in a way that communicates with the server.

EDIT clarified: Most public facing sites don’t seem to use explicit session extension with UI, though, as it is not as user friendly as some would like.


Sounds like the does not hold good for vaadin 7. Do you have any other option to track the time manually so i can show the user with a alert message well before session expiration also redirect the user to logon page on time?