Login page gets mixed into Communications Problem red box

For communications errors, session timeouts, etc., we have set up Vaadin (we are on 7.3.10) to redirect to a logoff page, which itself may redirect after 5 seconds to a login page (it only redirects automatically on a normal logoff, not an error logoff like these).

What we’ve noted is that if the session times out, but the session timeout red box has not occurred yet, if you click on a button or the like it generates a Communication problem red box – rather than the session timeout.

This wouldn’t be so bad, but it often will embed our non-Vaadin login (we have a non-Vaadin login.jsp page) into the error message. By having our login form, it’s more confusing because it appears they can log in right there.

The login page is a default page per the web.xml so users who just type in the site’s base URL will get the login page:



login.jsp

How is it that my non-Vaadin login.jsp page gets mixed into the Vaadin page?

Rats, forgot to attach a screenshot, here it is…
18217.png

Looks like it’s related to my code that redirects to the login page for requests that ‘start’ when the user is not logged in. I guess the redirect is fetched and somehow shown along with the communications exception. Now I only redirect for GET requests since Vaadin itself will show its session expired error if the heartbeat or whatever comes in after the session has expired.

It did help and works, but I'm not so happy with the solution to only redirect GET. What's with all the other types like POST, DELETE, UPDATE and so on?
I also opened the same question in the UI section:
https://vaadin.com/forum#!/thread/9349419/9354606

You can also embed the literal string
Vaadin-Refresh
somewhere in your login page (for instance, inside an HTML comment) to make Vaadin realize it should refresh the whole page. You can also say e.g.
Vaadin-Refresh: http://example.com/login
if you want to redirect to another URL.

I added a comment under that other posting. It all seems to work okay for us. We want the auto-redirect not for security reasons, but for user convenience. If they attempt to access the URL for the vaadin app (/ui in our case, while login is at /) via a bookmark, refresh or the like, that GET request will redirect them to the login page if they are not logged in.

If they trick the browser into sending another POST instead, Vaadin correctly displays the red alert box for lack of a session on the UIDL POSTs, and if they trick it with a brand new session request that comes in via a POST, we end up displaying an empty vaadin app page with a logoff button as we cannot build the vaadin app page without knowing who they are.

This is interesting. I’ll have to see what it means. What does Vaadin do when it sees that comment and why can’t that also just be done programmatically? In fact, we already set the URL for communications errors and session expired, along with the various other scenarios supported, by configuring system messages. What was surprising is that I could include a custom error in the red box by returning a URL redirect to a POST UIDL request (is this a feature or bug?).

For us, our login page is a JSP, not part of Vaadin (same as our logoff page), which we did because Vaadin requires a session, and we don’t want a session to be needed until a successful login and have it ended on a logoff.
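
The GET-only redirect discussed in this thread, sketched as a servlet filter. This is an added example, not code posted by anyone in the thread; the class name, the /ui/* mapping and the session attribute name are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Hypothetical filter, assumed to be mapped to /ui/* (the thread's Vaadin path). */
public class LoginRedirectFilter implements Filter {

    // Assumed name of the session attribute set by login.jsp after a successful login.
    static final String USER_ATTR = "authenticatedUser";

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;

        // getSession(false) never creates a session, so anonymous visitors stay session-less.
        HttpSession session = req.getSession(false);
        boolean loggedIn = session != null && session.getAttribute(USER_ATTR) != null;

        if (!loggedIn && "GET".equals(req.getMethod())) {
            // Page loads (bookmark, refresh, typed URL): send the browser to the login page at /.
            res.sendRedirect(req.getContextPath() + "/");
            return;
        }

        // Everything else, including Vaadin's UIDL and heartbeat POSTs, passes through so
        // Vaadin can show its own session-expired message. Redirecting those requests makes
        // the browser fetch login.jsp for the XHR, and its HTML lands in the red error box.
        // This filter is a convenience only: the UI must still refuse to build its content
        // when no authenticated user is present.
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() { }
}
```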