Programmatically detecting login or logout events


by MartinOShea

Hello

I'm trying to find a way to detect the events caused when a user logs into or logs out of an application I'm working on. I want to record these events so that I know the exact steps a user has taken through the application's JSPs and servlets. I want to do this without reference to the Apache Tomcat server logs as well.

I have tried the following code in index.jsp (which is serving as each user's home page):

<% if (request.getParameter("logoff") != null) {
       session.invalidate();
       response.sendRedirect("/myDataSharer/jsp/user/index.jsp");      
       return;
} %>  

And I have tried using variations like:

<% if (request.getParameter("logon") == true) {

But without success.

I have used request.getRemoteUser() at various points in the application to identify the current user when they are authenticated by Apache Tomcat. However, request.getRemoteUser() does not tell me when the user logged in or off.

Does anyone know a way that the login and logout events can be recorded by an event in a program, a session object and so on?

I'm using NetBeans 6.1 with Apache Tomcat 6.X.

Thanks

Martin O'Shea.

Re: Programmatically detecting login or logout events

by Mark Thomas

MartinOShea wrote:
> I have used request.getRemoteUser() at various points in the application to
> identify the current user when they are authenticated by Apache Tomcat.
> However, request.getRemoteUser() does not tell me when the  user logged in
> or off.
request.getRemoteUser() tells you if the user is authenticated.

> Does anyone know a way that the login and logout events can be recorded by
> an event in a program, a session object and so on?
Have you looked at session listeners?

It depends what you mean by login and logout.
If login is the transition from request.getRemoteUser()==null to
request.getRemoteUser()!=null and logout is when the session is invalidated
then a combination of request.getRemoteUser() and a session listener should
be all you need.

Mark



---------------------------------------------------------------------
To start a new topic, e-mail: users@...
To unsubscribe, e-mail: users-unsubscribe@...
For additional commands, e-mail: users-help@...


Re: Programmatically detecting login or logout events

by MartinOShea


Mark

By login or logout, I mean the actual physical login and logout actions by the user concerned which I expect translate to request.getRemoteUser()==null for logout and request.getRemoteUser()!=null for login. But I'm not familiar with session listeners so I will be looking at them later.

Do you have any sample code at all?

Thanks

Martin O'Shea.

Re: Programmatically detecting login or logout events

by Johnny Kewl


----- Original Message -----
From: "MartinOShea" <appy74@...>
To: <users@...>
Sent: Monday, July 28, 2008 10:15 AM
Subject: Programmatically detecting login or logout events


>
> Hello
>
> I'm trying to find a way to detect the events caused when a user logs into
> or logs out of an application I'm working on. I want to record these
> events
> so that I know the exact steps a user has taken through the application's
> JSPs and servlets. I want to do this without reference to the Apache
> Tomcat
> server logs as well.
>
> I have tried the following code in index.jsp (which is serving as each
> user's home page):
>
> <% if (request.getParameter("logoff") != null) {
>       session.invalidate();
>       response.sendRedirect("/myDataSharer/jsp/user/index.jsp");
>       return;
> } %>
>
> And I have tried using variations like:
>
> <% if (request.getParameter("logon") == true) {
>
> But without success.
>
> I have used request.getRemoteUser() at various points in the application
> to
> identify the current user when they are authenticated by Apache Tomcat.
> However, request.getRemoteUser() does not tell me when the  user logged in
> or off.
>
> Does anyone know a way that the login and logout events can be recorded by
> an event in a program, a session object and so on?
>

Martin the problem is that even when you invalidate the session... the
browser itself still knows that the user is cool...
So TC will send it a new session ID and it will return the info without even
asking the user to logon as such...

Even when a user opens a new page in the browser... it knows they "still"
cool
Until the browser is closed they logged on ;)
And there is no direct "the browser is gone event"... browsers are stateless
yada yada

if request.getRemoteUser() has the user's name... they on... you don't know
when they off

but you can track the user... either you have that in every page and if you
get a name you record time page url...
or you can stick that in a filter... which sits in front of all your pages,
so you don't have to doctor every page on a site...

You know when they in... you don't know when they gone..
Some security systems do have the ability to timeout dormant browsers... ie
the user has left it open and left their desk, but TC I don't think can do
that without addon tools.

request.getRemoteUser()  in a filter will do what you need I think... you
can track em... but you don't know when they having lunch ;)

Good Luck


Re: Programmatically detecting login or logout events

by Alan Chaney


> Martin the problem is that even when you invalidate the session... the
> browser itself still knows that the user is cool...
> So TC will send it a new session ID and it will return the info without
> even asking the user to logon as such...
>

Please indicate the part of the Tomcat code which makes the above
behavior happen. I quote from the Servlet 2.4 spec.

"If the user is authenticated using form login and has created an HTTP
session, the timeout or invalidation of that session leads to the user
being logged out in the sense that subsequent requests must be
re-authenticated." (SRV.12.5.3.1 Login Form Notes)

so I don't think what you say is correct.


> Even when a user opens a new page in the browser... it knows they
> "still" cool
> Until the browser is closed they logged on ;)
> And there is no direct "the browser is gone event"... browsers are
> stateless yada yada

This isn't actually correct. Invalidating the session on the server
means that the browser's record of the session is as though the session
never existed. Tomcat will no longer 'associate' session state with the
session Id provided by the browser and all the state in the session is
lost (unless persisted by an application.)

request.getRemoteUser() will return null because the browser and server
can no longer agree on a sessionID, this is as other contributors have
said the 'logged out' state.

The standard servlet authentication mechanisms will redirect any
further access to protected pages to the selected login mechanism as soon
as the session is invalidated.

>
> if request.getRemoteUser() has the user's name... they on... you don't
> know when they off
>
> but you can track the user... either you have that in every page and if
> you get a name you record time page url...
> or you can stick that in a filter... which sits in front of all your
> pages, so you don't have to doctor every page on a site...
>
> You know when they in... you don't know when they gone..

It is true that unless you have some javascript code which specifically
generates an event to say that the browser is logged out AND the network
connection is still valid, you don't actually know that the browser has
'gone'. However, you can easily generate a session timeout event.

I have actually implemented user state logging (detect log in event,
detect navigation events and detect either manual logout or session
timeout) and it works fine. It is driven entirely from looking at the
state of 'getRemoteUser' and the session timeout event.

Regards

Alan Chaney







Re: Programmatically detecting login or logout events

by David Smith-2

> Martin the problem is that even when you invalidate the session... the
> browser itself still knows that the user is cool...
> So TC will send it a new session ID and it will return the info
> without even asking the user to logon as such...
I can see this happening ONLY if the user is authenticating via BASIC
auth or using a front end like Apache Httpd to perform authentication.  
With Form authentication, this behavior would not happen.  With form
auth, the user would be redirected to the login page before a secured
page ever received another request from that user.

--David



Re: Programmatically detecting login or logout events

by Christopher Schultz-2


Martin,

MartinOShea wrote:
| I'm trying to find a way to detect the events caused when a user logs into
| or logs out of an application I'm working on.

There is no good way to do this in Tomcat.

In order to do something similar (we want to load user preferences from
the database after login), we created a Filter that checks every request
for a session containing a "user" object. If the user object is not
present, we perform the "login" (which is actually /after/ the
authentication and authorization), load whatever we want from the
database, etc., and then put the "user" object into the session. After
that, the Filter basically does nothing.

As for logout, you really only have one option: use a SessionListener to
observe sessionDestroyed events. If your users never explicitly log out
of your application, then you will only be notified when their sessions
time-out.

-chris



Re: Programmatically detecting login or logout events

by MartinOShea

Chris

Thanks for the reply. In the various servlets making up this application, I don't currently have a user object in every request but tend to use request.getRemoteUser() where necessary. This also minimizes traffic. But what you've suggested is good.

Thanks

Martin O'Shea.

Re: Programmatically detecting login or logout events

by Christopher Schultz-2


Martin,

MartinOShea wrote:
| Thanks for the reply. In the various servlets making up this application, I
| don't currently have a user object in every request but tend to use
| request.getRemoteUser() where necessary. This also minimizes traffic. But
| what you've suggested is good.

You don't necessarily need a user object -- just something that you can
use as a marker in the session to indicate that you have processed the
login. It can be as simple as a key and Boolean.TRUE stuffed in there.
Don't make things more complicated than necessary.

-chris

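
The Filter plus session-listener approach suggested in this thread, written out as an added example (not code posted by any participant). The class name `AuthEventLogger`, the session key `MARKER` and the `authEvents` logger are hypothetical; the class has to be registered in web.xml both as a filter mapped to `/*` and as a listener.

```java
import java.io.IOException;
import java.util.logging.Logger;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example: records login, page visits and logout/timeout per session.
public class AuthEventLogger implements Filter, HttpSessionListener {
    // Hypothetical session key; its presence means the login was already recorded.
    static final String MARKER = "authEventLogger.user";
    // Assumed sink: a java.util.logging logger; swap for a database write if needed.
    static final Logger LOG = Logger.getLogger("authEvents");

    public void init(FilterConfig cfg) { }
    public void destroy() { }

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        String user = req.getRemoteUser();
        if (user != null) {
            HttpSession s = req.getSession();
            if (s.getAttribute(MARKER) == null) {
                // First authenticated request in this session: the login event.
                s.setAttribute(MARKER, user);
                LOG.info("LOGIN user=" + clean(user) + " addr=" + req.getRemoteAddr());
            }
            LOG.info("VISIT user=" + clean(user) + " uri=" + clean(req.getRequestURI()));
        }
        chain.doFilter(rq, rs);
    }

    public void sessionCreated(HttpSessionEvent e) { }

    // Called for session.invalidate() and for timeout, while attributes are still readable.
    public void sessionDestroyed(HttpSessionEvent e) {
        HttpSession s = e.getSession();
        Object user = s.getAttribute(MARKER);
        if (user == null) return; // session never saw an authenticated request
        long idleMs = System.currentTimeMillis() - s.getLastAccessedTime();
        int max = s.getMaxInactiveInterval(); // seconds; <= 0 means no timeout
        // Heuristic: idle for at least the timeout means expiry, otherwise explicit logout.
        String why = (max > 0 && idleMs >= max * 1000L) ? "timeout" : "invalidate";
        LOG.info("LOGOUT user=" + clean(user.toString()) + " reason=" + why);
    }

    // Strip CR/LF so a crafted URI or user name cannot forge extra log lines.
    static String clean(String v) { return v.replaceAll("[\\r\\n]", "_"); }
}
```

With BASIC authentication the browser re-sends credentials after a session is invalidated, so a fresh LOGIN line appears on the next request; with form login the user is sent back to the login page first.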