Session timeout and vaadin requests

Hello vaadin experts.

I’m having some trouble implementing session’s timeouts in a vaadin application.
The goal is to have a vaadin session (i.e. our vaadin application) expire after a given time (for security purposes).

Currently using vaadin 7.3.8, the application is running in tomcat catalina 7.0.55.
If it matters, I’m using Chrome v.39 to test the application. Push mode and websockets.

I’m setting the session timeout in the following way:
In VaadinServlet, overwrote sessionInit() and programmatically set the wrapped session ‘timeout’ with setMaxInactiveInterval().

I am seeing the following issues:

  • even though I set the MaxInactiveInterval to 60 seconds, the session usually expires anywhere between 1 and 3 minutes (not very predictable). In this case, it is tomcat triggering the timeout.
  • if I navigate to a page with vaadin components, and then interact with the components, the user activity does not seem to have any effect on the session expiration. For instance, if the user opens a vaadin dialog, clicks on vaadin buttons… (client - server requests) the session can expire while the user is in the middle of doing things. It is as if the vaadin communications have no bearing on the session’s activity.
    I verified the latter by overriding setLastRequestTimestamp() in VaadinSession and I can see the timestamp being set a few milliseconds before the session expires.

Is that the expected behavior?
Could anyone recommend a more reliable way to manage session timeouts?

Thank you!

It sounds like you're setting the timeout in a much more complicated way than it is meant to be in Vaadin.
Have a look at
https://vaadin.com/book/-/page/application.lifecycle.html
especially Chapter 4.7.5 and the ones after it. In Vaadin you can set the Timeout in the web.xml/Servlet annotations without having to overwrite servlet functions. I can remember there being a problem a while ago with sessions not timing out because of push being enabled. Not sure if this is still the case though.
Using the Vaadin Heartbeat you can more accurately timeout sessions when the Browser window/tab is closed.
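
The two approaches discussed so far, side by side, as an added example that is not code from either poster: the programmatic setMaxInactiveInterval() call from the question and the servlet-level heartbeat settings from the reply above. The class names and the 60/30 second values are assumptions; heartbeatInterval and closeIdleSessions are Vaadin 7 servlet parameters.

```java
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;

import com.vaadin.annotations.VaadinServletConfiguration;
import com.vaadin.server.SessionInitEvent;
import com.vaadin.server.SessionInitListener;
import com.vaadin.server.VaadinRequest;
import com.vaadin.server.VaadinServlet;
import com.vaadin.ui.Label;
import com.vaadin.ui.UI;

// Hypothetical UI class used only to make the example complete.
public class TimeoutDemoUI extends UI {

    // Assumed idle limit, matching the 60 seconds used in the question.
    private static final int IDLE_TIMEOUT_SECONDS = 60;

    @WebServlet(urlPatterns = "/*", asyncSupported = true)
    @VaadinServletConfiguration(ui = TimeoutDemoUI.class, productionMode = false,
            // Heartbeat (seconds): lets the server notice closed windows/tabs.
            heartbeatInterval = 30,
            // With true, heartbeat requests do not count as user activity, so an
            // open but idle browser tab does not keep the session alive forever.
            closeIdleSessions = true)
    public static class Servlet extends VaadinServlet implements SessionInitListener {

        @Override
        protected void servletInitialized() throws ServletException {
            super.servletInitialized();
            // Register for session creation so the timeout can be set per session.
            getService().addSessionInitListener(this);
        }

        @Override
        public void sessionInit(SessionInitEvent event) {
            // VaadinSession.getSession() is the wrapped container (Tomcat) session;
            // the container, not Vaadin, enforces this interval.
            event.getSession().getSession()
                    .setMaxInactiveInterval(IDLE_TIMEOUT_SECONDS);
        }
    }

    @Override
    protected void init(VaadinRequest request) {
        setContent(new Label("Session timeout demo"));
    }
}
```

The web.xml equivalent of the programmatic call is the session-timeout element under session-config, which is expressed in minutes rather than seconds.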

I understand that timeouts and idle sessions can be configured more easily. In my case, I am trying to be more flexible and change the parameters on the fly.
Per the documentation, this seems like a valid option.
Also, the goal I am trying to achieve is to automatically expire sessions where the user is inactive. The heartbeat seems to be used in the case where vaadin does not get any event that the Browser window/tab is closed.

I tried my original scenario but this time I modified in web.xml instead of changing maxInactiveInterval in the code. I see the same problem: the session expires while I interact with vaadin components.

Should this be considered as a bug?

Jerome,

Did you ever get this sorted out?

John

Actually no, didn’t really spend too much time on this issue after this post.
We might take another look at it when we switch to vaadin 7.6 and go to the latest Tomcat.