Http Session Creation and Destroy Events...

Posted on the 04 February 2014 by Araldam @araldam
HttpSession is one of the commonly used ways of identifying users across multiple requests between clients and servers. To provide services such as authentication and authorization, to store user information, and for logging and audit purposes, it is necessary to keep track of newly created sessions, active sessions and session destroy events. The HttpSessionListener interface in the servlet API provides methods through which implementation classes receive the session events published by the servlet container.
Let's look at a sample class 'WebSessionListener' which implements the "HttpSessionListener" interface.
    import javax.servlet.http.HttpSessionEvent;
    import javax.servlet.http.HttpSessionListener;

    public class WebSessionListener implements HttpSessionListener {

        // Notification that a session was created.
        @Override
        public void sessionCreated(HttpSessionEvent httpSessionCreatedEvent) {
        }

        // Notification that a session is about to be invalidated.
        @Override
        public void sessionDestroyed(HttpSessionEvent httpSessionDestroyedEvent) {
        }
    }
To receive notification events, the implementation class must be configured (commonly referred to as registered) in the deployment descriptor (web.xml) of the web application as follows.

    <listener>
        <listener-class>com.araTechBlog.sample.listeners.WebSessionListener</listener-class>
    </listener>

Any change in active sessions, i.e. session creation, session timeout etc., can be monitored and the necessary actions performed depending on the requirements. The HttpSession object can be accessed via the session event object, which represents event notifications for changes to sessions within a web application.
HttpSession httpSession = httpSessionEvent.getSession();

Both session invalidation and session timeout (expiry) are notified via the same sessionDestroyed event and can't be distinguished using this method.
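
An added example, not code from the original post: an audit listener that counts active sessions and logs a SHA-256 fingerprint of the session ID rather than the raw value, since a raw ID in a log file can be replayed as a session cookie by anyone who can read the log. Because the event itself does not say why the session ended, the listener estimates it by comparing idle time with getMaxInactiveInterval(). The class name AuditSessionListener, the fingerprint helper and the timeout heuristic are assumptions of this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.logging.Logger;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

// Hypothetical class name; register it in web.xml like WebSessionListener.
public class AuditSessionListener implements HttpSessionListener {

    private static final Logger LOG = Logger.getLogger(AuditSessionListener.class.getName());
    private static final AtomicInteger ACTIVE = new AtomicInteger();

    @Override
    public void sessionCreated(HttpSessionEvent event) {
        LOG.info("session created id=" + fingerprint(event.getSession().getId())
                + " active=" + ACTIVE.incrementAndGet());
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent event) {
        // The session is still readable here: it is "about to be invalidated".
        HttpSession s = event.getSession();
        long idleMs = System.currentTimeMillis() - s.getLastAccessedTime();
        int maxIdleSec = s.getMaxInactiveInterval(); // <= 0 means "never times out"
        // Heuristic (assumption): idle for at least the timeout => container expiry,
        // otherwise an explicit invalidate() such as a logout.
        boolean timedOut = maxIdleSec > 0 && idleMs >= maxIdleSec * 1000L;
        LOG.info("session destroyed id=" + fingerprint(s.getId())
                + " reason=" + (timedOut ? "timeout" : "invalidated")
                + " active=" + ACTIVE.decrementAndGet());
    }

    // First 8 bytes of SHA-256(sessionId) as hex: enough to correlate log lines,
    // useless as a session cookie.
    static String fingerprint(String sessionId) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256")
                    .digest(sessionId.getBytes(StandardCharsets.UTF_8));
            StringBuilder hex = new StringBuilder();
            for (int i = 0; i < 8; i++) hex.append(String.format("%02x", d[i]));
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e); // SHA-256 is required on every JVM
        }
    }
}
```

The reason field is an estimate: container expiry checks run periodically, so a session invalidated by the application after it has already passed its timeout is reported as a timeout.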
If you use Spring Security, the application context can be obtained inside the listener and beans looked up with the 'context.getBean()' method as follows.
    WebApplicationContext context = ContextLoader.getCurrentWebApplicationContext();
    CustomUserBean user = (CustomUserBean) context.getBean("customUser");

In a Spring environment, best practice is to use the 'ApplicationListener' interface provided by the Spring framework to receive session events.
In order to use ApplicationListener as a session event notifier, you need to register 'HttpSessionEventPublisher' in the web.xml, which is the event publisher of the Spring framework. If you look at the implementation of 'HttpSessionEventPublisher', you will see that it also implements 'HttpSessionListener' and publishes the session events received from the servlet container to the Spring root WebApplicationContext.

    <listener>
        <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
    </listener>

Define your bean in the security.xml


Implement 'ApplicationListener' in your implementation.
    import org.springframework.context.ApplicationEvent;
    import org.springframework.context.ApplicationListener;
    import org.springframework.security.web.session.HttpSessionCreatedEvent;
    import org.springframework.security.web.session.HttpSessionDestroyedEvent;
    import javax.servlet.http.HttpSession;
    import org.apache.log4j.Logger;

    public class WebSessionListener implements ApplicationListener<ApplicationEvent> {

        private static final Logger LOG = Logger.getLogger(WebSessionListener.class);

        @Override
        public void onApplicationEvent(ApplicationEvent applicationEvent) {

            if (applicationEvent instanceof HttpSessionCreatedEvent) { // If event is a session created event
                // Cast to the concrete event type to reach getSession()
                HttpSession httpSession = ((HttpSessionCreatedEvent) applicationEvent).getSession(); // get session object
                String sessionId = httpSession.getId(); // get session id
                // ...
                persistSessionData(sessionId); // save session data to DB
                LOG.debug(" Session is created |SESSION_ID :" + sessionId); // log data

            } else if (applicationEvent instanceof HttpSessionDestroyedEvent) { // If event is a session destroy event
                // ...
            } else {
                // ...
            }
        }

        // Application-specific persistence; the body is not shown in this post.
        private void persistSessionData(String sessionId) {
            // ...
        }
    }

Thoughts are welcome...