As we all know, real Web applications generally leave session management to the session management facility of the Web (servlet) container, and this also holds when Tomcat is the Web server. From a security standpoint, avoid modifying or interfering with the container's session management.
Tomcat's session implementation is more complete and better tested than anything we would write ourselves. In addition, Tomcat is maintained by a mainstream open-source community with a dedicated team, so once a security vulnerability is discovered it is fixed quickly.
In practice, to meet security audit requirements, a Web application should write an operation log entry whenever a session is terminated. Session termination generally falls into three cases: the operator logs out actively, the application detects an attack and forcibly terminates the session, or the session expires on timeout.
For the first two cases the operation log is easy to write, because the application's own code is what invalidates the session.
Timed-out sessions, however, are something many developers feel they have no way to get hold of. A common workaround is a heartbeat scheme: the client page periodically sends heartbeat requests to the server, and a server-side thread polls the recorded heartbeats to decide when a session should be terminated and its log entry written.
This does produce the log entries, but the client generates a large number of extra requests, and once the system runs at high concurrency the load on the server grows accordingly, so it is not a good solution.
The session timeout is easy to configure for a Web application; can the creation and destruction of sessions be observed as well? The answer is yes. Tomcat supports this through the standard servlet HttpSessionListener interface: a session-created event fires every time a new session is created, and a session-destroyed event fires when a session is destroyed, whether by an explicit invalidate() call or by timeout.
The interface contains only two methods, corresponding to session creation and destruction:
    public void sessionCreated(HttpSessionEvent se);
    public void sessionDestroyed(HttpSessionEvent se);
So all we need to do is implement HttpSessionListener and write the operation log entry in sessionDestroyed. Note that the container notifies the listener before the session is actually invalidated, so the session ID, attributes, last-accessed time and maximum inactive interval can still be read inside sessionDestroyed.
Concretely, the listener class must be registered in the web.xml of the Web application (on Servlet 3.0 and later, annotating the class with @WebListener works as well). The sample code and web.xml configuration are as follows:
1) Sample Code
    package com.test;

    import javax.servlet.http.HttpSessionEvent;
    import javax.servlet.http.HttpSessionListener;

    public class SessionManager implements HttpSessionListener {
        public void sessionCreated(HttpSessionEvent se) {
            // record the new session's ID and creation time here
        }
        public void sessionDestroyed(HttpSessionEvent se) {
            // called for explicit invalidate() and for timeout alike:
            // write the audit log entry here
        }
    }
2) web. xml configuration
    <session-config>
        <!-- value is in minutes -->
        <session-timeout>30</session-timeout>
    </session-config>
    <listener>
        <listener-class>com.test.SessionManager</listener-class>
    </listener>
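As an added, fuller example (not code from the original article), here is a listener that writes one audit line per session creation and one per destruction, and classifies the destruction as a user logout, a forced logout after attack detection, or a timeout. It assumes two session attribute names that the application sets itself, audit.user at login and audit.logoutReason immediately before an explicit invalidate(); these names and the AuditSessionListener class are assumptions, not part of the servlet API. The imports use the javax.servlet package; on Tomcat 10 and later the package is jakarta.servlet.

```java
package com.test;

import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.time.Instant;
import java.util.logging.Logger;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/**
 * Audit listener: one log line per session creation and one per destruction,
 * with the destruction reason classified as USER_LOGOUT, ATTACK_DETECTED or
 * TIMEOUT. Registered in web.xml exactly like SessionManager above.
 */
public class AuditSessionListener implements HttpSessionListener {

    private static final Logger AUDIT = Logger.getLogger("audit.session");

    // Assumed attribute names (not defined by the servlet API): the application
    // sets USER_ATTR at login and REASON_ATTR right before calling invalidate().
    public static final String USER_ATTR = "audit.user";
    public static final String REASON_ATTR = "audit.logoutReason";

    @Override
    public void sessionCreated(HttpSessionEvent se) {
        HttpSession s = se.getSession();
        AUDIT.info(String.format("SESSION_CREATED sid=%s created=%s maxInactiveSec=%d",
                sidForLog(s.getId()),
                Instant.ofEpochMilli(s.getCreationTime()),
                s.getMaxInactiveInterval()));
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        // The container notifies listeners before the session is invalidated,
        // so its attributes and timestamps are still readable here.
        HttpSession s = se.getSession();
        Object user = s.getAttribute(USER_ATTR);
        AUDIT.info(String.format("SESSION_DESTROYED sid=%s user=%s reason=%s lastAccess=%s",
                sidForLog(s.getId()),
                user == null ? "-" : user,
                classify(s),
                Instant.ofEpochMilli(s.getLastAccessedTime())));
    }

    /**
     * Decide why the session is going away. An explicit reason set by the
     * application wins; otherwise a session that has been idle for at least
     * its maximum inactive interval was expired by the container (TIMEOUT),
     * and anything else is an invalidate() the application did not label.
     */
    static String classify(HttpSession s) {
        Object explicit = s.getAttribute(REASON_ATTR);
        if (explicit != null) {
            return explicit.toString();
        }
        long idleMillis = System.currentTimeMillis() - s.getLastAccessedTime();
        int maxInactiveSec = s.getMaxInactiveInterval();
        if (maxInactiveSec > 0 && idleMillis >= maxInactiveSec * 1000L) {
            return "TIMEOUT";
        }
        return "INVALIDATED_UNLABELLED";
    }

    /** The session ID is a credential: log a truncated SHA-256 of it, never the raw value. */
    static String sidForLog(String sessionId) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            byte[] digest = md.digest(sessionId.getBytes(StandardCharsets.UTF_8));
            return String.format("%064x", new BigInteger(1, digest)).substring(0, 16);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 unavailable", e);
        }
    }
}
```

On logout the application labels the session before invalidating it, for example session.setAttribute(AuditSessionListener.REASON_ATTR, "USER_LOGOUT"); session.invalidate();, and uses "ATTACK_DETECTED" in the forced-logout path, so the listener never has to guess for those two cases. Two caveats for the timeout case: Tomcat's background expiry thread checks sessions only every backgroundProcessorDelay seconds (10 by default), so the TIMEOUT entry is written shortly after the session actually expired and the true expiry instant is lastAccess plus the maximum inactive interval, not the log timestamp; and the session ID is hashed before logging because anyone who can read the audit log must not be able to hijack live sessions from it.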
How to record operation logs when Tomcat session times out to meet security audit requirements