Question

I need your advice on how to solve this problem. I have a grails webservice with spring security on the server, and ext js web page on the client. The session timeout (web.xml) is 30 minutes, and after that time of inactivity the user is logged off successfully.

Now I need to poll from the client side (ajax) to get new information from the server. This is happening in the background every 2 minutes. (A push service would be nice here, but I can't use it for now...)

Because of the 2 minute request interval the 30 minute timeout is never reached and the user will never be logged off automatically.

  • I use a session cookie on the client side, which is transferred to the server with every request.
  • In this particular ajax request I additionally added BasicAuthentication params, to prevent spring security from using the session id from the request - but this is not working.
  • It's not possible to remove the JSESSION ID from this request, it's always added by the browser.

How can I create an ajax request without extending the session?

Regards, grailsfan


Solution

In general you cannot. Once the session is created, it always gets updated (lastAccessTime) when a request comes in.

You would have to implement this feature on your own. I did it a couple of times, it's not that hard.

The idea is that you update session.lastAccessMillis with System.currentTimeMillis() inside a Grails before-filter. The update should happen only for non-XHR requests. Then you also check whether such a request did not come too late; otherwise, invalidate the session.

Something like

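class SessionTimeoutFilters {

  // 30 minutes in milliseconds, matching the web.xml timeout from the question
  static final long TIMEOUT = 30 * 60 * 1000L

  def filters = {

    all( uri:'/**' ){

      before = {
        // XHR (polling) requests are skipped and never touch the timestamp
        if( request.xhr ) return
        long now = System.currentTimeMillis()
        if( !session.lastAccessMillis || TIMEOUT < now - session.lastAccessMillis )
          session.lastAccessMillis = now
        else
          session.invalidate()
      }
    }
  }
}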

Other suggestions

From injecteer's answer, the line:

TIMEOUT < now - session.lastAccessMillis

should be:

TIMEOUT > now - session.lastAccessMillis

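class SessionTimeoutFilters {

  // 30 minutes in milliseconds, matching the web.xml timeout from the question
  static final long TIMEOUT = 30 * 60 * 1000L

  def filters = {

    all( uri:'/**' ){

      before = {
        // XHR (polling) requests are skipped and never touch the timestamp
        if( request.xhr ) return
        long now = System.currentTimeMillis()
        // first request, or still inside the idle window: refresh the timestamp
        if( !session.lastAccessMillis || TIMEOUT > now - session.lastAccessMillis )
          session.lastAccessMillis = now
        else
          session.invalidate()
      }
    }
  }
}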
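
A variant of the filters above that also applies the idle check to XHR requests, so background polls stop being served once the timeout has passed (in the posted filters, request.xhr returns before the check is reached). This is an added example, not code from either answer; it is plain Groovy with a Map standing in for the session, and IdleTimeout, check() and the sample timelines are assumptions.

```groovy
// Added example: plain Groovy, runs without Grails. The Map stands in for the
// HttpSession; IdleTimeout, check() and the sample users are hypothetical names.
class IdleTimeout {
    static final long TIMEOUT_MS = 30 * 60 * 1000L   // 30 minutes, as in the question

    /** Returns true if the request may proceed, false if the session was expired. */
    static boolean check(Map session, boolean xhr, long now) {
        Long last = session.lastAccessMillis as Long
        // Enforce the idle limit on every request, background polls included.
        if (last != null && now - last > TIMEOUT_MS) {
            session.clear()              // stand-in for session.invalidate()
            return false                 // a before-filter would stop the request here
        }
        // Only user-driven (non-XHR) requests move the idle clock forward.
        if (!xhr || last == null) {
            session.lastAccessMillis = now
        }
        return true
    }
}

long MIN = 60 * 1000L

// Constructed timeline 1: page load at minute 0, then only polls every 2 minutes.
def idle = [user: 'alice']
assert IdleTimeout.check(idle, false, 0L)
def firstRejected = (1..20).find { i -> !IdleTimeout.check(idle, true, i * 2 * MIN) }
assert firstRejected == 16               // the poll at minute 32 is the first one refused
assert !idle.containsKey('user')         // session state is gone

// Constructed timeline 2: a real click at minute 20 resets the clock.
def active = [user: 'bob']
assert IdleTimeout.check(active, false, 0L)
assert IdleTimeout.check(active, false, 20 * MIN)
assert IdleTimeout.check(active, true, 32 * MIN)     // only 12 minutes idle
assert active.lastAccessMillis == 20 * MIN           // the poll did not extend the session
println "first refused poll: minute ${firstRejected * 2}"
```

The container's own 30-minute timeout in web.xml still gets refreshed by every poll, so this application-level timestamp is the only idle limit in effect while polling is running.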
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow