I have a web app in which I have set the maximum inactivity time to 10 min. This is just for testing purposes. Basically, if the session has timed out and I click on a link, the following browser window checks if the session is valid. This is also working fine. If this happens, I get a message saying “session has expired, please login again”. But the original window stays open and if I click on the same link, then this time it lets me see the page, even though I have not logged in again. Why is this?
I am using the session.invalidate() if the session is expired, to make sure all attributes are removed, but this is not working somehow.
I am using the following part of the code at the beginning of the page:
<%
    // Only checks that the requested session id is still valid,
    // then invalidates the (already replaced) session after redirecting.
    if (request.isRequestedSessionIdValid() == false)
    {
        response.sendRedirect("expired.jsp");
        session.invalidate();
        return;
    }
%>
This is working the first time this page is loaded, but if I click on the link again to load it once more, this condition is not met, despite the session having timed out.
Could you please give any advice?
Update: My webapp works the following way:
User gets to the index.jsp page and uses an ID and password to access the system, then there is a BRMspace.jsp page where there is a folder structure for the user to access depending on the documents they are after. By clicking on each folder, a table populated from a database is displayed for the user to download the documents they want.
The issue I am having is that after 10 min of inactivity, if the user clicks on one folder on the initial screen, the database is not displayed; instead I get a message saying that the session has expired and I am redirected to the login page, which is ideal. However, if I click on the same folder again, this time I get the usual table with the data and all documents. It seems that after one click, the inactivity time is no longer valid… so I am not sure what to do… I am using session.invalidate() to delete all data about the session, but obviously it is not working.
I need the user to be redirected to login page again after the inactivity time no matter where the user clicks on.
This is an update:
Hi there, I have to re-take this question, which has been very helpful to resolve 90% of my original issue, but I still have one left… on my web application, when a user logs in, they have a list of options to click on; each click takes them to a new tab, which are different .jsp files… if the session has expired, these tabs show the expired.jsp file, which is perfect… however, the original tab, the one that is shown after the user logs in, stays live, I mean, it does not show that the session has expired… what can I do in this case?…
A web session doesn’t have anything to do with any login or access credentials. It simply means that the container has data saved for you that can be retrieved if you pass in the correct session token (either by cookie or request parameter). If you have been inactive on the site for a period of time (in your case 10 minutes), that data is discarded, and if you check for a session’s validity, you will discover whether the data is still around or has been discarded. If the session has expired, the container will automatically create a new session for you to handle future requests. And if another request is sent to the server before the timeout expires, that requested session will not be invalid.
If you are trying to prevent people from accessing a page when they have not logged in, you actually need to put some value into the session that says they have authenticated, and check that value. Just checking whether their requested session is valid is not sufficient.
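As an added example (not code from the question or the answer above), this is one way to apply the answer's advice with a servlet Filter that checks an authentication marker in the session on every request, so the check cannot be skipped by a page that forgets to include the scriptlet. The attribute key "authenticatedUser", the public page list and the redirect target are assumptions; the login handler is expected to set that attribute only after verifying credentials.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Assumed mapping: every URL in the web app passes through this filter.
@WebFilter(urlPatterns = "/*")
public class AuthenticationFilter implements Filter {

    // Assumed names of the pages that must stay reachable without a login.
    private static final String[] PUBLIC_PAGES = {"/index.jsp", "/login", "/expired.jsp"};

    // Assumed session attribute the login handler sets after a successful login.
    private static final String USER_ATTR = "authenticatedUser";

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String path = request.getRequestURI().substring(request.getContextPath().length());
        for (String p : PUBLIC_PAGES) {
            if (path.equals(p)) { chain.doFilter(req, res); return; }
        }

        // getSession(false) never creates a session: after the inactivity timeout
        // it returns null instead of the fresh, empty session the container would
        // otherwise hand out, which is what made isRequestedSessionIdValid() pass
        // on the second click.
        HttpSession session = request.getSession(false);
        Object user = (session == null) ? null : session.getAttribute(USER_ATTR);
        if (user == null) {
            // No authentication marker: redirect and stop the chain so the
            // protected JSP is never rendered.
            response.sendRedirect(request.getContextPath() + "/expired.jsp");
            return;
        }
        chain.doFilter(req, res);
    }
}
```

Logout should call session.invalidate() before redirecting to index.jsp, so the marker is gone rather than being removed from a session that has already been replaced.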