Session management question


I have the following problem: The user enters the URL of a toolkit application. The application returns a login screen. The user leaves the login screen open so long that the session timeout is called and thus the toolkit Application is removed from the session. Now the user tries to log in, but gets a notification that the session has ended.

In my opinion, the user shouldn’t get this kind of notification, but should be able to log in like before. It is irrelevant for the user that the session that was used for storing the login UI stuff was killed due to a timeout.

Does anyone have good ideas on how to solve this? There must have been issues like this somewhere else…



Recovering from a session timeout without having to reload the client side may be difficult to do properly, because of the radical state change of the application. In a login screen it might be possible to some extent, but generally it may be impossible. As there is no real difference between a “login screen” and the other application, there may not be any good solution. Also, if the application has been updated, the client-side widgetset itself may have changed.

But, I think that you can make the login screen a regular HTML page, pass the username and password as POST parameters, and handle them with a parameter handler to log in. I’ll have to try if this works ok.

I have used “standard” application server managed security realms and an external HTML login page to protect the application URI. Session timeout redirects the user to this page and a successful login redirects to the actual application URI.

Works well, but if you have a custom user database (as I did) you will have to implement a login module for the application server.

BR, Sami
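
The container-managed setup described in the last reply, sketched as a deployment descriptor. This is an added example, not configuration from any of the posters; it assumes a Java servlet container, and the paths `/app/*`, `/login.html`, `/login-failed.html` and the role name `toolkit-user` are hypothetical.

```xml
<!-- WEB-INF/web.xml fragment: form login managed by the servlet container.
     Assumed (hypothetical) names: /app/*, /login.html, /login-failed.html,
     role "toolkit-user". -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">

  <!-- Timeout in minutes. After it expires, the next request to /app/* is
       intercepted by the container and answered with the login page. -->
  <session-config>
    <session-timeout>30</session-timeout>
  </session-config>

  <!-- Protect only the application URI. The login page lies outside this
       pattern, so it is static HTML and holds no toolkit application state. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Toolkit application</web-resource-name>
      <url-pattern>/app/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>toolkit-user</role-name>
    </auth-constraint>
    <!-- Credentials are sent by POST, so require TLS for the protected area. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.html</form-login-page>
      <form-error-page>/login-failed.html</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>toolkit-user</role-name>
  </security-role>

  <!-- login.html is plain HTML; the servlet specification fixes the action
       and field names:
       <form method="POST" action="j_security_check">
         <input type="text" name="j_username">
         <input type="password" name="j_password">
         <input type="submit" value="Log in">
       </form> -->
</web-app>
```

The realm or login module that checks `j_username` and `j_password` against the user database is configured in the application server itself, not in `web.xml`.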