swing app, how to make logout after time out

[John_Woo]

Hi,

I'm wondering, what's the idea to enable a swing app logout user as
soon as the session time out?

This's a online app as well, but what I want is, the JFrame itself
controls the logout, and send the logout time to server via socket.

The requirement is that, whenever a button clicked or menu items
changed by clicking on the sub-menu icon, then the session time refresh
to 0; Every icon in menu bar associated with a panel, and the buttons
on button-bar associated with actions.

This attemption leads to a challenging question: how to prevent user
changing the computer's time before session time out, to always keep
alive (I know we can use the server's time, but that is not a good
choose as there may be up to 1 million of users and the session time is
not stored in table)?

 

[Rogan Dawes]

Hi,

I'm wondering, what's the idea to enable a swing app logout user as
soon as the session time out?

This's a online app as well, but what I want is, the JFrame itself
controls the logout, and send the logout time to server via socket.

The requirement is that, whenever a button clicked or menu items
changed by clicking on the sub-menu icon, then the session time refresh
to 0; Every icon in menu bar associated with a panel, and the buttons
on button-bar associated with actions.

This attemption leads to a challenging question: how to prevent user
changing the computer's time before session time out, to always keep
alive (I know we can use the server's time, but that is not a good
choose as there may be up to 1 million of users and the session time is
not stored in table)?

If the session time is not stored on the server, the user has full
control over your application (reverse-engineering it, etc), and can
disable the timeout if desired.

The only secure way to implement this is to keep the session timeout
value on the server. You can ALSO keep it on the client, to allow you to
perform user-friendly actions (display a dialog, etc), but it MUST be
kept on the server too.

If you are planning on supporting 1 million simultaneous users, I
imagine that you'll have sufficient servers clustered to allow you to
maintain a session timeout too.

Regards,

Rogan

 

[Bob]

Hi,

I'm wondering, what's the idea to enable a swing app logout user as
soon as the session time out?

This's a online app as well, but what I want is, the JFrame itself
controls the logout, and send the logout time to server via socket.

The requirement is that, whenever a button clicked or menu items
changed by clicking on the sub-menu icon, then the session time refresh
to 0; Every icon in menu bar associated with a panel, and the buttons
on button-bar associated with actions.

This attemption leads to a challenging question: how to prevent user
changing the computer's time before session time out, to always keep
alive (I know we can use the server's time, but that is not a good
choose as there may be up to 1 million of users and the session time is
not stored in table)?

what about getting the local time when the app initializes and then
storing it and using it as reference? then even if the user changes the
comp's time, the initial time is stored and refrenced from?

just a thought....

 

[Oliver Wong]

what about getting the local time when the app initializes and then
storing it and using it as reference? then even if the user changes the
comp's time, the initial time is stored and refrenced from?

Let's say you get the local time when the app initializes, and it's
1152283228 (milliseconds since the Unix epoch). Some amount of time passes,
and the user modifies the system clock, and you get the time again, just to
check stuff. It says 1152283228 again. I.e. it would seem from your
perspective that zero time has passed, although in actuallity perhaps
several hours have elapsed.

- Oliver

 

[Bob]

Let's say you get the local time when the app initializes, and it's
1152283228 (milliseconds since the Unix epoch). Some amount of time passes,
and the user modifies the system clock, and you get the time again, just to
check stuff. It says 1152283228 again. I.e. it would seem from your
perspective that zero time has passed, although in actuallity perhaps
several hours have elapsed.

- Oliver

yeap, your right, sorry, it was not thought out on my end.

 

[Daniel Dyer]

Hi,

I'm wondering, what's the idea to enable a swing app logout user as
soon as the session time out?

This's a online app as well, but what I want is, the JFrame itself
controls the logout, and send the logout time to server via socket.

The requirement is that, whenever a button clicked or menu items
changed by clicking on the sub-menu icon, then the session time refresh
to 0; Every icon in menu bar associated with a panel, and the buttons
on button-bar associated with actions.

Use this to receive all of system-wide the AWTEvents (filtered by the mask
you specify):

http://java.sun.com/j2se/1.5.0/docs...EventListener(java.awt.event.AWTEventListener,
long)

You can then implement a single method to reset the timeout.

This attemption leads to a challenging question: how to prevent user
changing the computer's time before session time out, to always keep
alive (I know we can use the server's time, but that is not a good
choose as there may be up to 1 million of users and the session time is
not stored in table)?

Use this, it only measures elapsed time, not wall-clock time:

http://java.sun.com/j2se/1.5.0/docs/api/java/lang/System.html#nanoTime()


Dan.

 

[Thomas Hawtin]

Use this to receive all of system-wide the AWTEvents (filtered by the
mask you specify):

http://java.sun.com/j2se/1.5.0/docs...EventListener(java.awt.event.AWTEventListener,
long)

You wont be able to do that from a secure WebStart/JNLP application or
applet. But you should be able to override EventQueue.dispatchEvent
(although external copy & paste will stop working). Overriding postEvent
wont work as Toolkits generally don't go through it.

http://download.java.net/jdk6/docs/api/java/awt/EventQueue.html#dispatchEvent(java.awt.AWTEvent)

Tom Hawtin