Session Timeout and DAD Authentication

My application uses the authentication scheme 'No authentication (using DAD)'. The users log in from an external program and the user IDs are captured in the variable remote_user. My authorization scheme checks that the user ID exists in a database table. All this seems to work fine.
However, I need to implement a session timeout on the application. I've followed the steps described in the "Automatic Session Timeouts" utility in the Application Express Studio but when I tried to modify the authentication scheme by adding:
return auth_pkg.check_timeout;
to the Session Verify Function I got the following errors:
No functional attributes may be set when page sentry function is '-DATABASE-'.
and
Session verification function may not be specified if page sentry function is specified.
I'm new to Apex and I don't know where to go from here. Any advice please?
Thanks
Maria

Maria,
The usual way to do the authentication part is to use a custom page sentry function. Many examples have been posted on the forum based on the ntlm page sentry code. Search for those keywords here (ntlm page sentry) and you should find it easily. Then you can modify it by adding the session timeout logic in that function.
Scott

Similar Messages

  • Session timeout and Custom login module

    Hi,
    Dev Platform: Jdev 10.1.3.4.0, Oracle 10.2.4
    I'm trying to trap the session timeout and display a page. I'm using the code below from Frank Nimphius. I've also provided a console log of what is happening when the application times out. Instead of the filter being called the system is calling the dblogin module and attempting to login the anonymous user. I renamed the anonymous user and I just see log entries where the system attempted to find the anonymous user.
    If I use the application to logout I get a Logout page with a button to confirm the logout. When I press the button the session is invalidated and the filter code brings up my "Session Timeout" notification page. This isn't what will happen in the end but I just wanted to tell you that the filter does work in certain instances.
    How can I make the system not attempt to login the anonymous user and have the filter code run?
    TIA, Dave
    package isdbs.view.security;

    import java.io.IOException;
    import javax.servlet.Filter;
    import javax.servlet.FilterChain;
    import javax.servlet.FilterConfig;
    import javax.servlet.ServletException;
    import javax.servlet.ServletRequest;
    import javax.servlet.ServletResponse;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    public class ApplicationSessionExpiryFilter implements Filter {
        private FilterConfig _filterConfig = null;

        public void init(FilterConfig filterConfig) throws ServletException {
            _filterConfig = filterConfig;
        }

        public void destroy() {
            _filterConfig = null;
        }

        public void doFilter(ServletRequest request, ServletResponse response,
                             FilterChain chain) throws IOException, ServletException {
            String requestedSession =   ((HttpServletRequest)request).getRequestedSessionId();
            String currentWebSession =  ((HttpServletRequest)request).getSession().getId();
            boolean sessionOk = currentWebSession.equalsIgnoreCase(requestedSession);
            // if the requested session is null then this is the first application
            // request and "false" is acceptable
            if (!sessionOk && requestedSession != null){
                // the session has expired or renewed. Redirect request
                ((HttpServletResponse) response).sendRedirect(_filterConfig.getInitParameter("SessionTimeoutRedirect"));
            }
            else{
                chain.doFilter(request, response);
            }
        }
    }
    Mar 30, 2009 9:38:04 AM oracle.security.jazn.oc4j.RealmUserAdaptor isMemberOf
    FINE: JAAS-OC4J: Membership check for group: ISDBS_USER failed for user: anonymous
    09/03/30 09:38:04 [DBTableOraDatasourceLoginModule] option debug = true
    09/03/30 09:38:04 [DBTableOraDatasourceLoginModule] option log level = log all
    09/03/30 09:38:04 [DBTableOraDatasourceLoginModule] option logger class = null
    09/03/30 09:38:04 [DBTableOraDatasourceLoginModule] option data_source_name = jdbc/elearnDS
    09/03/30 09:38:04 [DBTableOraDatasourceLoginModule] option user table = TBL_LOGIN
    09/03/30 09:38:04 [DBTableOraDatasourceLoginModule] option roles table = XREF_LOGIN_ROLE
    09/03/30 09:38:04 [DBTableOraDatasourceLoginModule] option username column = LOGIN_NM
    09/03/30 09:38:04 [DBTableOraDatasourceLoginModule] option password column = PASSWORD
    09/03/30 09:38:04 [DBTableOraDatasourceLoginModule] option roles column = ROLE_NM
    09/03/30 09:38:04 [DBTableOraDatasourceLoginModule] option user pk column = LOGIN_NM
    09/03/30 09:38:04 [DBTableOraDatasourceLoginModule] option roles fk column = LOGIN_NM
    09/03/30 09:38:04 [DBTableOraDatasourceLoginModule] option password encoding class = oracle.sample.dbloginmodule.util.DBLoginModuleClearTextEncoder
    09/03/30 09:38:04 [DBTableOraDatasourceLoginModule] option realm_column = null
    09/03/30 09:38:04 [DBTableOraDatasourceLoginModule] option application_realm = null
    09/03/30 09:38:04 [DBTableOraDatasourceLoginModule] login called on DBTableLoginModule
    09/03/30 09:38:04 [DBTableOraDatasourceLoginModule] Calling callbackhandler ...
    09/03/30 09:38:04 [DBTableOraDatasourceLoginModule] Username returned by callback = null
    09/03/30 09:38:04 [DBTableOraDatasourceLoginModule] User query string: select LOGIN_NM,PASSWORD, LOGIN_ATTEMPTS, ACTIVE_IND from TBL_LOGIN where lower(LOGIN_NM)= lower((?))
    09/03/30 09:38:04 [DBTableOraDatasourceLoginModule] Logon Successful = false
    09/03/30 09:38:04 [DBTableOraDatasourceLoginModule] Abort called on LoginModule
    Mar 30, 2009 9:38:04 AM oracle.security.jazn.oc4j.OC4JUtil doJAASLogin
    WARNING: Login Failure: all modules ignored
    javax.security.auth.login.LoginException: Login Failure: all modules ignored
         at javax.security.auth.login.LoginContext.invoke(LoginContext.java:921)
         at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
         at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
         at java.security.AccessController.doPrivileged(Native Method)
         at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
         at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
         at oracle.security.jazn.oc4j.OC4JUtil.doJAASLogin(OC4JUtil.java:241)
         at oracle.security.jazn.oc4j.GenericUser$1.run(JAZNUserManager.java:818)
         at oracle.security.jazn.oc4j.OC4JUtil.doWithJAZNClsLdr(OC4JUtil.java:173)
         at oracle.security.jazn.oc4j.GenericUser.authenticate(JAZNUserManager.java:814)
         at oracle.security.jazn.oc4j.FilterUser.authenticate(JAZNUserManager.java:1143)
         at com.evermind.server.http.EvermindHttpServletRequest.checkAndSetRemoteUser(EvermindHttpServletRequest.java:3760)
         at com.evermind.server.http.HttpRequestHandler.doProcessRequest(HttpRequestHandler.java:706)
         at com.evermind.server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java:453)
         at com.evermind.server.http.HttpRequestHandler.serveOneRequest(HttpRequestHandler.java:221)
         at com.evermind.server.http.HttpRequestHandler.run(HttpRequestHandler.java:122)
         at com.evermind.server.http.HttpRequestHandler.run(HttpRequestHandler.java:111)
         at oracle.oc4j.network.ServerSocketReadHandler$SafeRunnable.run(ServerSocketReadHandler.java:260)
         at com.evermind.util.ReleasableResourcePooledExecutor$MyWorker.run(ReleasableResourcePooledExecutor.java:303)
         at java.lang.Thread.run(Thread.java:595)
    Mar 30, 2009 9:38:04 AM oracle.security.jazn.oc4j.GenericUser authenticate
    FINE: JAAS-OC4J: Authentication failure for user: null
    Mar 30, 2009 9:38:04 AM oracle.security.jazn.oc4j.RealmUserAdaptor isMemberOf
    FINE: JAAS-OC4J: Membership check for group: ISDBS_USER failed for user: anonymous

    I added an HttpSessionListener upon login here's what I get:
    09/03/31 08:21:25 Inside sessionCreated
    09/03/31 08:21:25 Before New session createb = 0
    09/03/31 08:21:25 Created session id: 854b4b95cf28ceb065d0489a31ee79c19feabb80716f6d828b77fc7044b210bf
    09/03/31 08:21:25 After New session count = 1
    At session timeout here's what I get:
    09/03/31 08:23:27 Count before destroyed = 1
    09/03/31 08:23:27 Destroyed session id: 854b4b95cf28ceb065d0489a31ee79c19feabb80716f6d828b77fc7044b210bf
    09/03/31 08:23:27 Count after destroyed = 0
    09/03/31 08:23:27 Inside sessionCreated
    09/03/31 08:23:27 Before New session createb = 0
    09/03/31 08:23:27 Created session id: 854b4b95cf28ceb065d0489a31ee79c19feabb80716f6d828b77fc7044b210bf
    09/03/31 08:23:27 After New session count = 1
    Notice that the session Id in each case is IDENTICAL. That is why the Filter code isn't doing what it is intended to do. Why is the same session ID being created after it is destroyed? Is there a configuration parameter that controls it?
    Thanks,
    Dave

  • What is the difference between Session timeout and Short Session timeout Under Excel Service Application -- session management?

    Under Excel Service Application --> session management; what is the difference between Session timeout and Short Session timeout?

    Any call made from the API will automatically be set to the “Session Timeout” period, no matter what. Calls made from EWA (Excel Web Access) will get the “Short Session Timeout” period assigned to it initially.
    Short Session Timeout and Session Timeout in Excel Services
    Short Session Timeout and Session Timeout in Excel Services - Part 2
    Sessions and session time-outs in Excel Services
    The above links are from an old version but still apply to all.
    Please remember to mark your question as answered & vote helpful, if this solves/helps your problem.
    Thanks -WS MCITP(SharePoint 2010, 2013) Blog: http://wscheema.com/blog

  • Session Timeout and Dynamic Actions

    Did anybody ever use the Session Timeout feature in APEX successfully?
    I have set an idle session timeout and provided an url to redirect to once the session is expired: Home > Application Builder > Application nnn > Shared Components > Edit Security Attributes > Session Timeout
    It works so far during the page rendering and page processing phase. But I have major problems with dynamic actions and custom ajax requests.
    Dynamic actions will just hang and simply don't return. Even worse, when I execute the dynamic action once the session is expired, the session seems to be physically deleted and thus the next click on a tab will not redirect to the expiration page but go straight to the login page.
    Did anybody make it work or is the best way to implement a custom session timeout?
    Thanks,
    Dietmar.

    Hi All,
    Check out the Session Timeout plug-in available here:
    http://skillbuilders.com/plugins
    Let me know if that helps.
    Regards,
    Dan
    blog: http://DanielMcghan.us/
    work: http://SkillBuilders.com/APEX/

  • Session Timeouts and SmbServer

    Hi,
    When having iFS mapped to a network drive (via SMB), the SMB server
    is unable to recover from a timeout of the LibrarySession. The network
    drive then seems to be empty and doing a refresh within explorer
    doesn't help either. The only thing that helps, is remapping the
    network drive.
    Within Node.log of iFS I see this stacktrace.
    7/10/02 9:02 AM SmbServer: oracle.ifs.common.IfsException
    oracle.ifs.common.IfsException: IFS-21000: Session is not connected or has timed-out
    at java.lang.Throwable.fillInStackTrace(Native Method)
    at java.lang.Throwable.fillInStackTrace(Compiled Code)
    at java.lang.Throwable.<init>(Compiled Code)
    at java.lang.Exception.<init>(Compiled Code)
    at oracle.ifs.common.IfsException.<init>(Compiled Code)
    at oracle.ifs.common.IfsException.<init>(Compiled Code)
    at oracle.ifs.common.IfsException.<init>(Compiled Code)
    at oracle.ifs.beans.LibraryObject.verifyConnected(Compiled Code)
    at oracle.ifs.beans.Folder.findPublicObjectByPath(Compiled Code)
    at oracle.ifs.beans.FolderPathResolver.findPublicObjectByPath(Compiled Code)
    at oracle.ifs.beans.FolderPathResolver.findPublicObjectByPath(Compiled Code)
    at oracle.ifs.protocols.smb.server.DbTree$DbQuery.<init>(Compiled Code)
    at oracle.ifs.protocols.smb.server.DbTree.getQuery(Compiled Code)
    at oracle.ifs.protocols.smb.server.ComTrans.trans2FindFirst(Compiled Code)
    at oracle.ifs.protocols.smb.server.ComTrans.replyTransaction2(Compiled Code)
    at oracle.ifs.protocols.smb.server.ComTrans.process(Compiled Code)
    at oracle.ifs.protocols.smb.server.ComSmb.handleSmbMessage(Compiled Code)
    at oracle.ifs.protocols.smb.server.SmbThread.handleNbMessage(Compiled Code)
    at oracle.ifs.protocols.smb.server.SmbThread.readPackets(Compiled Code)
    at oracle.ifs.protocols.smb.server.SmbThread.run(Compiled Code)
    This behavior actually causes us big problems when editing files via MS Office.
    Fortunately Office is able to still save its data using some generated filename.
    (At least until now I could not create any data loss)
    But then you have to close it, remap the network drive, rename the file and then
    reopen the file. This is big trouble to users, which are not familiar with mapping
    network drives and renaming files with extensions.
    Is there a way to make the SmbServer keep the LibrarySession alive, as long as
    the network drive is mapped ?
    Regards,
    Jens Lorenz

    Workflow #2:
    Login to my account
    Click view all email
    Open Drafts Folder
    Open draft email response
    Select "Send" to send email (total in session time of 30 seconds)
    On screen reload, where I would expect to see some sort of indication that my email was successfully sent, instead the system throws session time out message and kicks me out.
    I have no idea if my email was successfully sent or not.
    Workflow #3:
    Login to my account
    Click view all email
    Attempted to open the first new email in my inbox (total time in session <15 seconds)
    System throws session timeout error and kicks me out to the main login.
    There is obviously something going on with your session holding code. The session variable is not being passed correctly or something but it's very, very frustrating to spend 30-45 minutes trying to type out a couple of lines, particularly when you have multiple important activities going on that you need to respond to via email.

  • Session timeout and custom sso

    Hi,
    Can anyone tell me how the session and idle timeout feature in Apex exactly works?
    I built several applications in a workspace and do a sso authorization by setting a common cookie name. In addition to that I set the values for session length and idle timeout and assumed that the session length would be synchronized over all applications. But this doesn't seem to work. For instance, I set the idle timeout to 10 minutes in all applications and now I work for 15 minutes continuously in application A and after that I switch over to application B (using the same session id!), the session is already expired in B.
    Is this behavior correct? And, if yes, how can I set up a synchronization over all applications?
    Jens

    Anyone?

  • Session Timeout and Url Redirect in BlazeDS?

    We have a JSF2 Webapp and Flex 4 integrated.
    Question
    1. How can we pass the parameters in web.xml to make FLEX4 redirect to login page when the session timeouts instead of giving a AMF Communication Error?
    Thanks,
    User.

    hi, i am also struggling with the same problem, have you got any solution

  • Session timeout and session.invalidate() -- are they the same?

    I was just wondering when a session timeout occurs (either by setting the session-timeout in web.xml or the server's default timeout), is the session automatically invalidated? Or should we call setMaxInactiveInterval() instead? Or is calling session.invalidate() the only way to invalidate a session?

    Hello all,
    Both are same in terms of functionality, but if you use both of them like
    1: You specified the tag sessionTimeout and
    2: in your program the session.maxInactiveIntervalTime( value ) here if the value is(we gave it in terms of seconds like for 40 minutes we give 2400) then the program code will override the value previously set in web.xml
    Thanks
    Prabhakar

  • BC4J/UIX: How to implement session timeout and logout?

    Hi,
    I need to implement logout function in my UIX application. We use JAZN basic authentication. So several things need to be done when user clicks 'logout'
    1. Any pending transaction is rolled-back.
    2. App Module - what to do with it?
    3. Browser closes or redirects to other page. Any attempts to go BACK will show either 'session expired' or will redirect to login page.
    Also I need a mechanism where if user is idle for say, 10 minutes, that he/she will be automatically logout (maybe after some warning message). How to do this?
    Thanks
    Rade

    Well if you search long enough, you will find your own answers. After months of not having this solved, I found the solution, in a piece of sample code from oracle that is distro with the OC4J stuff.
    if (request.getRemoteUser() != null) {
         // notes that the application is responsible for cleanup
         //invalidate the HttpSession
         HttpSession session = request.getSession();
         session.invalidate();
         String url=null;
         oracle.security.jazn.oc4j.WebSSOUtil.globalLogout(response,url);
         } else      out.println("You are not logged in!");
         out.println("</BODY>");
         out.println("</HTML>");
    This is the piece I was looking for, a way to kill off the SSO session. Now when I click logoff, the user is actually logged off the application and their HTTP session is killed off as well.
    Kelly

  • Url and DAD authentication

    apex v2.2
    Scenario is
    Apex users are authenticated using database authentication.
    Once authenticated the users may press a column link to a
    non apex DAD stored procedure call which then asks for authentication.
    sample call is - which executes a report request and pass back a pdf to the browser
    http://host:port/<dad>/<package.procedure>?param1=1
    Within the apex security model can I somehow bypass the user/pw challenge as the user signed in has permission to execute the call and a public user shouldn't have access
    This is the apex DAD
    <Location /pls/apex>
    SetHandler pls_handler
    Order deny,allow
    Allow from all
    AllowOverride None
    PlsqlDatabaseUsername APEX_PUBLIC_USER
    PlsqlDatabasePassword xxxxxxxx
    PlsqlDatabaseConnectString train:1521:training SIDformat
    PlsqlDefaultPage apex
    PlsqlDocumentTablename wwv_flow_file_objects$
    PlsqlDocumentPath docs
    PlsqlDocumentProcedure wwv_flow_file_mgr.process_download
    PlsqlAuthenticationMode Basic
    PlsqlNLSLanguage AMERICAN_AMERICA.AL32UTF8
    </Location>
    Any ideas ?
    Thanks
    Pete

    Still no joy!
    Currently there's a region with some items and a button
    when submitting the button GO, page process GO executes:
    htp.init;
    apex_application.g_page_text_generated := true;
    owa_util.mime_header ('application/x-sql',false);
    htp.p('Content-Disposition: attachment; filename=xxxxxxxxxxxx');
    owa_util.mime_header('application/pdf', false);
    owa_util.http_header_close;
    htp.p('Content-Disposition: attachment; filename=test.pdf');
    <package>.download_doc(517); -- see below
    "some processing takes place" but the document is not being displayed
    I've tried the different mime_header and Content-Disposition settings
    Do I need to redirect the content sent from the server somewhere else?
    Calling the procedure via mod pl/sql works
    Thanks for your reply.
    Pete
    ===
    procedure download_doc(p_file_id   upload_reports.ur_id%type
                          ,p_mime_type varchar2 default 'application/pdf')
    as
      l_lob  upload_reports.report_blob%type;
      l_mime varchar2(30);
    begin
      select f.report_blob
        into l_lob
        from upload_reports f
       where f.ur_id = p_file_id;
      owa_util.mime_header('application/pdf', false);
      owa_util.http_header_close;
      wpg_docload.download_file(l_lob);
    end;

  • Portal Session Timeout and Logon Ticket Timeout

    Hi All,
    Can anyone give me answers to the following:
    - If my Portal session times out, but my logon ticket is still valid, will I lose my session data?
    - Is there any way of determining the size of a user's session information in memory (or the size of all user sessions in memory)? I can see in the Monitoring service in Visual Admin the number of sessions but not their individual or total size.
    I'm using EP7.
    Cheers,
    Steve

    Hi,
    the Logon Ticket is only used for SSO between the portal and the integrated system. Your session data is stored in the session. If the session times out or gets closed, the session data is lost.
    br,
    Tobias

  • Session Timeout Setting in Business Intelligence Platform 4

    Greetings.  We are using Business Intelligence Platform 4 SP 2.5.  We use LDAP authentication for logging in to the CMC, BI Launchpad, and Lifecycle Management console.  Our sessions expire after 10 minutes (of either activity or inactivity).  I haven't been able to find the setting that controls the timeout.  Does anyone know?
    Thank you in advance,
    Dave

    Hi Dave,
    To make the change for the timeout we need to navigate to the following location:
    1. Program Files (x86)\SAP BusinessObjects\Tomcat6\webapps\BOE\WEB-INF
    2. Open the web.xml. Search for the "session-timeout" and change the value as per your requirement.
    3. This change would take effect on both CMC and BI LaunchPad.
    4. Restart the Tomcat.
    At <INSTALLDIR>\Tomcat6\conf\web.xml change 30 to 60:
        <session-config>
            <session-timeout>60</session-timeout>
        </session-config>
    Regards,
    Sonia

  • ADF Faces : session timeout best practice

    hi
    I made these small modifications to the web.xml file in the SRDemoSample application:
    (a) I changed the login-config from this ...
      <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
          <form-login-page>infrastructure/SRLogin.jspx</form-login-page>
          <form-error-page>infrastructure/SRLogin.jspx</form-error-page>
        </form-login-config>
      </login-config>
    ... to this
      <login-config>
        <auth-method>BASIC</auth-method>
      </login-config>
    (b) I changed the session-timeout to 1 minute.
      <session-config>
        <session-timeout>1</session-timeout>
      </session-config>
    Please consider this scenario:
    (1) Run the UserInterface project of the SRDemoSample application in JDeveloper.
    (2) Authenticate using "sking" and password "welcome".
    (3) Click on the "My Service Requests" tab.
    (4) Click on a "Request Id" like "111". You should see a detail page titled "Service Request Information for SR # 111" that shows detail data on the service request.
    (5) Wait for at least one minute for the session to timeout.
    (6) Click on the "My Service Requests" tab again. I see the same detail page as in (4), now titled "Service Request Information for SR #" and not showing any detail data.
    question
    What is the best practice to detect such session timeouts and handle them in a user friendly way in an ADF Faces application?
    thanks
    Jan Vervecken

    Hi,
    no. Here's the content copied from a word doc:
    A frequent question on the JDeveloper OTN forum, and also one that has been asked by customers directly, is how to detect and gracefully handle user session expiry due to user inactivity.
    The problem of user inactivity is that there is no way in JavaEE for the server to call the client when the session has expired. Though you could use JavaScript on the client display to count down the session timeout, eventually showing an alert or redirecting the browser, this goes with a lot of overhead. The main concern raised against unhandled session invalidation due to user inactivity is that the next user request leads to unpredictable results and error messages. Because all information stored in the user session gets lost upon session expiry, you can't recover the session and need to start over again. The solution to this problem is a servlet filter that works on top of the Faces servlet. The web.xml file would have the servlet configured as follows
        <filter>
            <filter-name>ApplicationSessionExpiryFilter</filter-name>
            <filter-class>
                adf.sample.ApplicationSessionExpiryFilter
            </filter-class>
            <init-param>
                <param-name>SessionTimeoutRedirect</param-name>
                <param-value>SessionHasExpired.jspx</param-value>
            </init-param>
        </filter>
    This configures the "ApplicationSessionExpiryFilter" servlet with an initialization parameter for the administrator to configure the page that the filter redirects the request to. In this example, the page is a simple JSP page that only prints a message so the user knows what has happened. Further in the web.xml file, the filter is assigned to the JavaServer Faces servlet as follows
        <filter-mapping>
            <filter-name>ApplicationSessionExpiryFilter</filter-name>
            <servlet-name>Faces Servlet</servlet-name>
        </filter-mapping>
    The Servlet filter code compares the session Id of the request with the current session Id. This nicely handles the issue of the JavaEE container implicitly creating a new user session for the incoming request.
    The only special case to be handled is where the incoming request doesn't have an associated session ID. This is the case for the initial application request.
    1.     package adf.sample;
    2.     
    3.     import java.io.IOException;
    4.     
    5.     import javax.servlet.Filter;
    6.     import javax.servlet.FilterChain;
    7.     import javax.servlet.FilterConfig;
    8.     import javax.servlet.ServletException;
    9.     import javax.servlet.ServletRequest;
    10.     import javax.servlet.ServletResponse;
    11.     import javax.servlet.http.HttpServletRequest;
    12.     import javax.servlet.http.HttpServletResponse;
    13.     
    14.     
    15.     public class ApplicationSessionExpiryFilter implements Filter {
    16.         private FilterConfig _filterConfig = null;
    17.        
    18.         public void init(FilterConfig filterConfig) throws ServletException {
    19.             _filterConfig = filterConfig;
    20.         }
    21.     
    22.         public void destroy() {
    23.             _filterConfig = null;
    24.         }
    25.     
    26.         public void doFilter(ServletRequest request, ServletResponse response,
    27.                              FilterChain chain) throws IOException, ServletException {
    28.     
    29.     
    30.             String requestedSession =   ((HttpServletRequest)request).getRequestedSessionId();
    31.             String currentWebSession =  ((HttpServletRequest)request).getSession().getId();
    32.            
    33.             boolean sessionOk = currentWebSession.equalsIgnoreCase(requestedSession);
    34.           
    35.             // if the requested session is null then this is the first application
    36.             // request and "false" is acceptable
    37.            
    38.             if (!sessionOk && requestedSession != null){
    39.                 // the session has expired or renewed. Redirect request
    40.                 ((HttpServletResponse) response).sendRedirect(_filterConfig.getInitParameter("SessionTimeoutRedirect"));
    41.             }
    42.             else{
    43.                 chain.doFilter(request, response);
    44.             }
    45.         }
    46.        
    47.     }
    This servlet filter works pretty well, except for sessions that are expired because of active session invalidation e.g. when nuking the session to log out of container managed authentication. In this case my
    recommendation is to extend line 39 to also include a check if security is required. This can be through another initialization parameter that holds the name of a page that the request is redirected to upon logout.
    In this case you don't redirect the request to the error page but continue with a newly created session.
    Ps.: For testing and development, set the following parameter in web.xml to 1 so you don't have to wait 35 minutes
        <session-config>
            <session-timeout>1</session-timeout>
        </session-config>
    Frank
    Edited by: Frank Nimphius on Jun 9, 2011 8:19 AM
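
A variant of the filter aimed at the identical-session-id case in Dave's listener log and at the logout caveat in Frank's post, as an added example that is not code from either post: it decides on session state (`isRequestedSessionIdValid()`, `HttpSession.isNew()`) instead of comparing ids. The package and class names and the `LogoutRedirect` init-param are hypothetical; it assumes the container reports a session created during the current request as new and that the configured pages are relative to the context root.

```java
package example.security; // hypothetical package name

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Added example: detects an expired session without comparing session ids. */
public class SessionExpiryByStateFilter implements Filter {
    private String timeoutPage; // init-param SessionTimeoutRedirect (name used on the page)
    private String logoutPage;  // init-param LogoutRedirect (hypothetical, optional)

    public void init(FilterConfig cfg) throws ServletException {
        timeoutPage = cfg.getInitParameter("SessionTimeoutRedirect");
        logoutPage = cfg.getInitParameter("LogoutRedirect");
        if (timeoutPage == null) {
            throw new ServletException("init-param SessionTimeoutRedirect is required");
        }
    }

    public void destroy() {
    }

    /**
     * Expired means: the client presented an id (so this is not its first
     * request) and either no live session matches that id, or the session
     * behind it was created during this request. The second condition covers
     * a replacement session that was given the same id the client sent,
     * assuming the container reports that session as new.
     */
    static boolean isExpired(String requestedId, boolean requestedIdValid, boolean sessionIsNew) {
        return requestedId != null && (!requestedIdValid || sessionIsNew);
    }

    /** Pages that stay reachable with a stale id: the timeout page and the post-logout page. */
    boolean isExempt(String requestUri) {
        return requestUri.endsWith("/" + timeoutPage)
            || (logoutPage != null && requestUri.endsWith("/" + logoutPage));
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (!(request instanceof HttpServletRequest)) {
            chain.doFilter(request, response);
            return;
        }
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;

        // getSession(false) never creates a session, so the check has no side effect.
        HttpSession session = req.getSession(false);
        boolean expired = isExpired(req.getRequestedSessionId(),
                                    req.isRequestedSessionIdValid(),
                                    session != null && session.isNew());

        if (expired && !isExempt(req.getRequestURI())) {
            // Start the replacement session now, so the follow-up request for the
            // timeout page carries a live id and is not redirected a second time.
            req.getSession(true);
            // Assumption: the configured page is relative to the context root.
            res.sendRedirect(res.encodeRedirectURL(req.getContextPath() + "/" + timeoutPage));
            return;
        }
        // First request, live session, or an exempt page: continue normally.
        chain.doFilter(request, response);
    }
}
```

After an explicit `session.invalidate()` on logout, the request for the page named in `LogoutRedirect` passes through with a fresh session instead of landing on the timeout page.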

  • Netlet Session timeout

    Does anybody in this forum have problem with the netlet session timeout?
    We use Netlet to run Citrix applications behind the portal. The Netlet session gets killed at any moment in the range of 6 hours to 40 hours in the production environment. We use portal6.0 with NetletKeepAlive patch installed. Session timeout and idle timeout are set to 48 hours, keep alive interval in Netlet is 1 minute.
    For the user to access the portal (and application thereafter), he has to go through proxy server at his end, and firewall at server side.
    Without proxy and firewall in our test environment , the Netlet session stays much longer and is more predictable. Could the proxy server and firewall complicate the session? Thanks.

    Pl post details of OS and EBS versions.
    These docs may also help
    How To Fix The Forms Timeout Issue In Oracle Applications 11i          (Doc ID 269884.1)
    How to Control iStore Session Timeout          (Doc ID 377436.1)
    HTH
    Srini

  • Portal Session Timeout Setting

    There is a JServ session and a portal session. I know how to control session timeout and session clean up frequency in JServ - that's in zone.properties. But, I don't know how to set timeout for portal session, i.e., I'd like to have the user be forced to login again when he has been idle for 15 mins - and only if he has been idle. Jserv session settings are not sufficient for this because Portal has its own session that must time out.
    How to set this timeout value (I'm using my own provider which has a timeout setting in zone.properties and includes a bunch of JSP portlets)? Also, is there a clean up thread for which the frequency has to be set?

    I've contacted metalink weeks ago, and this is NOW, a known bug...
    Incredible... Oracle just DO NOT TEST their products... Even a simple SESSION timeout do not work. Also, if I click back after "I log In and Log out" ... Session still up without have to login again!
    BUG 2442268
