Reputation: 11
Could someone let me know how to differentiate a new login (new session) from a session timeout?

Only on login: the user must be authenticated and redirected to a servlet to load user details (in other scenarios the user must not be redirected to the servlet), and on timeout the user must be redirected to the timeout page.

To identify a new session (user not logged in):

-- Session attributes cannot be used since the session becomes null on timeout.
-- Setting cookies for session management didn't work. The cookies are getting removed for the current session:
```java
Cookie cookie = new Cookie("activeSession", null);
cookie.setMaxAge(0);
cookie.setPath("/");
cookie.setValue("");
httpServletResponse.addCookie(cookie);
```
`getCookieValue(httpServletRequest, "activeSession");` returns null:
```java
public static String getCookieValue(HttpServletRequest request, String name) {
    Cookie[] cookies = request.getCookies();
    if (cookies != null) {
        for (Cookie cookie : cookies) {
            if (cookie != null && name.equals(cookie.getName())) {
                return cookie.getValue();
            }
        }
    }
    return null;
}
```
After logout or timeout (session is invalidated), when the user logs in and a new session is created, the cookies that were removed in the previous session reappear with the preset values:

`getCookieValue(httpServletRequest, "activeSession")` returns a value.

If I use the approach below, it works for the 1st login attempt. After the first login session has timed out, the filter redirects to the timeout page. The actual problem arises when the user accesses the application in the same window after timeout.
```java
public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain)
        throws IOException, ServletException {
    if ((request instanceof HttpServletRequest) && (response instanceof HttpServletResponse)) {
        HttpServletRequest httpServletRequest = (HttpServletRequest) request;
        HttpServletResponse httpServletResponse = (HttpServletResponse) response;
        // Check for a new login: no session exists and the browser sent no session id
        if (httpServletRequest.getSession(false) == null
                && httpServletRequest.getRequestedSessionId() == null) {
            // Create a new session
            httpServletRequest.getSession();
            // Forward to the servlet on 1st login to fetch details from the DB
            httpServletRequest.getRequestDispatcher("/loginServlet").forward(request, response);
            return; // the response is committed; do not continue the chain
        } else {
            // Validate active or timed-out sessions: a session id was sent but is no longer valid
            boolean isSessionTimedOut = (httpServletRequest.getRequestedSessionId() != null)
                    && !httpServletRequest.isRequestedSessionIdValid();
            if (isSessionTimedOut) {
                // getTimeoutPage() is the filter's own helper (not shown)
                httpServletResponse.sendRedirect(getTimeoutPage());
                return;
            }
        }
    }
    filterChain.doFilter(request, response);
}
```
Therefore the details are not fetched from the DB and the page is not loaded correctly.

Browser: IE 8. Server: WebLogic Server.
Upvotes: 0
Views: 1379
Reputation: 1108782
Your cookie approach is unnecessary and technically invalid. A max age of 0 makes it expire immediately when the response is processed. But anyway, you don't need an additional cookie. The HttpSession is by itself already backed by a cookie and the Servlet API already offers methods to check the one and the other. Just store the logged-in user as an attribute of the HttpSession (which can in turn be a session scoped JSF managed bean).

The following example should do, assuming that you've stored the logged-in user as a property of a session scoped JSF managed bean with the managed bean name "auth".
```java
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws ServletException, IOException {
    HttpServletRequest req = (HttpServletRequest) request;
    HttpServletResponse res = (HttpServletResponse) response;
    // getSession() creates a fresh session (and cookie) if the old one is gone
    Authenticator auth = (Authenticator) req.getSession().getAttribute("auth");

    if (req.getRequestedSessionId() != null && !req.isRequestedSessionIdValid()) {
        // Browser sent a session id the container no longer knows: timed out / logged out
        res.sendRedirect(req.getContextPath() + "/timeout.xhtml");
    } else if (auth == null || !auth.isLoggedIn()) {
        // Valid (or brand new) session, but nobody is logged in yet
        res.sendRedirect(req.getContextPath() + "/login.xhtml");
    } else {
        chain.doFilter(request, response);
    }
}
```
Upvotes: 2
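As an added example (not code from the question or the answer above), the following filter spells out the three states the answer's checks distinguish (stale session id, anonymous, authenticated) and adds the two details a reviewer would ask about: creating a fresh session when a stale id is seen, so the next request from the timeout page carries a valid cookie instead of looping back to the timeout check, and rotating the session id at login so an id handed out before authentication is never promoted to an authenticated session. The `Authenticator` shape, the `"auth"` attribute name, the `/app/*` mapping and the page paths are assumptions.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example, not from the question or answer: classify every request on the
 * protected area using only the Servlet API. Mapping is an assumption; on a
 * pre-Servlet-3.0 container declare the same filter in web.xml instead.
 */
@WebFilter(urlPatterns = "/app/*")   // assumed: login.xhtml and timeout.xhtml live outside /app/
public class SessionStateFilter implements Filter {

    public enum State { TIMED_OUT, ANONYMOUS, AUTHENTICATED }

    /** Assumed shape of the session-scoped bean the answer calls "auth". */
    public static class Authenticator {
        private String user;
        public boolean isLoggedIn() { return user != null; }
        public String getUser() { return user; }
        void setUser(String user) { this.user = user; }
    }

    /**
     * Order matters: the stale-id check runs before getSession() is ever called,
     * because creating a session does not change getRequestedSessionId(), but it
     * is the requested id (not the current session) that proves a timeout happened.
     */
    public static State classify(HttpServletRequest req) {
        String requestedId = req.getRequestedSessionId();
        if (requestedId != null && !req.isRequestedSessionIdValid()) {
            return State.TIMED_OUT;           // id sent, but container has no such session
        }
        HttpSession session = req.getSession(false);
        Object attr = (session == null) ? null : session.getAttribute("auth");
        if (attr instanceof Authenticator && ((Authenticator) attr).isLoggedIn()) {
            return State.AUTHENTICATED;
        }
        return State.ANONYMOUS;               // no session, or a session nobody logged into
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;
        String ctx = req.getContextPath();

        switch (classify(req)) {
            case TIMED_OUT:
                // Create a session now so this response carries a new JSESSIONID cookie;
                // without it the next request still sends the stale id and is classified
                // TIMED_OUT again, which is the loop the question describes.
                req.getSession(true);
                res.sendRedirect(ctx + "/timeout.xhtml");
                return;                       // never continue the chain after a redirect
            case ANONYMOUS:
                res.sendRedirect(ctx + "/login.xhtml");
                return;
            case AUTHENTICATED:
            default:
                chain.doFilter(request, response);
        }
    }

    /**
     * Called by the (assumed) login servlet once credentials have been verified.
     * The pre-login session is discarded and a new one created, so a session id
     * that existed before authentication cannot be reused as an authenticated one
     * (session fixation). Loading user details from the DB belongs here as well.
     */
    public static void loginUser(HttpServletRequest req, String username) {
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession fresh = req.getSession(true);
        Authenticator auth = new Authenticator();
        auth.setUser(username);
        fresh.setAttribute("auth", auth);
    }

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}
}
```

Keeping `classify` as a static method means the decision can be unit-tested against a mocked `HttpServletRequest` without deploying the filter. The mapping deliberately excludes the login and timeout pages themselves; a filter on `/*` that redirects anonymous users to `/login.xhtml` would otherwise redirect the login page to itself.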