Thanks Guys,
I'll do this afternoon using OFBIZ-6655
Jacques
Le 11/01/2019 à 07:03, Deepak Nigam a écrit :
Thanks, Jacques and Girish.
Yes, it makes sense to get back to web.xml for the session timeout value.
On Fri, Jan 11, 2019 at 11:13 AM Girish Vasmatkar <
girish.vasmat...@hotwaxsystems.com> wrote:
Hi Jacques
Yes, we should put back the session timeout declaration in web.xml. Given
the fact that we can always mix web.xml and Annotation based configuration,
it only makes sense to let web.xml decide the session timeout and even if
we have the session listener (via web.xml declaration or Annotation), we
should not programatically try to override the setting.
Thanks and Regards,
Girish
On Thu, Jan 10, 2019 at 7:14 PM Jacques Le Roux <
jacques.le.r...@les7arts.com> wrote:
Hi Deepak, Girish,
I had a look at the issue. The specifications of Java Servlet
Specification 3.0 don't include an annotation to change the session time
out.
https://www.baeldung.com/servlet-session-timeout
https://stackoverflow.com/questions/20389833/session-timeout-config-with-no-web-xml-file
I think the best solution is to put back what we had before, ie set it to
a value (it was 1 hour before) in all web.xml file and remove the
session.setMaxInactiveInterval(60*60); //in seconds
line in ControlEventListener::sessionCreated
I thought about keeping this line if a check to null for the session
timeout value (from web.xml) was positive.
But by default Tomcat sets it to 30 min (so it's never null) and it's
possible but hard to change in OFBiz (eg to a known specific
extraordinary
value
that could be checked instead of null as above)
So it could be confusing and anyway best practice is to prefer convention
over configuration, even if in this case it's much redundant.
I think we can reopen OFBIZ-6655 and handle it there, with an
explanation.
Other ideas?
Jacques
Le 09/01/2019 à 10:11, Girish Vasmatkar a écrit :
Hi Deepak
By the time sessionCreated is called in an HttpSessionListener, the
session
has already been created. I am sure if you try to get the HttpSession
from
the HttpSessionEvent object, it will have what you defined in
<session-timeout> tag.
But the code is overriding the timeout using setMaxInactiveInterval to
1
hour that is why it is looking like web.xml is not being given
precedence over programmatic session configuration.
Whether web.xml takes precedence over annotation does not apply in this
case because anyway the session timeout value is being overridden by
the
code. The tomcat container definitely reads session-timeout from
web.xml
and assigns timeout for the session accordingly. But since a listener
is
configured for session lifecycle management, it invokes the method and
there the session value is being overridden.
Try to set 2 minutes session timeout in web.xml and remove
session.setMaxInactiveInterval(60*60).
I would say you will be logged out after 2 minutes. If that is not the
case, pl let me know.
I hope I understood your question and problem correctly.
Best,
Girish
On Wed, Jan 9, 2019 at 1:53 PM Deepak Nigam <
deepak.nigam1...@gmail.com>
wrote:
Thanks, Jacques.
Apart from the hardcoded thing, I am not able to override the session
timeout value using <session-timeout> tag in web.xml.
On Tue, Jan 8, 2019 at 1:55 PM Jacques Le Roux <
jacques.le.r...@les7arts.com>
wrote:
Hi Deepak,
You are right, it's hardcoded and should not. I have no time to go
further
at the moment, but I'll ASAP
Thanks
Jacques
Le 08/01/2019 à 06:10, Deepak Nigam a écrit :
Hello all,
I tried to set the session timeout for the 'ecommerce' and the
'webtools' components using <session-config> of web.xml, but unable
to
do
so. Session for the logged-in user remains active even after the set
time.
On further research, I found that we did some changes in this area
in
the
ticket OFBIZ-6655 <https://issues.apache.org/jira/browse/OFBIZ-6655
.
We
have hard coded the session timeout (1 hr) in the sessionCreated()
method
of ControlEventListner class. As per the comments in the Jira
ticket,
session timeout declarations in web.xml have been removed by the use
of @WebListner annotation. This is to avoid duplicates things
everywhere
in
web.xml files. Since the web.xml files have precedence on
annotations,
the
setting can be easily overridden when necessary.
But the @WebListner is missing in the ControlEventListner class.
Also,
I
am
unable to override the session timeout in web.xml even after putting
the
@WebListner annotation in ControlEventListner class.
Please let me know if this is a real issue or I am doing something
wrong?
Thanks & Regards
--
Deepak Nigam
HotWax Systems Pvt. Ltd.
