Vaadin 7 session timeout
Hi,
I need to implement session timeout within my application but this is proving much harder than it should be in Vaadin 7 - I see many discussions on the topic but no clear solution.
My requirements:
Specify session timeout in web.xml and have HTTP sessions invalidated after this timeout period has passed with no user activity.
My setup:
Vaadin 7.6.0
Vaadin configured as follows:
- Push NOT enabled
- Session timeout set to 1 minute
- Heartbeat set to 5 seconds
- closeIdleSessions set to true
<session-config>
    <session-timeout>1</session-timeout>
</session-config>
<listener>
    <listener-class>com.gb.SessionListener</listener-class>
</listener>
<servlet>
    <servlet-name>Vaadin Application Servlet</servlet-name>
    <servlet-class>com.vaadin.server.VaadinServlet</servlet-class>
    <init-param>
        <description>Vaadin UI to display</description>
        <param-name>UI</param-name>
        <param-value>com.gb.TestUI</param-value>
    </init-param>
    <init-param>
        <description>Application widgetset</description>
        <param-name>widgetset</param-name>
        <param-value>com.gb.AppWidgetSet</param-value>
    </init-param>
    <init-param>
        <param-name>heartbeatInterval</param-name>
        <param-value>5</param-value>
    </init-param>
    <init-param>
        <param-name>closeIdleSessions</param-name>
        <param-value>true</param-value>
    </init-param>
</servlet>
What I observe with this setup:
After 1 minute of no user activity, the Vaadin Session Expired notification pops up. That is great, that is what I want. However, the HTTP session is not invalidated until another minute (session timeout) has passed AFTER that notification. So although the user is notified their session has expired, the HTTP session is not invalidated until another minute has passed. That is bad, as the session, including authentication information etc. remains active.
It's almost like the heartbeat requests are keeping the HTTP session alive. It's only after they stop coming (after the first minute when Vaadin says the session is expired) that the HTTP session appears to begin the timeout period. This is bad because although the user has received a session timeout message, there is still an active HTTP session. I thought the closeIdleSessions parameter should prevent heartbeat requests being counted towards the HTTP session being kept alive?
I know there are a few workarounds by setting system messages etc., but they all feel wrong.
Am I missing something here?
Thanks in advance.
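
One way to keep heartbeats from extending the HTTP session, as an added example that is not part of the original post or of Vaadin: a servlet filter that counts only non-heartbeat requests as activity and invalidates the HTTP session once that idle time reaches the web.xml timeout. The class name, the session attribute name and the assumption that heartbeat requests carry /HEARTBEAT/ in their path are this example's own.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Hypothetical filter: the container resets its idle timer on every request, so track user activity separately.
public class IdleSessionFilter implements Filter {
    // Session attribute holding the time of the last non-heartbeat request (name made up for this example).
    static final String LAST_ACTIVITY = IdleSessionFilter.class.getName() + ".lastActivity";

    // Assumption: heartbeat requests are the ones whose path contains this segment.
    static final String HEARTBEAT_SEGMENT = "/HEARTBEAT/";

    // True once the time since the last user request has reached the timeout; a timeout <= 0 means "never".
    static boolean isExpired(long lastActivityMillis, long nowMillis, int timeoutSeconds) {
        return timeoutSeconds > 0 && nowMillis - lastActivityMillis >= timeoutSeconds * 1000L;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpSession session = request.getSession(false); // never create a session here
        if (session != null) {
            long now = System.currentTimeMillis();
            boolean heartbeat = request.getRequestURI().contains(HEARTBEAT_SEGMENT);
            Long last = (Long) session.getAttribute(LAST_ACTIVITY);
            if (last != null && isExpired(last, now, session.getMaxInactiveInterval())) {
                // Idle too long: drop the session (and its authentication state) now, even on a heartbeat.
                session.invalidate();
            } else if (last == null || !heartbeat) {
                // First request of the session, or real user traffic: record it as activity.
                session.setAttribute(LAST_ACTIVITY, now);
            }
        }
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig config) {}

    @Override public void destroy() {}
}
```

The filter has to be mapped to the same URL pattern as the Vaadin servlet so that it sees the heartbeat requests. With the 5-second heartbeat from the post, the HTTP session would then end within one heartbeat interval of the timeout.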