In a real Web application, session management is typically handled by the Web container's session management feature.
The same holds when Tomcat is used as the web server, and from a security standpoint you should avoid changing or interfering with the session management capabilities of the Web container.
Tomcat's session management is certainly more complete and reliable than anything we would write ourselves: Tomcat is maintained by a mainstream open source community with a dedicated team to develop and maintain it, so once a security vulnerability becomes known it can be fixed very quickly.
In actual development, to meet security audit requirements, every session logoff in the Web application should be recorded in the operation log. Logoffs generally fall into three kinds: the operator actively logs off, the application detects an attack and actively terminates the session, or the session times out.
For an active logoff, and for a logoff triggered by attack detection, the operation log is easy to record and the requirement is met.
For a session ended by timeout, however, many people feel there is no way to do it. A common approach is a heartbeat mechanism: the client page continually sends heartbeats to the server, a server thread receives them and polls for sessions that have timed out, and the operation log is written from there.
This does produce the operation log, but the client sends many extra requests to the server, and once system concurrency is high the extra load on the server-side business logic becomes significant. It is not a good way to handle it.
The session timeout can easily be configured in web.xml. Should it also be possible to listen for session creation and logoff? The answer is yes: Tomcat supports this through HttpSessionListener. A session creation event occurs every time a new session is created, and likewise a session invalidation event occurs each time a session is invalidated.
This interface has only two methods, corresponding to session creation and invalidation respectively:
public void sessionCreated(HttpSessionEvent se);
public void sessionDestroyed(HttpSessionEvent se);
So we only have to implement HttpSessionListener and put the operation logging in the sessionDestroyed method.
Specifically, we need to write the listener class and configure it in web.xml. The code example and web.xml configuration are as follows:
1) Code example
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

public class SessionManager implements HttpSessionListener {
    public void sessionCreated(HttpSessionEvent se) {
        // called every time the container creates a new session
    }

    public void sessionDestroyed(HttpSessionEvent se) {
        // called every time a session is invalidated, whether by explicit
        // invalidate() or by the container's timeout: write the operation log here
    }
}
2) web.xml configuration
<session-config>
    <session-timeout>30</session-timeout>
</session-config>
<listener>
    <listener-class>com.test.SessionManager</listener-class>
</listener>
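As an added example (not the post's own code), a fuller version of the listener: it writes an audit record in sessionDestroyed and classifies whether the session ended by container timeout or by an explicit logoff. It assumes javax.servlet (Tomcat 9 and earlier; Tomcat 10+ uses jakarta.servlet), that the login code stores the user name under the session attribute auditUser, and that explicit logoff code sets logoffReason before calling invalidate(); both attribute names are assumptions, and java.util.HexFormat requires Java 17.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HexFormat;
import java.util.logging.Logger;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

@WebListener // registers the listener, equivalent to the <listener> entry in web.xml
public class SessionManager implements HttpSessionListener {
    private static final Logger AUDIT = Logger.getLogger("audit");

    @Override
    public void sessionCreated(HttpSessionEvent se) {
        AUDIT.info("session created id=" + shortId(se.getSession()));
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        HttpSession session = se.getSession();
        // Attributes are still readable here: the container fires this event before it
        // discards session state, so the user name stored at login (assumed name) is available.
        Object user = session.getAttribute("auditUser");
        AUDIT.info("session ended id=" + shortId(session) + " user=" + user
                + " reason=" + classify(session));
    }

    // Explicit logoff paths (user action, attack detected) are assumed to set
    // "logoffReason" before calling invalidate(); anything else that ends a session
    // after the inactivity window has elapsed is a container timeout.
    static String classify(HttpSession session) {
        Object reason = session.getAttribute("logoffReason");
        if (reason != null) return reason.toString();
        int maxIdleSeconds = session.getMaxInactiveInterval();
        if (maxIdleSeconds <= 0) return "invalidated"; // negative means "never expires"
        long idleMillis = System.currentTimeMillis() - session.getLastAccessedTime();
        return idleMillis >= maxIdleSeconds * 1000L ? "timeout" : "invalidated";
    }

    // Never write the raw session id to a log: a truncated SHA-256 still lets the
    // create and destroy records be correlated without exposing a usable cookie value.
    static String shortId(HttpSession session) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256")
                    .digest(session.getId().getBytes(StandardCharsets.UTF_8));
            return HexFormat.of().formatHex(digest, 0, 8);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

Because sessionDestroyed fires for every session end, including the container's own timeout, the timeout record is written without any client heartbeat or polling thread.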
How to write operation logs that meet security audit requirements when a Tomcat session ends