To continue with the invisible widgets series, it’s time for the SessionGuard.

The idea of this component is to handle the Vaadin sessions. The main function of this component is to announce to the application user, that her session is about to end, to give her a chance to react before the session invalidates. This component also makes sure that, when the session has ended, the Vaadin message will be presented proactively, and not when the user tries to do something.

The SessionGuard may also be used to keep the session artificially alive. Since this implementation is on the client side, the session never dies while the browser is open, but may die once the browser session is ended by the user. This allows for short session times in your web.xml, if you want that kind of thing.

The sources, along with a Vaadin add-on jar, may be found at
An example
on its usage is also available. That example runs at
, which you are welcome to give a go.

As usual, licensed under Apache 2.0

Thanks for this Henrik - this solves a problem I’m bound to have in a couple of month’s time after I’ve got the rest of my UI sorted =)

Yet another great addon widget !
Thanks, Paul !

It’s great to hear, guys! please do tell me your experiences/problems if you start using this.

Although the current version is 0.0.3, I think I have to promote it to 1.0.0 stable pretty soon, since I don’t have many ideas of improvement. I might implement a maximum keepalive-time, but we’ll see about that.

One idea which comes to me - when a “session about expire” message appears, probably, its another variant would be useful - a notification or a dialog with some text and and 2 buttons - “close” and “continue”, so this will act like this:


“Your session is about expire, click “continue” to stay on site or “close” to exit”.


So, “continue” button will reset the inactivity times and close the notification and the “close” button will also terminate the application.

I actually thought about that a bit.

The reason I chose this method (and probably will stick with) is the probability of “being there to care”. Let’s assume that the session length is 60 minutes, and the warning period is 10 minutes; the probability of the person being away for 50 minutes, and coming back during the last 10 minutes’ time frame are somewhat slim, as the odds decrease as time passes. Even if the person gets back within that window, if he cares enough, he’ll probably just continue working and close the notification. Otherwise he’ll just ignore the window, and the session is allowed to time out. As you probably know, this is what the component does now.

I don’t believe someone would care enough to open the window, close the warning by choosing “continue”, just to let the session expire. If the the user needed some information right from behind the notification or something, the notification still can be closed. Okay, so the session timer gets reset, but that’s no biggie since it’ll run out again in an hour-or-so.

I’ve not used it yet, so perhaps it works this way already, but some sites will have short session timeouts, say 10-15 minutes, so that users are either active and working or they are terminated. This is often the case for systems containing sensitive info where 60 minutes is way to long to allow an app to be exposed while someone is away.

When the session is about to expire, if the user could continue/quit, it might be nice to have a “logout event” sent to the server so that it could do whatever processing normally occurs on logout, which often includes changing the page so that the data visible is cleared and a login page is displayed. Again, this helps keep the page secure when the session ends, since now the data stays on the screen and it’s only when someone tries to click does the session expired message appear and they are directed to the logout page.

When session ends (by a timeout or by explicit end by a app event - button “close” or signal from session guard) Vaadin application terminates and it’s close() method called, so any resources could be freed there. Also, when application closes, browser is forced to navigate to a “logout url”, so sensitive screen data will be removed in such case, I think

Good points. Created a ticket for including this functionality directly to Vaadin. Please comment at

I wonder. Could this component be modified to act as a sort of screen saver? I’d like to give my application a short timeout and hold the session open using SessionGuard. But it’d be neat if after, say, 10 mins of inactivity I could prompt the user for their password while holding the session open.

I guess this change is a little deeper, though. I’d need to deal with the case where the user just hits refresh and I don’t know how I’d do that just yet.

Fredrik has already done a screensaver add-on, which I imagine should work well with the SessionGuard (can’t see why not, but haven’t tested). I don’t think his screensaver has a password functionality just yet, but I guess it might make a nice feature for it!

Check out the forum thread at

Good idea. Added to

I used netbeans to run SessionGuard with this tree below.

but a had this error :

This application has a 3-minute session, with a timeout warning of 2 minutes session time left.
Widgetset does not contain implementation for com.github.wolfie.sessionguard.SessionGuard. Check its @ClientWidget mapping, widgetsets GWT module descrioption file and re-compile your widgetset. Unrendered UIDL:
com.github.wolfie.sessionguard.SessionGuard(NO CLIENT IMPLEMENTATION FOUND)

you have an idea about it and how do I fix it.
thank you

it seems you haven’t recompiled your widgetset. Since you are using NetBeans, I’m not much of help there since I work only in Eclipse, and the Vaadin plugin for Eclipse does all that for me. I’m not sure whether
the NetBeans plugin
does that. But, as far as I know,
the Vaadin release
has an Ant build script (should be at WebContent/docs/example-source/build-widgetset.xml) that can rebuild your widgetset.

Hopefully that will of some help

Can’t access to source plug-in:

You need to elaborate a bit more than that.

That’s a website to look at the source code. The JAR file is in the root of the project, which you can download by first clicking the file name, and then clicking the “view raw”-link. The Jar file can compiled into your widgetset the easiest if you use Eclipse and Vaadin’s
Eclipse plugin
by adding the JAR into your WebContent/WEB-INF/lib/ -directory.

The project itself is a Git project that you can clone from the address git://

Thanks a lot. I installed the GIT plug-in on eclipse. I have the source code now. I’ll try now to implement the SessionGuard in my project. By the way what are the future plans for SessionGuard plug-in ?

I think once I get around implementing a maximum keepalive period in a sensible way, I think I’ll call it 1.0.0, stable and done. There’s not much you can do with the session without going out of bounds of the component’s responsibilities. Besides, as mentioned earlier, these features are being planned to be an integral part of Vaadin. There’s not much use to plan a an extensive future, apart from the occasional bug fix, for this component.


I’m very interested in SessionGuard benefits. So I got the code from these locations.

I implemented SessionGuard as described in the example (within

SessionGuard sessionGuard = new SessionGuard();

But when I startet the application I got these error messages:

javax.servlet.ServletException: java.lang.UnsupportedClassVersionError: (com/github/wolfie/sessionguard/SessionGuard) bad major version at offset=6 (unable to load class com.github.wolfie.sessionguard.SessionGuard)


java.lang.UnsupportedClassVersionError: (com/github/wolfie/sessionguard/SessionGuard) bad major version at offset=6 (unable to load class com.github.wolfie.sessionguard.SessionGuard)

Any ideas what went wrong?

Thanks, Thorsten

Eclipse 3.5.1 • Vaadin 6.2.2 • Vaadin Eclipse Integration 1.2.0
Windows 2000 • IE7 • Tomcat 6.0

I’m not completely sure what that indicates. If you’re using the provided JAR, it sounds like my SessionGuard is compiled with an incompatible version of Java, a version that doesn’t work with what you’re using now. It
be compiled for Java 1.5, but, admittedly, I might’ve been sloppy and mistakenly compiled it with Java 6.

Make sure that you’re using at least Sun’s (the vendor
matter) JDK 1.5. If that doesn’t work, try changing to Java 6, and see if that works better.

But, if you have downloaded the whole source, and compiled the widgetset yourself. Well, then I’m out of ideas, I’m afraid.