Custom redirect after logout?

Jmix v2.3.1

I would like to have the user redirected to a static page after logout (instead of the login page). I’m not sure if this is Spring, Vaadin, or Jmix and I have not found any examples.

The specific questions would be: 1) how do I configure it, 2) where should I place my static html page?

The problem I am trying to solve is forgetful users. I have a 30 minute inactive timeout which works, and it takes them to the login page. If they don’t close their browser then Vaadin keeps sending requests to the server with an invalid key, and this causes warning messages in the log. These occur about once an hour, sometimes for days.

WARN 843451 --- [at-handler-3854] c.v.f.s.c.UidlRequestHandler             : Invalid security key received from 1.2.3.4
WARN 843451 --- [at-handler-3856] c.v.f.server.communication.PushHandler   : Invalid identifier in new connection received from 0.0.0.0
WARN 843451 --- [at-handler-3858] c.v.f.s.c.UidlRequestHandler             : Invalid security key received from 1.2.3.4

Hello,

Did you try to set vaadin.closeIdleSessions = true?

Thanks

I have vaadin.servlet.close-idle-sessions=true. Is that the same?

I guess yes. Do you use application.properties for the app configuration? Could you please provide settings from it related to the issue?

I use these settings (related to the forum post "Inactivity timeout").

The settings are:

server.servlet.session.timeout=30m
vaadin.servlet.close-idle-sessions=true
vaadin.heartbeatInterval=-1

The timeout seems to be working fine. My problem is that the user is taken back to the login screen where the Vaadin scripts will continually send requests to the server because the user does not close the browser.

Part of the reason for the invalid key could be the server was restarted and now the client and server are out of sync. But again, I think the root of the problem is the chatty login page. If the user could be taken to a static HTML page instead then there would be no more requests made after logout.

This setting is for a web server session.
server.servlet.session.timeout=30m

When a timeout occurs, the web server session is destroyed, but the Vaadin session is still alive.

According to the Vaadin documentation, there is no timeout if the value is set to negative: vaadin.heartbeatInterval=-1.

So, I assume you need to set:

server.servlet.session.timeout=30m
vaadin.servlet.closeIdleSessions=true

and remove this string:

vaadin.heartbeatInterval=-1

If there is no web app activity, the web server session will be destroyed in 30 minutes. The Vaadin session will be destroyed in about 45 minutes (30m web server session timeout and three heartbeat intervals with no response). There will not be any requests after that.

In my experience, the heartbeat prevented the server time out because it regularly caused activity that reset the timer. So the server session would never time out while the heartbeat was active.

Or maybe the heartbeat interval needs to be longer than the server timeout? For example, server session time out 30 minutes, and heartbeat 35 minutes?

Yes, the heartbeat keeps the session alive. But we want to close idle sessions. For this purpose we use vaadin.servlet.closeIdleSessions=true. Now, if a user doesn’t close a browser tab, Vaadin will close the user session after server.servlet.session.timeout and three heartbeat intervals (5 minutes by default).

You can see additional information here.

I just tried your recommendation. Settings in application.properties are:

server.servlet.session.timeout=30m
vaadin.servlet.close-idle-sessions=true
#vaadin.heartbeatInterval=-1

I started the application, logged in, and opened a view, then walked away. I had the dev tools open and could see the 5 minute heartbeat requests.

I came back after 52 minutes and the view was still open on the browser. I clicked a menu item and successfully navigated to another view, so my session was still valid. This does not meet the requirement of logging a user out when they have been inactive for 30 minutes.

Could you please try setting vaadin.closeIdleSessions=true, not vaadin.servlet.close-idle-sessions=true?

Same result. With these settings:

server.servlet.session.timeout=30m
#vaadin.servlet.close-idle-sessions=true
vaadin.closeIdleSessions=true
#vaadin.heartbeatInterval=-1

After waiting 1 hour the view was still open, and navigating to a different view was successful.

I tried another experiment with the heartbeat disabled and vaadin.closeIdleSessions=true.

Like my original settings, this DOES log the user out after 30 min of inactivity. I don’t notice any difference with the alternate closeIdleSessions spelling. The browser is redirected back to the login page. As I tried to say before, I am not having a problem with the timeout / logout. My problem is about how the login page continually issues requests even when you don’t touch it.

For example, I let the above timeout happen and then waited another 2-3 hours. I see these requests issued about every 30 minutes. It appears like the login page is reloading itself on a 30 minute timer.


So, back to my original question. I don’t want the user to sit on a page that sends requests every 30 minutes. How do I redirect them to a static (not Vaadin) page after logout? The page would simply say “you have been logged out” and maybe “click here to log in again”. This would eliminate the continual flow of requests and make supporting my app easier.

Hello Jeff,

I prepared a logout example with a static page.
LogoutExample.zip (103.1 KB)

This project contains the SessionManager bean. It overrides the Vaadin SystemMessages settings and sets the redirect URL for an expired session.
The static page is located here: resources/META-INF/resources/logout.html

The settings which we discussed yesterday manage the Vaadin session. So if you click on the link on the static page you’ll be redirected to the login page if the Vaadin session has been closed.
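One way to set a session-expired redirect through Vaadin's SystemMessages, as described in the post above. This is an added example, not the code from the attached LogoutExample project; the class name, package, and the assumption that the app runs at the root context path and that /logout.html is reachable without authentication are hypothetical. It only changes where the browser lands when Vaadin reports an expired session; it does not log the user out by itself.

```java
package com.example.logout; // hypothetical package, not from the attached project

import com.vaadin.flow.server.CustomizedSystemMessages;
import com.vaadin.flow.server.ServiceInitEvent;
import com.vaadin.flow.server.VaadinServiceInitListener;
import org.springframework.stereotype.Component;

/**
 * Registers a SystemMessagesProvider so that the Vaadin client navigates to a
 * static page when the server answers with "session expired".
 */
@Component
public class StaticSessionExpiredPage implements VaadinServiceInitListener {

    // Assumption: the file lives at src/main/resources/META-INF/resources/logout.html
    // (the location named in the post) and the app is served from the root context
    // path. With a context path configured, prefix it here.
    private static final String EXPIRED_URL = "/logout.html";

    @Override
    public void serviceInit(ServiceInitEvent event) {
        // The provider is asked for messages per request; return a fresh object
        // so no mutable state is shared between sessions.
        event.getSource().setSystemMessagesProvider(info -> {
            CustomizedSystemMessages messages = new CustomizedSystemMessages();

            // Where the browser goes once the client learns the session is gone.
            messages.setSessionExpiredURL(EXPIRED_URL);

            // Without this, Vaadin shows a "session expired" notification and
            // redirects only after the user clicks it. A forgotten tab would
            // stay on the Vaadin page, which is the case this thread is about.
            messages.setSessionExpiredNotificationEnabled(false);

            return messages;
        });
    }
}
```

The client only learns about the expiry when it next talks to the server (a heartbeat or a user action), so the redirect timing depends on the heartbeat settings discussed earlier in the thread.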

Hello, :wave:

As per my knowledge, to redirect users to a static page after logout in Jmix, you’ll need to modify your application’s security configuration. You need to follow these steps:

  • In your security configuration class, override the logout success handler to redirect to your static page instead of the default login page. You can do this in the WebSecurityConfigurerAdapter by customizing the logoutSuccessHandler.

  • Place your static HTML page in the src/main/resources/static directory of your project. This is where Spring serves static content by default.

This setup should help prevent the issue with invalid security keys, as users will be taken to a static page and won’t trigger unnecessary requests after they’re logged out.

I hope this will help you!

Respected community member! :blush:

Thank you for the example. I tried your project and the screen does navigate to the static page after a few minutes, but the user is not logged out. Navigating back to / displays the main view again. In fact, clicking the logout button also does not log the user out. You mentioned the Vaadin session closing, but how does that happen? With a 1 second heartbeat, shouldn’t that close after 3 seconds?

The user stays logged in because we don’t close the Vaadin session. We just do a redirect when the HTTP session expires. Then Vaadin gets three heartbeat requests without a response and removes the UI from its session. Now, if we have vaadin.closeIdleSession=true, Vaadin checks if the session is still active. To do this, Vaadin stores the time of the latest successful request, and if the elapsed time is greater than WrappedSession.getMaxInactiveInterval(), the current session is closed. The maxInactiveInterval is equal to server.servlet.session.timeout.

The example with the logout button does the same thing and doesn’t log out the user. It is just an example. I think you should consider security reasons and not allow a logout without a “real” logout.

Knowing all these features I think you will be able to set up a suitable workflow.