1) Specify a default session timeout in web.xml (<session-config><session-timeout>, in minutes) so that every session expires after a period of inactivity even when the application code never sets one explicitly.
2) Call request.getSession(false).invalidate() (after a null check) when the user clicks the logout button. getSession(false) avoids creating a brand-new session just to invalidate it, and invalidate() destroys the server-side state, so an old JSESSIONID cookie that is replayed later no longer maps to an authenticated session.
3) Start a JavaScript timer that warns the user shortly before the session is due to expire so that unsaved work can be saved first. The timer only informs the user; the server-side timeout is the actual control.
4) Capture the browser window/tab closing event (beforeunload) and send a logout request so that the session is invalidated instead of staying alive until the timeout, for example when the user closes the tab and someone later opens a new tab on the same browser. Treat this as best effort only: browsers do not guarantee that a request sent during unload completes, and the event also fires on ordinary navigation and reload, so it must never be the only thing that ends a session.
5) Maintain a list of currently logged-in users, either as a table in the database that is updated as users log in and out, or as a map stored in the application (servlet) context. Either store can be kept accurate with the HttpSessionBindingListener API: an object stored in the session receives valueBound on login and valueUnbound on logout, invalidation or timeout, so users whose sessions simply expire are removed as well.
6) Keep the session ID out of URLs. Rewriting every link with response.encodeURL() so that jsessionid works when cookies are disabled leaks the session ID into Referer headers, proxy and server logs, browser history and bookmarks. Configure cookie-only tracking instead (<tracking-mode>COOKIE</tracking-mode> in web.xml, Servlet 3.0+) and mark the session cookie HttpOnly and Secure.
7) On every request, not only when the user clicks a link, check that the session is still valid before doing any work: request.getSession(false) returns null when there is no live session, and request.isRequestedSessionIdValid() tells you whether the ID the browser sent still maps to one (the Servlet API has no isValid() method on HttpSession). If the session is invalid or expired, forward the user to the login/index page rather than processing the request. A servlet Filter is the natural place for this check so that no protected page can be reached without it.
8) When the session has expired, forward the user to the login page immediately rather than rendering the requested page with empty or default data.
9) If the application uses AJAX calls, a full page refresh may never happen, so the session check must also run for every AJAX request. Answer an unauthenticated XHR with a 401 status instead of redirecting it to the HTML login page, and let the client-side code redirect on that status; otherwise the script receives a login page it cannot parse and the user sees a broken screen rather than a login prompt.
10) Choose the default session timeout according to the kind of application: a banking application warrants a timeout of the order of 2 minutes, while an internal portal can work with something of the order of 15 minutes. The shorter the timeout, the smaller the window in which a stolen or left-behind session can be abused.
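The ten items above put together as one added example (this is not code from the original post): cookie-only tracking with a hardened cookie and a default timeout (items 1, 6, 10), a binding listener that keeps the set of logged-in users current (item 5), a filter that rejects requests without a valid authenticated session and answers AJAX callers with 401 (items 7, 8, 9), the post-login step that rotates the session ID and tightens the idle timeout, and the logout servlet (item 2). It assumes the Servlet 4.0 API (javax.servlet), Java 8+, that the login page lives at /login and protected pages under /app/*, and that the client sends the X-Requested-With header on its AJAX calls; those paths, the "user" and "activeUsers" attribute names and the header check are assumptions for this example. The classes are shown in one listing; deploy each in its own source file.

```java
// Added example, not from the original post. Servlet 4.0 API, Java 8+.
// Assumed paths: /login (login page), /logout, /app/* (protected pages).
import java.io.IOException;
import java.util.EnumSet;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebListener;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.*;

/** Items 1, 6, 10: cookie-only tracking, hardened cookie, default idle timeout. */
@WebListener
public class SessionConfigListener implements ServletContextListener {
    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();
        // Session ID travels only in the cookie: no jsessionid URL rewriting.
        ctx.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));
        ctx.getSessionCookieConfig().setHttpOnly(true); // not readable from script
        ctx.getSessionCookieConfig().setSecure(true);   // sent over HTTPS only
        // Default idle timeout in minutes; equivalent to
        // <session-config><session-timeout>15</session-timeout></session-config>
        ctx.setSessionTimeout(15);
        // Item 5: registry of logged-in users, shared by all sessions (assumed attribute name).
        Set<String> activeUsers = ConcurrentHashMap.newKeySet();
        ctx.setAttribute("activeUsers", activeUsers);
    }
    @Override public void contextDestroyed(ServletContextEvent sce) { }
}

/** Item 5: the object stored in the session registers itself while bound and
 *  unregisters on logout, invalidation or timeout, so the set stays current.
 *  (A user logged in from two browsers would need a count instead of a set.) */
public class LoggedInUser implements HttpSessionBindingListener {
    private final String name;
    public LoggedInUser(String name) { this.name = name; }
    @SuppressWarnings("unchecked")
    private Set<String> registry(HttpSessionBindingEvent e) {
        return (Set<String>) e.getSession().getServletContext().getAttribute("activeUsers");
    }
    @Override public void valueBound(HttpSessionBindingEvent e)   { registry(e).add(name); }
    @Override public void valueUnbound(HttpSessionBindingEvent e) { registry(e).remove(name); }
}

/** Items 7, 8, 9: no protected page is served without a valid, authenticated session. */
@WebFilter(urlPatterns = "/app/*")
public class SessionCheckFilter implements Filter {
    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(false); // false: never create one here
        boolean authenticated = session != null && session.getAttribute("user") != null;
        if (authenticated) { chain.doFilter(req, res); return; }
        // Item 9: a script cannot act on a redirect to an HTML login page, so answer 401
        // and let the client-side code navigate to /login. jQuery sets this header by
        // default; a fetch() client must add it itself (assumption of this example).
        if ("XMLHttpRequest".equals(request.getHeader("X-Requested-With"))) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        } else {
            response.sendRedirect(request.getContextPath() + "/login"); // item 8
        }
    }
}

/** Post-login step, called by the login servlet once credentials have been
 *  verified (that check is outside this example). */
public final class SessionUtil {
    private SessionUtil() { }
    public static void establishSession(HttpServletRequest request, String username) {
        HttpSession session = request.getSession();
        request.changeSessionId();                            // Servlet 3.1: defeats session fixation
        session.setAttribute("user", new LoggedInUser(username)); // valueBound fires, item 5
        session.setMaxInactiveInterval(2 * 60);               // item 10: 120 s for a banking app
    }
}

/** Item 2: logout destroys the server-side session; valueUnbound fires for LoggedInUser.
 *  POST only, so a cross-site <img> or link cannot log the user out. */
@WebServlet("/logout")
public class LogoutServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        HttpSession session = request.getSession(false);
        if (session != null) session.invalidate();
        response.sendRedirect(request.getContextPath() + "/login");
    }
}
```

The filter is the piece that makes items 7 to 9 hold everywhere: because it is mapped to /app/*, a page author cannot forget the check, and because it uses getSession(false) it never manufactures a session for an anonymous visitor. The client-side timer from items 3 and 4 is a convenience layered on top of this; the timeout set in SessionConfigListener and the invalidate() in LogoutServlet are what actually end a session.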