Logout user on Session Timeout (appfoundation)

I’m using appfoundation for logging in users. I’ve created a static set to store users. When someone logs out, I remove the user. I don’t want a user to log in twice (from another PC or browser). Everything works fine, but when the session times out, there is no way I can remove the user from my static set. I’ve implemented Application’s close method, but if I try to log out the user, it’s a NullPointerException… I even tried implementing several of the SessionHandler methods, but it always gives me a NullPointerException… the user doesn’t exist anymore; my only problem is that it’s still in my static set, so I can’t log in again with that user unless I restart the server.

Is there any way to log out a user on session timeout? Or at least get the username of whoever got timed out? Or is there any other way to check if a user is already logged in?

Sorry if it’s been asked already, but google search couldn’t help, and I tried searching forums but I’ve got nothing, not even from “timeout” or “logout” which is strange, I’m pretty sure there should have been some hit for those words.

Anyone any suggestion? :( I’m still stuck on this. I just have to make sure that no one logs in with the same username at the same time. My idea works fine, except for the fact that if the session times out, then the user can never log in again unless I restart the server. When it gets to the close method in Application, all instances are already destroyed as far as I can tell, so if I reference anything, I get a NullPointerException.

Implement the HttpSessionListener interface and change your web.xml to register the listener:

<listener>
    <listener-class>mypackage.MySessionListener</listener-class>
</listener>

You should be able to get an event when the session times out. Now the tricky part is probably when you need to invalidate the user session. AppFoundation uses the ThreadLocal pattern, so you’ll need to know which application instance has timed out AND be able to get the correct instance of the SessionHandler class from the ThreadLocal. Right now I can’t come up with how you could do that; you’ll just have to try it out yourself :( Please report back with your findings.

There is a ticket on this:
http://dev.vaadin.com/ticket/4155

and this is exactly why we need this

Automatic logout to prevent a third party to use system when one leaves a browser window open

is there any workaround for this …

If someone is still looking for a solution to this issue, here is what I managed to do so far.
As Kim Leppänen said, you need to implement the HttpSessionListener interface and handle the session timeout in the sessionDestroyed method:


    public void sessionDestroyed(HttpSessionEvent httpSessionEvent) {
        // The attribute is set at login; it is null for sessions that never logged in.
        String user = (String) httpSessionEvent.getSession().getAttribute("dra-user");
        log.debug(String.format("Session destroyed for session: %s, user: %s", httpSessionEvent.getSession().getId(), user));
        if (user != null) {
            // Remove the user from the application's own registry of logged-in users.
            DRAConfigurationManagerFactory.getInstance().logout(user);
        }
    }

and you should put this attribute in the session somewhere in application initialization/start:


    ((WebApplicationContext) getContext()).getHttpSession().setAttribute("dra-user", userName);

Thus you will solve the session timeout on the server side. But do not forget that if you have a manual logout button, you should invalidate the HTTP session to force the servlet container to call the sessionDestroyed method. For that, just override the close method of your Application class:


    @Override
    public void close() {
        ((WebApplicationContext) getContext()).getHttpSession().invalidate();
        super.close();
    }

Hope this helps
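
The pieces of this thread combined into one class, as an added example that is not code from any poster or from appfoundation: a listener that also holds the logged-in-user registry, so a timeout and a manual logout both release the username. The class name `SingleLoginListener`, the methods `register` and `isLoggedIn`, and the attribute name `login-user` are hypothetical; it assumes the `javax.servlet` API and a `<listener>` entry in web.xml as described above.

```java
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/** Register in web.xml as a <listener>; also serves as the user registry. */
public class SingleLoginListener implements HttpSessionListener {

    // Hypothetical attribute name; the post above uses "dra-user".
    static final String USER_ATTR = "login-user";

    // username -> id of the HTTP session that currently owns the login
    private static final ConcurrentMap<String, String> ACTIVE =
            new ConcurrentHashMap<String, String>();

    /** Call after credentials are verified. Returns false if the user is logged in elsewhere. */
    public static boolean register(String username, HttpSession session) {
        // putIfAbsent is a single atomic step, so two simultaneous logins cannot both win.
        String owner = ACTIVE.putIfAbsent(username, session.getId());
        if (owner != null && !owner.equals(session.getId())) {
            return false;
        }
        session.setAttribute(USER_ATTR, username);
        return true;
    }

    public static boolean isLoggedIn(String username) {
        return ACTIVE.containsKey(username);
    }

    public void sessionCreated(HttpSessionEvent event) {
        // Nothing to do: the user is only known after login.
    }

    /** Runs on timeout and on explicit invalidate(), so both paths clean up. */
    public void sessionDestroyed(HttpSessionEvent event) {
        HttpSession session = event.getSession();
        String username = (String) session.getAttribute(USER_ATTR);
        if (username != null) {
            // Two-argument remove: drop the entry only if this session still owns it.
            ACTIVE.remove(username, session.getId());
        }
    }
}
```

Keying the registry by session id means a late `sessionDestroyed` for an old session cannot evict a login that a newer session has since taken over.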