会话已过期 - 如何在浏览器的原始选项卡中终止会话
我有一个网络应用程序,其中我将最长不活动时间设置为 10 分钟。这仅用于测试目的。基本上,如果会话超时并且我单击链接,以下窗口浏览器将检查会话是否有效。这也运行良好。如果发生这种情况,我会收到一条消息,提示“会话已过期,请重新登录”。但是原始窗口保持打开状态,如果我单击同一链接,那么这次我可以看到该页面,即使我没有再次登录。这是为什么呢?
如果会话过期,我将使用 session.invalidate() 来确保所有属性都被删除,但这在某种程度上不起作用。
我在页面开头使用以下代码部分:
if(request.isRequestedSessionIdValid() == false)
{
response.sendRedirect("expired.jsp");
session.invalidate();
return;
}
这是第一次加载此页面时有效,但如果我再次单击链接再次加载它,则不满足此条件,尽管会话正在暂停。
您能给什么建议吗?
更新:我的Web应用程序按以下方式工作:
用户访问index.jsp页面并使用ID和密码访问系统,然后有一个BRMspace.jsp页面,其中有一个文件夹结构用户根据他们想要的文档来访问。通过单击每个文件夹,将显示一个填充了数据库的表格,供用户下载他们想要的文档。
我遇到的问题是,在 10 分钟不活动后,如果用户单击初始屏幕上的一个文件夹,则不会显示数据库,而是收到一条消息,指出会话已过期,并且我被重定向到登录页面,这是理想的。但是,如果我再次单击同一文件夹,这次我会得到包含数据和所有文档的常用表格。似乎单击一次后,不活动时间不再有效......所以我不知道该怎么做......我正在使用 session.invalidate() 删除有关该会话的所有数据会话,但显然不起作用。
无论用户单击何处,我都需要在不活动时间后将用户再次重定向到登录页面。
这是一个更新:
嗨,我必须重新提出这个问题,这对于解决我原来的问题的 90% 非常有帮助,但我仍然剩下一个......在我的网络应用程序上,当用户登录时,他们有一个可供单击的选项列表,每次单击都会将他们带到一个新选项卡,其中有不同的 .jsp 文件...如果会话已过期,这些选项卡会显示过期的 .jsp 文件,这是完美的...但是,原始选项卡,用户登录后显示的选项卡,保持活动状态,我的意思是,它并不显示会话已过期...在这种情况下我能做什么?...
I have a web app in which I have set the maximum inactivity time to 10 min. This is just for testing purposes. Basically, if the session has timeout and I click on a link, the following window browser checks if the session is valid. This is also working fine. If this happens, I get a message saying "session has expired, please login again". But the orginal window stays open and if I click on the same link, then this time is letting me see the page, even though I have not logged in again. Why is this?
I am using the session.invalidate() if the session is expired, to make sure all attributes are removed, but this is not working somehow.
I using the following part of the code at the beginning of the page:
if(request.isRequestedSessionIdValid() == false)
{
response.sendRedirect("expired.jsp");
session.invalidate();
return;
}
This is working the first time this page is loaded, but if I click on the link again to load it once more, this condition is not met, despite the session being timeout.
Could you please give any advice?
Update: My webapp works the following way:
User gets to the index.jsp page and uses an ID and password to access the system, then there is a BRMspace.jsp page where there is a folder structure for the user to access depending on the documents they are after. By clicking on each folder, a table with a database populated is displayed for the user to download the documents they want.
The issue I am having is that after 10 min of inactivity, if the user clicks on one folder on the initial screen, the database is not displayed, instead I get a message saying that session has expired and I am redirected to the login page, which is ideal. However, if I click on the same folder again, this time I get the usual table with the data and all documents. It seems that after one click, the inactivity time is not longer valid.... so I am not sure how to do... I am using session.invalidate() to delete all data about the session, but obvioulsy is not working.
I need the user to be redirected to login page again after the inactivity time no matter where the user clicks on.
This is an update:
Hi there, I have to re-take this question, which has been very helpful to resolve 90% of my original issue, but I still have one left.... on my web application, when user logins, they have a list of options to click on, each click takes them to a new tab which are different .jsp files... if session has expired, these tabs show the expired.jsp file, which is perfect... however, the original tab, the one that is shown after the user logins, stays live, I mean, it does not show that the session has expired... what can I do in this case?...
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
Web 会话与任何登录或访问凭据没有任何关系。它只是意味着容器已为您保存了数据,如果您传入正确的会话令牌(通过 cookie 或请求参数),则可以检索这些数据。如果您在网站上处于非活动状态一段时间(在您的情况下为 10 分钟),该数据将被丢弃,如果您检查会话有效性,您将发现数据是否仍然存在或已被丢弃。如果会话已过期,容器将自动创建一个新会话供您处理将来的请求。如果在超时到期之前向服务器发送另一个请求,则该请求的会话不会无效。
如果您试图阻止人们在未登录时访问页面,则实际上需要在会话中放入一些值以表明他们已通过身份验证,并检查该值。仅检查其请求的会话是否有效是不够的。
A web session doesn't have anything to do with any login or access credentials. It simply means that the container has data saved for you that can be retrieved if you pass in the correct session token (either by cookie or request parameter). If you have been inactive on the site for a period of time (in your case 10 minutes), that data is discarded and if you check for a sessions validity, you will discover whether the data is still around or has been discarded. If the session has expired, the container will automatically create a new session for you to handle future requests. And if another request is sent to the server before the timeout expires, that requested session will not be invalid.
If you are trying to prevent people from access a page when they have not logged in, you actually need to put some value into the session that says they have authenticated, and check that value. Just checking whether their requested session is valid is not sufficient.