在桌面应用程序中管理登录会话：在哪个层？

Question

I have to fulfill the following requirement:

[...]if the logged user is idle for more than 30 minutes, he has to be logged out.

where idle means "doesn't press mouse nor keyboard".

Now, I was pretty sure about how to achieve this when I first read it: to me it sounded like a requirement that has to do with business logic, so I should have realized it in the business layer (having a 3-layers architecture).
Here some code:

// simplified and generalized version of my login method
public boolean login(String email, String password) {
    user = dao.read(email, password); //returns either null or the user
    boolean logged = user != null;
    if (logged) {
       // initialize Session somehow, let's say for example:
        Session.start();
    }
    return logged;
}

// simplified and generalized version of my logout method
public void logout() {
    operatore = null;
    // terminate Session somehow, let's say for example:
    Session.destroy();
}

This would be ideal, but there's one problem: Session should know how to detect user inactivity (and then fire logout() method)... but unfortunately this entirely depends on how the GUI is made!
[just to be clear: I know I to achieve this, but I'd like to do it independently on how I realize UI (eg Java Swing, command-line, web-based, etc)]

I mean, business layer can't (and shouldn't imo) catch user events/interaction so I should necessary realize Session in the GUI package and use it from there : in my design a layer should only interact with its strictly lower layer's interfaces and should not know anything about any higher level (Data Access Layer is indipendent (well, it depends on DB and other persistence mechanism), Business Layer only depends on Data Access Layer interfaces, Presentation Layer only depends on Business Layer interfaces).

The problem is that just sounds wrong to me realize part of what I consider to be a business logic requirement in the presentation layer.

Btw, session expiring probably has to do too much with presentation logic since has to "listen" user inputs.

This reminds me of another pertinent question which I answered myself some time ago, but I'm going to ask this one too just to avoid any doubt: link to the question .

I'd like to hear some opinion in merit, mainly focused on good design practices.

Answer 1

As the requirement says

if the logged user is idle for more than 30 minutes, he has to be logged out.

So here inputs are key board or mouse activity. Of course this belongs to Presentation Layer.

In web application scenario, the Mouse/Keyboard activity (Utility) module trigger session time out.

We can use Observer/Listener pattern. If it is in java

http://www.vogella.com/articles/DesignPatternObserver/article.html will be helpful

Using httpsession listners we can pass this activity into Business Layer. That means you can call Business Layer functionality to do the clean up.

In desk top scenario, we can use Swing application where similar pattern can be used.

So the point is Presentation layer informs the other layers based on the input provided by the Utility Class.

Answer 2

It can even get more exciting. Different timeouts on different screens (maybe screens that show a video, so the timeout is put aside while the video is on). Different timeouts for different users (for some it should never timeout). Screens that are accessible without login-in first, yet the application should "timeout" and take back to the "main" screen.

I ended up registering the business layer application to "activity" in the presentation controls. Not a beautiful site. Would be happy to see a good solution.

Answer 3

Both.

Your business layer just needs to know that there has been some user activity -- it doesn't necessarily need to know what that activity is or how that activity was triggered (or even where it came from).

public class Session {
    ...
    public static void keepAlive() {
        // update last activity fields with new timestamp
    }
    ....
}

Whenever your presentation layer receives input of some sort (mouse movements, mouse clicks, key presses, and so on), it's up to the objects in that layer to notify the business layer that something has happened.

To keep things separated, you'll probably want to add some events to your Session object.

public interface SessionExpiringEventHandler {
    void sessionExpiring();
}

public interface SessionExpiredEventHandler {
    void sessionExpired();
}

public class Session {
    ...
    private List<SessionExpiringEventHandler> expiringHandlers;
    private List<SessionExpiredEventHandler> expiredHandlers;
    ...
    public static void addExpiringEventHandler(SessionExpiringEventHandler h) {
        expiringHandlers.add(h);
    }
    public static void addExpiredEventHandler(SessionExpiredEventHandler h) {
        expiredHandlers.add(h);
    }
    ....
}

That way when the Session object expires (or is about to expire) the session, it can loop through all of its event handlers for the respective event and invoke them. This will let you keep your layers separate.