3
votes

A question regarding the handling of login to a web/application server (WildFly 9.0.2) after a session timeout.

Scenario:

I have a simple web application with a login page using Form-Based Authentication (action: j_security_check) and container-managed login.

This works as expected:

  1. Login works as follows:
  2. Invoke the URL localhost:8080/SecurityWeb/ in the browser.
  3. The login page is then shown in the browser.
  4. Log in to the web application before the session timeout occurs.
  5. After login I see the expected URL: localhost:8080/SecurityWeb/index.jsp

This does NOT work as expected:

  1. Login works as follows:
  2. Invoke the URL localhost:8080/SecurityWeb/ in the browser.
  3. The login page is then shown in the browser.
  4. Wait until the session timeout occurs.
  5. Then log in to the web application.
  6. After login I see the NOT expected URL: localhost:8080/SecurityWeb/j_security_check

Question: What has to be done to solve the problem?

Snippet from web.xml:

<display-name>SecurityWeb</display-name>

<welcome-file-list>
    <welcome-file>index.jsp</welcome-file>
</welcome-file-list>

<security-constraint>
    <web-resource-collection>
        <web-resource-name>All</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <description>...</description>
        <role-name>administrator</role-name>
        <role-name>customer</role-name>
    </auth-constraint>
</security-constraint>

<login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
        <form-login-page>/login.jsp</form-login-page>
        <form-error-page>/error.jsp</form-error-page>
    </form-login-config>
</login-config>

<security-role>
    <description>Admin</description>
    <role-name>administrator</role-name>
</security-role>
<security-role>
    <description>Customer</description>
    <role-name>customer</role-name>
</security-role>

<session-config>
    <!-- session-timeout is given in minutes -->
    <session-timeout>1</session-timeout>
</session-config>

+-------------------------------------------------+

Snippet from login.jsp:

<form method="post" ACTION="j_security_check">
id: <input type="text" name="j_username" /> <br>
pw: <input type="password" name="j_password" /> <br>
<input type="submit" name="login" value="Login">
</form>

+-------------------------------------------------+

Farisola
1
Because the session timeout destroys the session, the application server did not know where to forward after login and shows me the empty page with URL .../j_security_check. I am not sure how to handle this problem. I would prefer to show the user a "session has timed out" page, but I have not yet found a solution for how to do this. - Farisola

Did you find a solution for your problem? I have the same problem. - Emad Aghayi

I am also facing the same issue, does anyone have a solution for this? - Alpesh Jikadra

1 Answer

0
votes

I was looking in the wrong places for the solution. It turns out all I had to do was add an Idle Monitor, which is a PrimeFaces component; find the equivalent in your framework. What an idle monitor does is count down for a set interval while the application is inactive; when the session times out, you can fire an event to refresh the current page the user is on. This will solve the issue.

For a more in-depth solution, please refer to this: "Automatically perform action in client side when the session expires"
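
A framework-free sketch of the refresh-on-timeout idea for the login.jsp in the question, as an added example (not code from the question, the answer, or PrimeFaces). The names `createSessionClock` and `submitAction` and the 5-second margin are assumptions, and it assumes the login page was reached through the container's forward, so a reload re-requests the protected URL and the container can save it again.

```javascript
// Added example, not code from the question or from PrimeFaces.
// The container measures idle time from the last request it received, so only
// server contact resets this clock; mouse and keyboard activity do not.
function createSessionClock(sessionTimeoutMinutes, marginMs = 5000, now = Date.now) {
  const timeoutMs = sessionTimeoutMinutes * 60 * 1000 - marginMs;
  if (!Number.isFinite(timeoutMs) || timeoutMs <= 0) {
    throw new RangeError("session timeout must exceed the safety margin");
  }
  let lastContact = now();
  return {
    // Call after any completed request to the server (page load, XHR, fetch).
    serverContact() { lastContact = now(); },
    remainingMs() { return Math.max(0, lastContact + timeoutMs - now()); },
    // True slightly before the real timeout: an early reload is harmless,
    // a late submit lands on j_security_check with no saved request.
    isExpired() { return now() - lastContact >= timeoutMs; },
  };
}

// What a submit of the login form should do at this moment.
function submitAction(clock) {
  return clock.isExpired() ? "reload" : "submit";
}

// Browser wiring for login.jsp; skipped when run outside a browser.
if (typeof document !== "undefined") {
  const clock = createSessionClock(1); // <session-timeout>1</session-timeout>
  const form = document.querySelector('form[action="j_security_check"]');
  if (form) {
    form.addEventListener("submit", (event) => {
      if (submitAction(clock) === "reload") {
        event.preventDefault();    // do not post credentials to a dead session
        window.location.reload();  // re-request the protected URL instead
      }
    });
    // Idle-monitor behaviour: refresh once the session is presumed gone.
    setTimeout(() => window.location.reload(), clock.remainingMs());
  }
}
```

The value passed to `createSessionClock` has to be kept in step with `<session-timeout>` in web.xml, since the browser cannot read that setting itself.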