
  • Unable to login again after automatic session time out

    We have an application that times out after 15 minutes. What happens is that sometimes, after the user is automatically logged out after 15 min of inactivity, he is unable to log in again until he clears his cache. If he doesn't clear the cache and tries to log in, the error 'Session is Invalid' is thrown.

    This is the session expiration configuration in security.xml:

      <bean id="mySessionExpirationFilter" class="security.SessionExpirationFilter">
            <security:custom-filter position="LAST"/>
            <property name="expiredUrl" value="/login.htm?login_error=2"/>
      </bean>

    The code for the session expiry checking filter is:

            // Tell browsers and proxies not to cache the response.
            httpResponse.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP 1.1.
            httpResponse.setHeader("Pragma", "no-cache"); // HTTP 1.0.
            httpResponse.setDateHeader("Expires", 0);
            String path = httpRequest.getServletPath();
            logger.debug("in expiry filter gifteasy path " + path);
            // Skip the expiry check for any path containing one of these substrings.
            if (path.indexOf("login") < 0 && path.indexOf("logout") < 0 && path.indexOf("OnlineRegistration") < 0
                    && path.indexOf("Cardactivation") < 0 && path.indexOf("redirect") < 0 && path.indexOf("index") < 0) {
                HttpSession session = httpRequest.getSession(false);
                logger.debug("session in SessionExpirationFilter " + session);
                logger.debug("getRequestedSessionId " + httpRequest.getRequestedSessionId());
                logger.debug("isRequestedSessionIdValid " + httpRequest.isRequestedSessionIdValid());
                // No live session, but the browser sent a session ID the container no longer accepts.
                if (session == null &&
                        httpRequest.getRequestedSessionId() != null &&
                        !httpRequest.isRequestedSessionIdValid()) {
                    String targetUrl = httpRequest.getContextPath() + expiredUrl;
                    logger.debug("invalid seesion for URL " + path);
                    logger.debug("redirecting to " + targetUrl);
                    // (the redirect to targetUrl and the rest of the filter are not shown in the post)
                }
            }

    The redirection gets triggered correctly after 15 min of activity. Since we are logging out the user as the session is null, I don't understand why he should get the invalid session error when he tries to log in again. Since this error doesn't always occur (if we try the same thing 4-5 times, it happens once), I am not sure where or what exactly the problem is.

    Any pointers on this would be greatly appreciated.
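
Added example, not part of the original post and not the poster's code: a servlet-free model of the decision the posted filter makes, run over constructed requests so it is clear which ones get sent to expiredUrl. The Req record, the sample paths and the session ID value are hypothetical, and the rows for /j_spring_security_check assume the login form posts to Spring Security's default processing URL, which the post does not state.

```java
import java.util.List;

// Added example: models the posted filter's decision without the servlet API.
public class ExpiryFilterModel {

    // Constructed stand-in for the request properties the filter reads.
    record Req(String servletPath, boolean hasLiveSession,
               String requestedSessionId, boolean requestedIdValid) {}

    // Substrings copied from the path test in the posted filter.
    static final List<String> EXEMPT = List.of("login", "logout",
            "OnlineRegistration", "Cardactivation", "redirect", "index");

    // Same test as the post: a path is checked only if it contains none of them.
    static boolean isChecked(String path) {
        return EXEMPT.stream().noneMatch(path::contains);
    }

    // True when the filter would redirect the request to expiredUrl.
    static boolean redirectsToExpired(Req r) {
        return isChecked(r.servletPath())
                && !r.hasLiveSession()
                && r.requestedSessionId() != null
                && !r.requestedIdValid();
    }

    public static void main(String[] args) {
        String stale = "STALE-ID-CONSTRUCTED"; // session cookie the browser still holds
        List<Req> samples = List.of(
            new Req("/account.htm", false, stale, false),             // protected page after timeout
            new Req("/login.htm", false, stale, false),               // login page, stale cookie
            new Req("/j_spring_security_check", false, stale, false), // assumed form target
            new Req("/j_spring_security_check", false, null, false),  // same, cookie cleared
            new Req("/reports/index-summary.htm", false, stale, false)); // hypothetical path containing "index"
        for (Req r : samples) {
            System.out.printf("%-28s id=%-22s -> %s%n", r.servletPath(),
                    r.requestedSessionId(),
                    redirectsToExpired(r) ? "redirect to expiredUrl" : "passes through");
        }
    }
}
```

In this model a stale session ID sent to any servlet path that contains none of the exempt substrings is redirected, while the same request without the cookie passes through; the substring test also exempts any path that merely contains one of the listed words.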