https://bz.apache.org/bugzilla/show_bug.cgi?id=68449
Bug ID: 68449 Summary: session.maxInactiveInterval() is not working for SSO Users. Product: Tomcat 9 Version: 9.0.83 Hardware: PC Status: NEW Severity: blocker Priority: P2 Component: Catalina Assignee: dev@tomcat.apache.org Reporter: jarka...@gmail.com Target Milestone: ----- I am facing issues with setting a User session duration to an arbitrary value. The exact issue is that even if I set the value to as much as 30 minutes the session timesout withiin 2 minutes. Was facing this issue for all Users. Chanced upon https://bz.apache.org/bugzilla/show_bug.cgi?id=67793 and opted to upgrade to Tomcat 9.0.83 The update to Tomcat 9.83 resolved this issue for users except SSO enabled Users. My default session timeout value is set to 30 in web.xml, so - <session-timeout>30</session-timeout> I understand, this should set the timeout interval to 30 minutes and would be applicable across all user sessions. Attempting to use - session.setMaxInactiveInterval(300) to change a particular User session duration to 5 mins. <Question>Has this been deprecated and should I be moving this to context.setMaxInactiveInterval(), instead?</Question> The issue I face is that the value set through setMaxInactiveInterval() does not have appear to have any effect. <Question>Remember reading that the timeout value will be defaulted to the value in web.xml, every 2 or 5 minutes (by a Tomcat process?). Is this correct?</Question> On checking localhost_access_log I do not find any requests hitting Tomcat server. But for some reason the timeouts just do not work. What I mean by that is even if the User sets the value to 30 minutes, Tomcat sesion timesout in 2 minutes. I repeat right now the issue is for SSO enabled Users and I have set up the below to this purpose - <Host appBase="webapps" autoDeploy="true" name="localhost" unpackWARs="true"> ... <Valve className="SingleSignOn"/> ... </Host> SSO authentication works correctly and SingleSignOn.invoke() is also executed without any error. I am invoking session.etMaxInactiveInterval (seconds) from inside invoke() and I see that this piece of code is being executed as well. This happens ever since I moved from Tomcat 9.0.64 to (9.0.76 & 9.0.82 & 9.0.83) I am left without any idea where/what to look for now. Kindly advise. -- You are receiving this mail because: You are the assignee for the bug. --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org