We have a site where the user gets a navigation bar to allow navigation of search results.
When the user goes away for lunch or whatever, and the session times out, clicking next in the navigation which is still on the screen will show the next page, but will then lose the navigation since it was stored in the now stale session. This confused people no end.
The solution we came up with was to create a new session, return the user to the start of the results and show them a message that they were visiting us without a session and that we had sent them back to the start.
Now we are getting complaints from people who come from an external link directly to a page. Since we currently do not see the difference between a stale session and a non-existent session, we show the message to everybody without a (valid) session.
How can we reliably detect the visitor who never had a session or had deliberately deleted their session cookie versus the visitor who left for a while and came back after session time-out?
If you are doing session validation in your code, then somebody who is coming directly through a link to your page will not have a session attribute in the request header or wherever you are storing the session parameter. In case this is not done, then for all clients which create a session with your server, send a parameter. Make this parameter flow through every request. The existence of such a parameter will show whether somebody is coming from a stale session or without any session at all.
Check the getHeader method of the HttpServletRequest class. This will help you check whether a given header exists or not.
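The servlet container already exposes this distinction: a request that carries a session ID the container no longer recognises came from an expired session, while a request with no ID never had one. The filter below is an added example, not code from the answer above; it assumes the javax.servlet API (jakarta.servlet on newer containers), and the class name and the request attribute name are hypothetical.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical filter; map it to the search-result URLs in web.xml or with @WebFilter.
public class SessionStateFilter implements Filter {

    public enum SessionState { ACTIVE, EXPIRED, NONE }

    // Classify the request before any new session is created.
    static SessionState classify(HttpServletRequest req) {
        if (req.getSession(false) != null) {
            return SessionState.ACTIVE;   // the server still holds this session
        }
        // The client sent an ID (cookie or URL) that the container does not know:
        // timed out, invalidated, or made up. The value is client-supplied, so use
        // this result only to choose which message to show, never for access control.
        if (req.getRequestedSessionId() != null && !req.isRequestedSessionIdValid()) {
            return SessionState.EXPIRED;
        }
        // No ID at all: first visit, external link, or deleted cookie.
        return SessionState.NONE;
    }

    @Override
    public void init(FilterConfig cfg) { }

    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        SessionState state = classify(req);
        if (state != SessionState.ACTIVE) {
            // Let the container issue a fresh ID; never re-create a session
            // under the ID the client presented (avoids session fixation).
            req.getSession(true);
        }
        // The page shows the "sent back to the start" message only for EXPIRED.
        req.setAttribute("sessionState", state);
        chain.doFilter(rq, rs);
    }

    @Override
    public void destroy() { }
}
```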