Http Polling

Server polling with session timeout

Lokesh Pathrabe
Jun 7, 2019

Recently I faced a challenge where I had to implement session timeout after some time of idleness on an application. This application had a client polling the server every few seconds. This was not a straightforward task.

The HTTP session support in most web servers takes care of session timeouts on its own: if there is no server call (AJAX or user interaction with the page) for a predefined amount of time (defined by session.timeout in the config), the server expires the session and the user is logged out.

But in a scenario where your application polls the server for updates every few seconds, the session never times out. Why?

Well, on every request that reaches the server, the session timeout is reset. This can be verified in the browser's cookies: look for a cookie with a name like session_id and a max_age attribute. Notice that with every request to the server this cookie's max_age gets updated.

Take the example of an application where the cricket score gets updated by a polling request every 5 sec. Say the request is http://domain.com/cricket/get_score.

The session will not time out as long as we are polling the server every 5 secs.

Here is a solution to make the session time out. The following code is written for the Python server CherryPy, but you can implement the same logic for any other server.

The first step is to execute the following line when a request is received at the cricket/get_score URL. This saves the timestamp of the first hit into the session.

cherrypy.session['prevent_session'] = time.time()

On subsequent hits, we compute active_session_time, the difference between the current time and the timestamp saved when cricket/get_score was first hit. If it exceeds the configured server timeout (serverTimeout, multiplied by 60 in the code to convert it to seconds), we expire the session and return an HTTP 401 error.

prevent_session = cherrypy.session.get('prevent_session', None)
if prevent_session:
    # seconds elapsed since the first poll recorded in the session
    active_session_time = time.time() - prevent_session
    if active_session_time > serverTimeout * 60:
        # expire the session cookie and reject the request
        cherrypy.lib.sessions.expire()
        raise cherrypy.HTTPError(401)

This looks good so far. But what if the user navigates to another URL and then comes back to the cricket/get_score page? We need to delete prevent_session from the session dict whenever the user navigates to any other URL. When the user returns to this page, we save the current timestamp in the session again.

del cherrypy.session['prevent_session']

Putting all the code together

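import time

import cherrypy

# serverTimeout is the application's configured timeout, defined elsewhere;
# the * 60 below converts it to seconds

def prevent_session_extend(clear=True):
    prevent_session = cherrypy.session.get('prevent_session', None)
    if prevent_session:
        # seconds elapsed since the first poll recorded in the session
        active_session_time = time.time() - prevent_session
        if active_session_time > serverTimeout * 60:
            # expire the session cookie and reject the request
            cherrypy.lib.sessions.expire()
            raise cherrypy.HTTPError(401)
    else:
        # first poll since the user landed on this page: record when it happened
        cherrypy.session['prevent_session'] = time.time()

def delete_prevent_session_flag():
    # the user navigated elsewhere: forget the polling timestamp
    prevent_session = cherrypy.session.get('prevent_session', None)
    if prevent_session:
        del cherrypy.session['prevent_session']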

We can enable the function prevent_session_extend on the 'cricket/get_score' URL and delete_prevent_session_flag on the root URL in the server config, as shown below.

{
    '/': {
        'tools.delete_prevent_session_flag.on': True,
        # ...
    },
    'cricket/get_score': {
        'tools.prevent_session_extend.on': True,
        # ...
    }
}

The lines below register our functions as hooks that are executed when the user hits the URLs.

cherrypy.tools.prevent_session_extend = cherrypy.Tool("before_handler", prevent_session_extend)
cherrypy.tools.delete_prevent_session_flag = cherrypy.Tool("before_handler", delete_prevent_session_flag)
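The idle-timeout idea above as a framework-independent model, added here as an example and not the author's code. It generalizes the approach by recording the last user-driven request rather than the first poll, and it removes the server-side entry on expiry; the names IdleTimeoutSessions and simulate, the 900-second timeout and the sample traffic are assumptions made for illustration.

```python
import secrets
import time


class IdleTimeoutSessions:
    """In-memory model: polling requests are served but never count as activity."""

    def __init__(self, idle_timeout, poll_paths, clock=time.time):
        self.idle_timeout = idle_timeout        # seconds of allowed idleness
        self.poll_paths = set(poll_paths)       # paths hit by background polling
        self.clock = clock
        self._last_active = {}                  # session id -> last user-driven request

    def login(self):
        sid = secrets.token_urlsafe(32)
        self._last_active[sid] = self.clock()
        return sid

    def handle(self, sid, path):
        """Return the HTTP status this request would get."""
        last = self._last_active.get(sid)
        if last is None:
            return 401                          # unknown or already invalidated id
        if self.clock() - last > self.idle_timeout:
            del self._last_active[sid]          # drop server-side state, not only the cookie
            return 401
        if path not in self.poll_paths:
            self._last_active[sid] = self.clock()   # only user-driven requests refresh
        return 200


def simulate(events, idle_timeout=900, poll_paths=("/cricket/get_score",)):
    """Replay constructed (seconds, path) requests; return [(seconds, status), ...]."""
    now = [0.0]
    store = IdleTimeoutSessions(idle_timeout, poll_paths, clock=lambda: now[0])
    sid = store.login()                         # session starts at t = 0
    results = []
    for t, path in events:
        now[0] = t
        results.append((t, store.handle(sid, path)))
    return results


if __name__ == "__main__":
    # Constructed traffic: a poll every 5 s for 20 minutes, no user interaction.
    polls = [(t, "/cricket/get_score") for t in range(5, 1205, 5)]
    first_401 = next(t for t, status in simulate(polls) if status == 401)
    print("first 401 at t =", first_401, "seconds")
```

CherryPy's cherrypy.lib.sessions.expire() expires the session cookie; the model also deletes the stored entry, so a request that replays the old session id after the timeout still gets a 401.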

Hope this helps in achieving session timeouts with server polling requests.

Happy Coding!!

Lokesh Pathrabe

Web developer working mostly on ReactJS and other react eco system tools and technologies.