Logout redirects user to login page again after user tries login again when session timeouts

Question

In order to avoid session timeout in login page and the ViewExpiredException, I switch set state saving to client using:

 <context-param>
      <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
      <param-value>client</param-value>
 </context-param>

I noticed that when session timeouts, and I tried to log in again, I will be redirected to the last page I visited unless I get this error:

 ERROR [org.apache.catalina.connector.CoyoteAdapter] An exception or 
   error occurred in the container during the request processing                        
   java.lang.ArrayIndexOutOfBoundsException
 ERROR [org.apache.coyote.http11.Http11Processor] Error finishing response 
   java.lang.ArrayIndexOutOfBoundsException at java.lang.System.arraycopy(Native Method)

which redirects the user to the home page. I didn’t figure out yet how but I think it’s ok for now. My problem right now is when the user clicked the link for log out when the session timeouts, and tried to log in again, he will be redirected to the login page again. My observation is since it didn’t encounter the error above, it continued to perform what the logout link should perform which is to perform Identity.logout() and redirect the user to the login page. I thought the one who caused the redirection to login page were this line in the pages.xml.

<navigation from-action="#{identity.logout}">
      <end-conversation before-redirect="true" />
      <redirect view-id="/identifier.xhtml" />
</navigation>

But removing the lines didn’t fix the problem. Possible solutions are:

1. Excluding logout from being executed when session timeouts and the user tries to login again

2. Stop continuing every method when session timeouts and the user tries to login again and direct the user to the homepage instead just like a fresh login (I think this will also prevent the ArrayIndexOutOfBoundsException in Http11Processor)

What can you suggest the best ways on implementing this solutions? I am using jboss-soa 4.3.0 and jsf 1.1

 

Answer 1

I managed to do my solution 2 by removing these lines in the components.xml:

    <event type="org.jboss.seam.security.notLoggedIn">
      <action execute="#{redirect.captureCurrentView}"/>
      <action execute="#{identity.tryLogin}"/> 
    </event>
    <event type="org.jboss.seam.security.loginSuccessful">
        <action execute="#{redirect.returnToCapturedView}"/>
     </event>

 

Now every time session expires and the user tries to login, he is redirected to the homepage. This is enough to fix my logout problem and remove the ArrayIndexOutOfBoundsException for now unless they want to recover the last page the user has visited.

Answer 2

It is my solution in my project like you. It is using Servlet Filter.

Assume => After login process, user object might keep in session with id "loginUser".

public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
    HttpServletRequest httpRequest = (HttpServletRequest) servletRequest;
    HttpServletResponse httpResponse = (HttpServletResponse) servletResponse;
    HttpSession session = httpRequest.getSession();
    User user = (User) session.getAttribute("loginUser");
    if (user != null) {
        filterChain.doFilter(servletRequest, servletResponse);
    } else {
        httpResponse.sendRedirect(httpRequest.getContextPath() + "/login.xhtml");
    }
}