@royling
Last active September 6, 2016 09:38
Polling vs. Session timeout

TL;DR

To keep a page up to date, or to simulate push notifications, a client can fetch data from the server by sending requests (e.g. AJAX) periodically. This is called polling, but it introduces a security risk: every polling request counts as session activity, so the session never times out for as long as the page stays open, even if the user has walked away.

Solution/Workaround

This is not easy to fix with a simple web server configuration (e.g. Tomcat's session-timeout), because a REST API cannot tell whether a request comes from user activity or from polling: both refresh the container's last-accessed time.

However, manual timeout management, keyed on user activity only, can mitigate the issue.

  • A filter mapped to all requests that checks whether the timeout has elapsed since LAST_ACCESS_TIME. Note that LAST_ACCESS_TIME must also be set when the session is created (e.g. at login); otherwise a session that has only ever polled has no value to check against and never expires.

```java
Long lastAccessTime = (Long) session.getAttribute("LAST_ACCESS_TIME");
if (lastAccessTime != null && System.currentTimeMillis() - lastAccessTime > TIMEOUT_THRESHOLD) {
    // timeout: invalidate session
    session.invalidate();
    // TODO: send 401 status or redirect to logout
}
```

  • Another filter mapped only to user-activity requests (not to polling endpoints) that resets LAST_ACCESS_TIME. This filter must run after the previous one, so that a request cannot refresh a session that has already timed out.

```java
session.setAttribute("LAST_ACCESS_TIME", System.currentTimeMillis());
```
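Below is a complete version of the two-filter approach, added here as a worked example; it is not the gist's own code. It assumes the javax.servlet API (Tomcat 9 and earlier; Tomcat 10+ renames the packages to jakarta.servlet), the package name example.session, a 30-minute threshold, and the URL layout /* for everything and /api/user/* for user-activity endpoints, all of which are assumptions and not from the original. It also handles the edge case the snippets above leave open: a session that has only ever polled and therefore never had LAST_ACCESS_TIME set.

```java
package example.session; // assumed package name

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Two servlet filters implementing the manual idle timeout. Both are nested here so the
 * listing is a single compilable file; web.xml references them as
 * example.session.SessionTimeoutFilters$IdleTimeoutFilter and ...$ActivityFilter.
 *
 * Filter order matters: IdleTimeoutFilter must run before ActivityFilter. web.xml applies
 * filters in the order of their filter-mapping elements, so list the idle check first:
 *
 *   <filter-mapping><filter-name>idleTimeout</filter-name><url-pattern>/*</url-pattern></filter-mapping>
 *   <filter-mapping><filter-name>activity</filter-name><url-pattern>/api/user/*</url-pattern></filter-mapping>
 *
 * Polling endpoints (e.g. an assumed /api/poll/*) are deliberately NOT covered by the second mapping.
 */
public final class SessionTimeoutFilters {
    static final String LAST_ACCESS_TIME = "LAST_ACCESS_TIME";
    /** Idle limit; 30 minutes is an assumed value. */
    static final long TIMEOUT_THRESHOLD_MS = 30L * 60 * 1000;

    private SessionTimeoutFilters() {}

    /** Mapped to every request. Checks the idle clock but never resets it. */
    public static final class IdleTimeoutFilter implements Filter {
        @Override public void init(FilterConfig config) {}
        @Override public void destroy() {}

        @Override
        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            HttpServletRequest request = (HttpServletRequest) req;
            HttpServletResponse response = (HttpServletResponse) res;
            // getSession(false): a polling request must never be allowed to create a session.
            HttpSession session = request.getSession(false);
            if (session != null) {
                Long lastAccess = (Long) session.getAttribute(LAST_ACCESS_TIME);
                // Edge case: a session that has only ever polled never had LAST_ACCESS_TIME set.
                // Fall back to the session creation time so such a session still expires.
                long since = lastAccess != null ? lastAccess : session.getCreationTime();
                if (System.currentTimeMillis() - since > TIMEOUT_THRESHOLD_MS) {
                    session.invalidate();
                    response.setHeader("Cache-Control", "no-store");
                    // 401 lets the polling JavaScript detect the timeout and redirect to logout.
                    response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "session idle timeout");
                    return; // do not continue the chain for an expired session
                }
            }
            chain.doFilter(req, res);
        }
    }

    /** Mapped only to user-activity URLs. Refreshes the idle clock; runs after IdleTimeoutFilter. */
    public static final class ActivityFilter implements Filter {
        @Override public void init(FilterConfig config) {}
        @Override public void destroy() {}

        @Override
        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            HttpSession session = ((HttpServletRequest) req).getSession(false);
            if (session != null) {
                // Only genuine user activity reaches this filter, so only it moves the clock.
                session.setAttribute(LAST_ACCESS_TIME, System.currentTimeMillis());
            }
            chain.doFilter(req, res);
        }
    }
}
```

Keep the container's own session-timeout configured as well: it still covers the case where the tab is closed and polling stops. The JavaScript that polls should treat a 401 from the poll endpoint as "session expired" and navigate to the logout page rather than retrying.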
