Tomcat behind IIS -> Session timeout is ignored
Hello list, I have a problem with a tomcat 5.0.28 installation connected to IIS 6.0 (Windows 2003 server) with isapi_redirect.dll Everything is working well, except for the session timeout. The timeout is set to 60 minutes in the context's web.xml file (60) which works great in many other installations (without IIS, though) As far as I could tell, the sessions are purely managed by tomcat, so IIS should not pose a problem, but still... Can anyone shed some light on this? Thanks, Tobias - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Session timeout issues
On 15/09/05, Leon Rosenberg <[EMAIL PROTECTED]> wrote: > Hi, > > I don't know if this fits, but could it be, that your problem is > related to the tomcat session synchronization bug? > > http://issues.apache.org/bugzilla/show_bug.cgi?id=36541 > That does look like a potential issue. However, I think I may have tracked this down to cookies and switching between HTTP and HTTPS. There are two scenarios: 1) User starts at an HTTP page and is given a cookie. This cookie can be used in secure and non secure requests. 2) User starts at an HTTPS page and is given a cookie. This cookie is only valid for secure requests (because it has Set-Cookie: ;Secure in the response header). When a user is redirected to an HTTP page they are given a *new* cookie and a new HttpSession is created on the server. Can you tell me the exact semantics of the secure attribute on the element? The documentation just says "Set this attribute to true if you wish to have calls to request.isSecure() to return true for requests received" Thanks James Shaw > > On 9/15/05, James Shaw <[EMAIL PROTECTED]> wrote: > > On 14/09/05, James Shaw <[EMAIL PROTECTED]> wrote: > > > I have two issues relating to sessions: > > > > > > 1) Sessions seem to be expired too soon. This happens very > > > infrequently for me (perhaps 1 in 1000 requests). I'm adding some > > > HttpSessionListeners and HttpSessionAttributeListeners to attempt to > > > locate this problem, but have little to go on at the moment. > > > > > I have some more info on this problem. During the login process, the > > original JSESSIONID that tomcat gives to the browser is being lost and > > a new HttpSession with a new id is being created. So either the > > browser is not sending the cookie containing the session id, or Tomcat > > is somehow losing the id. > > > > Does anyone have an idea what this problem could be? Perhaps you > > could point me to some information about how Tomcat receives cookies > > and maps these to their respective HttpSession objects. > > - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Session timeout issues
On 14/09/05, James Shaw <[EMAIL PROTECTED]> wrote: > I have two issues relating to sessions: > > 1) Sessions seem to be expired too soon. This happens very > infrequently for me (perhaps 1 in 1000 requests). I'm adding some > HttpSessionListeners and HttpSessionAttributeListeners to attempt to > locate this problem, but have little to go on at the moment. > I have some more info on this problem. During the login process, the original JSESSIONID that tomcat gives to the browser is being lost and a new HttpSession with a new id is being created. So either the browser is not sending the cookie containing the session id, or Tomcat is somehow losing the id. Does anyone have an idea what this problem could be? Perhaps you could point me to some information about how Tomcat receives cookies and maps these to their respective HttpSession objects. Thanks James Shaw - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Session timeout issues
I have two issues relating to sessions: 1) Sessions seem to be expired too soon. This happens very infrequently for me (perhaps 1 in 1000 requests). I'm adding some HttpSessionListeners and HttpSessionAttributeListeners to attempt to locate this problem, but have little to go on at the moment. 2) Session objects are being expired too late. Some session objects are persisting for far longer than the 30 minutes I've specified in web.xml. I've checked this with an HttpSessionListener today, for example: Timestamp: Wed Sep 14 12:26:21 BST 2005 ID:C945C8BC10E58E3947A5475C001DBA35 Last Accessed: Wed Sep 14 11:35:43 BST 2005 Backtrace: at presentation.listener.DebugSessionListener.sessionDestroyed(DebugSessionListener.java:54) at org.apache.catalina.session.StandardSession.expire(StandardSession.java:675) at org.apache.catalina.session.StandardSession.isValid(StandardSession.java:567) at org.apache.catalina.session.ManagerBase.processExpires(ManagerBase.java:655) at org.apache.catalina.session.ManagerBase.backgroundProcess(ManagerBase.java:640) at org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1283) at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1568) at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1577) at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1577) at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1557) at java.lang.Thread.run(Unknown Source) I realise that this isn't enough information to really diagnose the problem but I'm hoping that you may be able to give me some suggestions for what to do next. Thanks in advance James Shaw - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
session timeout problems
Hello, within my web application i defined a session timeout of 30 minutes. But some sessions strangly survive this timeout and keep being valid until an explicit call to invalidate(). I already implemented a HttpSessionListener to keep track of session creation, destruction, lastAccessedTime and MaxInactiveInterval. So i recieve a HttpSessionEvent for every session being created or destroyed. I recognized that i never got a call to sessionDestroyed(HttpSessionEvent) for those strange timeout survivers. I am quite lost and have no idea how to solve this situation. Any suggestions ? Greets, Joerg - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: How do you set the session timeout in tomcat so that the session only timeouts when the browser is closed?
On 6/7/05, Harland, David <[EMAIL PROTECTED]> wrote: > How do you set the session timeout in tomcat so that the session only > timeouts when the browser is closed? > Possible solution may be to refresh the page frequently and set a short interval for session time out. You might use a frame for this. If you use the AJAX approach to develop web applications it will be easy. I hadnt seen GMail session expired. -- rgds Anto Paul - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: How do you set the session timeout in tomcat so that the session only timeouts when the browser is closed?
> From: Harland, David [mailto:[EMAIL PROTECTED] > How do you set the session timeout in tomcat so that the session only > timeouts when the browser is closed? You don't. There is no way in any Web architecture of reliably detecting whether a browser has closed, or whether it has merely disconnected from the server for now and will be reconnecting later. This is a generic problem with any stateful browser-based application and is not specific to Tomcat. - Peter - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
How do you set the session timeout in tomcat so that the session only timeouts when the browser is closed?
How do you set the session timeout in tomcat so that the session only timeouts when the browser is closed? This e mail is from DLA Piper Rudnick Gray Cary UK LLP. The contents of this email and any attachments are confidential to the intended recipient. They may not be disclosed to or used by or copied in any way by anyone other than the intended recipient. If this email is received in error, please contact DLA Piper Rudnick Gray Cary UK LLP on +44 (0) 8700 11 quoting the name of the sender and the email address to which it has been sent and then delete it. Please note that neither DLA Piper Rudnick Gray Cary UK LLP nor the sender accept any responsibility for viruses and it is your responsibility to scan or otherwise check this email and any attachments. DLA Piper Rudnick Gray Cary UK LLP is a limited liability partnership registered in England and Wales (registered number OC307847) which provides services from offices in England, Belgium, Germany and the People's Republic of China. A list of members is open for inspection at its registered office and principal place of business 3 Noble Street, London EC2V 7EE. Partner denotes member of a limited liability partnership. DLA Piper Rudnick Gray Cary UK LLP is regulated by the Law Society and is a member of DLA Piper Rudnick Gray Cary, a global legal services organisation, the members of which are separate and distinct legal entities. For further information, please refer to www.dlapiper.com.
Re: delete temporary content after session timeout
Let's see...
(1) You are correct, it's nothing more than an entry in web.xml.
Remember, this isn't a Tomcat-specific thing, it's a J2EE thing (servlet
spec specifically I think), so it's YOUR APP'S web.xml. The entry is
simply:
com.company.app.MySessionListener
Assuming that class is available to the classloader, your all set.
(2) I'm not too familiar with the Spring framework, but since it's still
built on top of the servlet spec, this would apply just the same, it
should be independant of app server and framework in use. Spring may
have it's own mechanism for doing this, but given the choice I'd chose
the standard approach, which is a listener.
(3) I don't have any good references handy, but just Googling
SessionListener will turn up plenty of hits. Just to save you some
time, here's the basic structure of a SessionListener class:
package com.company.app.MySessionListener
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
public class MySessionListener implements HttpSessionListener {
/**
* This method is called by the servlet container just after http
session is
* created.
*
* @param event HttpSessionEvent
*/
public void sessionCreated(HttpSessionEvent event) {
}
/**
* This method is called by the servlet container just before http
session is
* destroyed.
*
* @param event HttpSessionEvent
*/
public void sessionDestroyed(HttpSessionEvent event) {
}
}
Couldn't be simpler! You can do event.getSession() in both if you need
to do anything with the session (like, for the OP, if you have a
reference to the user ID who's directory you want to purge of temporary
files).
--
Frank W. Zammetti
Founder and Chief Software Architect
Omnytex Technologies
http://www.omnytex.com
Tim Diggins wrote:
that sounds very useful, not something I've done before -- can I ask a
few questions -
1) how does one bind that into Tomcat -- declare a session listener in
(I presume) web.xml?
2) as I'm using Spring Framework, is this still relevant (or is there a
spring-specific way of binding in a session listener --- sorry, ought to
ask that on a spring list...)
3) can you recommend the best reference material / sites on managing
sessions (standard tomcat docs seem to have nothing on sessions I can
find.)
Tim
Frank W. Zammetti wrote:
Write a SessionListener... it has two methods, one that fires when a
session is created, one when it is destroyed. That should do the
trick for you. That's not a Tomcat-specific solution either, so it
should be rather portable should you ever need to move to another app
server.
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
.
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Re: delete temporary content after session timeout
that sounds very useful, not something I've done before -- can I ask a few questions - 1) how does one bind that into Tomcat -- declare a session listener in (I presume) web.xml? 2) as I'm using Spring Framework, is this still relevant (or is there a spring-specific way of binding in a session listener --- sorry, ought to ask that on a spring list...) 3) can you recommend the best reference material / sites on managing sessions (standard tomcat docs seem to have nothing on sessions I can find.) Tim Frank W. Zammetti wrote: Write a SessionListener... it has two methods, one that fires when a session is created, one when it is destroyed. That should do the trick for you. That's not a Tomcat-specific solution either, so it should be rather portable should you ever need to move to another app server. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: delete temporary content after session timeout
Write a SessionListener... it has two methods, one that fires when a session is created, one when it is destroyed. That should do the trick for you. That's not a Tomcat-specific solution either, so it should be rather portable should you ever need to move to another app server. -- Frank W. Zammetti Founder and Chief Software Architect Omnytex Technologies http://www.omnytex.com Bob Wobbler wrote: Hi, I have an app that uploads user files in a temporary folder. I want to delete them when the session ends. I know I could solve this with a cron-job, but I'm looking for a way to solve it with Tomcat. Does anyone have an idea how to solve it? Thx for your help in advance, cheers, Robert - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] . - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
delete temporary content after session timeout
Hi, I have an app that uploads user files in a temporary folder. I want to delete them when the session ends. I know I could solve this with a cron-job, but I'm looking for a way to solve it with Tomcat. Does anyone have an idea how to solve it? Thx for your help in advance, cheers, Robert - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Way to specify SingleSignOn session timeout?
On 4/14/05, Jonathan Eric Miller <[EMAIL PROTECTED]> wrote: > After looking at the code, it looks like the SSO session doesn't go away > until all other sessions for the user have expired. So, as far as I can > tell, the SSO session doesn't have it's own session timeout as far as I can > tell. Indeed. OTOH, if one of the sessions is explicitely invalidated, the SSO will go away right away. I think that's the most appropriate behavior, but changing it is very easy using a little code hacking. -- x Rémy Maucherat Developer & Consultant JBoss Group (Europe) SàRL x - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Way to specify SingleSignOn session timeout?
After looking at the code, it looks like the SSO session doesn't go away until all other sessions for the user have expired. So, as far as I can tell, the SSO session doesn't have it's own session timeout as far as I can tell. Jon - Original Message - From: "Jonathan Eric Miller" <[EMAIL PROTECTED]> To: "Tomcat Users List" Sent: Wednesday, April 13, 2005 11:00 AM Subject: Re: Way to specify SingleSignOn session timeout? Thanks, but, I know how to set it for a given application. I want to know how to set it or at least find out what the default value is for the global session. I've noticed that there are two cookies. One is JSESSIONID which is for the application session. The other is JSESSIONSSO is is presumably for the global session. Jon - Original Message - From: "Peter Rossbach" <[EMAIL PROTECTED]> To: "Tomcat Users List" Sent: Tuesday, April 12, 2005 10:56 PM Subject: Re: Way to specify SingleSignOn session timeout? Look inside conf/web.xml 30 Peter Jonathan Eric Miller schrieb: I'm using the SingleSignOn valve with Tomcat 5.5.9. Does anyone know what the default session timeout is set to? Is there a way to specify this timeout? I'm finding that sometimes my session will timeout within an application, but, it doesn't redisplay the login page. I want to try to set it up so that the session timeout period is the same for all my applications (and the same for the global one) and that whenever the session times out, the login page is displayed. Jon - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Way to specify SingleSignOn session timeout?
After looking at the code, it looks like the SSO session doesn't go away until all other sessions for the user have expired. So, as far as I can tell, the SSO session doesn't have it's own session timeout as far as I can tell. Jon - Original Message - From: "Jonathan Eric Miller" <[EMAIL PROTECTED]> To: "Tomcat Users List" Sent: Wednesday, April 13, 2005 11:00 AM Subject: Re: Way to specify SingleSignOn session timeout? Thanks, but, I know how to set it for a given application. I want to know how to set it or at least find out what the default value is for the global session. I've noticed that there are two cookies. One is JSESSIONID which is for the application session. The other is JSESSIONSSO is is presumably for the global session. Jon - Original Message - From: "Peter Rossbach" <[EMAIL PROTECTED]> To: "Tomcat Users List" Sent: Tuesday, April 12, 2005 10:56 PM Subject: Re: Way to specify SingleSignOn session timeout? Look inside conf/web.xml 30 Peter Jonathan Eric Miller schrieb: I'm using the SingleSignOn valve with Tomcat 5.5.9. Does anyone know what the default session timeout is set to? Is there a way to specify this timeout? I'm finding that sometimes my session will timeout within an application, but, it doesn't redisplay the login page. I want to try to set it up so that the session timeout period is the same for all my applications (and the same for the global one) and that whenever the session times out, the login page is displayed. Jon - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: session-timeout
thank you !! Jay Burgess wrote: Think of the timeout as a 30 minute countdown timer. Every time there is any session activity, like a page request, the timers starts over. If the timer ever gets to 0, then the session times out. Jay Vertical Technology Group http://www.vtgroup.com/ -Original Message- From: Tim Funk [mailto:[EMAIL PROTECTED] Sent: Thursday, April 14, 2005 10:13 AM To: Tomcat Users List Subject: Re: session-timeout If more than idle for 30 minutes. -Tim Cédric Buschini wrote: Hi every, from web.xml: 30 Does the session-timeout refer to an idle session or an "active" session ? - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: session-timeout
Think of the timeout as a 30 minute countdown timer. Every time there is any session activity, like a page request, the timers starts over. If the timer ever gets to 0, then the session times out. Jay Vertical Technology Group http://www.vtgroup.com/ -Original Message- From: Tim Funk [mailto:[EMAIL PROTECTED] Sent: Thursday, April 14, 2005 10:13 AM To: Tomcat Users List Subject: Re: session-timeout If more than idle for 30 minutes. -Tim Cédric Buschini wrote: > Hi every, > > from web.xml: > >30 > > > Does the session-timeout refer to an idle session or an "active" session ? > - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: session-timeout
If more than idle for 30 minutes. -Tim Cédric Buschini wrote: Hi every, from web.xml: 30 Does the session-timeout refer to an idle session or an "active" session ? - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
session-timeout
Hi every, from web.xml: 30 Does the session-timeout refer to an idle session or an "active" session ? Thk in advance Cedric - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Running code on session timeout
Java Server Pages, 3rd Edition, O'Reilly - great book. I can send you an example later tonight. - Original Message - From: Chris Bender <[EMAIL PROTECTED]> Date: Wednesday, April 13, 2005 10:26 am Subject: Running code on session timeout > Hey, > > I have been looking all over for a way to run code on a session > time out. Basically, before a session times out, I need to > perform some functionality on the data in that session. Ive read > about Session Manager and Session Listeners, but I have not been > able to find any examples of how these work. > > Is it possible to do what I am asking, and if so, does anyone know > of a good reference site? > > > Thanks > > > > --- > -- > This transmission (including any attachments) may contain > confidential information, privileged material (including material > protected by the solicitor-client or other applicable privileges), > or constitute non-public information. Any use of this information > by anyone other than the intended recipient is prohibited. If you > have received this transmission in error, please immediately reply > to the sender and delete this information from your system. Use, > dissemination, distribution, or reproduction of this transmission > by unintended recipients is not authorized and may be unlawful. > > --- > -- > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > > - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Running code on session timeout
Hey, I have been looking all over for a way to run code on a session time out. Basically, before a session times out, I need to perform some functionality on the data in that session. Ive read about Session Manager and Session Listeners, but I have not been able to find any examples of how these work. Is it possible to do what I am asking, and if so, does anyone know of a good reference site? Thanks - This transmission (including any attachments) may contain confidential information, privileged material (including material protected by the solicitor-client or other applicable privileges), or constitute non-public information. Any use of this information by anyone other than the intended recipient is prohibited. If you have received this transmission in error, please immediately reply to the sender and delete this information from your system. Use, dissemination, distribution, or reproduction of this transmission by unintended recipients is not authorized and may be unlawful. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Way to specify SingleSignOn session timeout?
Thanks, but, I know how to set it for a given application. I want to know how to set it or at least find out what the default value is for the global session. I've noticed that there are two cookies. One is JSESSIONID which is for the application session. The other is JSESSIONSSO is is presumably for the global session. Jon - Original Message - From: "Peter Rossbach" <[EMAIL PROTECTED]> To: "Tomcat Users List" Sent: Tuesday, April 12, 2005 10:56 PM Subject: Re: Way to specify SingleSignOn session timeout? Look inside conf/web.xml 30 Peter Jonathan Eric Miller schrieb: I'm using the SingleSignOn valve with Tomcat 5.5.9. Does anyone know what the default session timeout is set to? Is there a way to specify this timeout? I'm finding that sometimes my session will timeout within an application, but, it doesn't redisplay the login page. I want to try to set it up so that the session timeout period is the same for all my applications (and the same for the global one) and that whenever the session times out, the login page is displayed. Jon - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Way to specify SingleSignOn session timeout?
Look inside conf/web.xml 30 Peter Jonathan Eric Miller schrieb: I'm using the SingleSignOn valve with Tomcat 5.5.9. Does anyone know what the default session timeout is set to? Is there a way to specify this timeout? I'm finding that sometimes my session will timeout within an application, but, it doesn't redisplay the login page. I want to try to set it up so that the session timeout period is the same for all my applications (and the same for the global one) and that whenever the session times out, the login page is displayed. Jon - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Way to specify SingleSignOn session timeout?
I'm using the SingleSignOn valve with Tomcat 5.5.9. Does anyone know what the default session timeout is set to? Is there a way to specify this timeout? I'm finding that sometimes my session will timeout within an application, but, it doesn't redisplay the login page. I want to try to set it up so that the session timeout period is the same for all my applications (and the same for the global one) and that whenever the session times out, the login page is displayed. Jon - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Unlimited session timeout
It is not my problem. I need to change it for only one servlet.
Thanks.
fed fin wrote:
you can set timeout from Tomcat Admin => Connections.
--- David Causse <[EMAIL PROTECTED]> wrote:
Hi,
I need in some exceptionnal condition to disable the
session timeout for
one request.
Is there some convenient way to do so?
My idea is to do this but I'm unsure :
In the exceptionnal servlet (at the beginning):
session.setAttribute("OLD_TIMEOUT", new
Integer(session.getMaxInactiveInterval()));
session.setMaxInactiveInterval(-1);
In my filter:
Integer oldTimeout = (Integer)
session.getAttribute("OLD_TIMEOUT");
if(oldTimeout != null) {
session.setMaxInactiveInterval(oldTimeout.intValue());
}
What do you think about this method is it
safe/working?
Maybe there is a way to do it with session listeners
(by cancelling the
call to invalidate, I don't know if it is possible).
Thank you.
David.
-
To unsubscribe, e-mail:
[EMAIL PROTECTED]
For additional commands, e-mail:
[EMAIL PROTECTED]
-Ted
__
Yahoo! Messenger
Show us what our next emoticon should look like. Join the fun.
http://www.advision.webevents.yahoo.com/emoticontest
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Re: Unlimited session timeout
you can set timeout from Tomcat Admin => Connections.
--- David Causse <[EMAIL PROTECTED]> wrote:
> Hi,
>
> I need in some exceptionnal condition to disable the
> session timeout for
> one request.
> Is there some convenient way to do so?
>
> My idea is to do this but I'm unsure :
> In the exceptionnal servlet (at the beginning):
> session.setAttribute("OLD_TIMEOUT", new
> Integer(session.getMaxInactiveInterval()));
> session.setMaxInactiveInterval(-1);
>
> In my filter:
> Integer oldTimeout = (Integer)
> session.getAttribute("OLD_TIMEOUT");
> if(oldTimeout != null) {
>
>
session.setMaxInactiveInterval(oldTimeout.intValue());
> }
>
> What do you think about this method is it
> safe/working?
> Maybe there is a way to do it with session listeners
> (by cancelling the
> call to invalidate, I don't know if it is possible).
>
> Thank you.
>
> David.
>
>
>
-
> To unsubscribe, e-mail:
> [EMAIL PROTECTED]
> For additional commands, e-mail:
> [EMAIL PROTECTED]
>
>
-Ted
__
Yahoo! Messenger
Show us what our next emoticon should look like. Join the fun.
http://www.advision.webevents.yahoo.com/emoticontest
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Unlimited session timeout
Hi,
I need in some exceptionnal condition to disable the session timeout for
one request.
Is there some convenient way to do so?
My idea is to do this but I'm unsure :
In the exceptionnal servlet (at the beginning):
session.setAttribute("OLD_TIMEOUT", new
Integer(session.getMaxInactiveInterval()));
session.setMaxInactiveInterval(-1);
In my filter:
Integer oldTimeout = (Integer) session.getAttribute("OLD_TIMEOUT");
if(oldTimeout != null) {
session.setMaxInactiveInterval(oldTimeout.intValue());
}
What do you think about this method is it safe/working?
Maybe there is a way to do it with session listeners (by cancelling the
call to invalidate, I don't know if it is possible).
Thank you.
David.
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
RE: Edit session timeout
Thanks Everybody! =) -Original Message- From: Parsons Technical Services [mailto:[EMAIL PROTECTED] Sent: Monday, January 31, 2005 12:56 PM To: Tomcat Users List Subject: Re: Edit session timeout Yes. Doug - Original Message - From: "Aris Javier" <[EMAIL PROTECTED]> To: "Tomcat Users List" Sent: Sunday, January 30, 2005 11:53 PM Subject: RE: Edit session timeout Thanks Drew! I found it.. =) can I also use this setting per web app? by editing web.xml per web app? -Original Message- From: Drew Jorgenson [mailto:[EMAIL PROTECTED] Sent: Monday, January 31, 2005 12:41 PM To: Tomcat Users List Subject: RE: Edit session timeout 120 Look, at the web.xml file inside the conf directory, the global web.xml file that is. You can usually find this right above the mime-type mapping definitions. Drew. On Sun, 2005-01-30 at 20:28, Aris Javier wrote: > I looked at my web.xml, and no sessionTimeout found there... > can you give me an example on how to write it down in web.xml? > > thanks! > aris > > -Original Message- > From: Wendy Smoak [mailto:[EMAIL PROTECTED] > Sent: Monday, January 31, 2005 12:25 PM > To: Tomcat Users List > Subject: Re: Edit session timeout > > From: "Aris Javier" <[EMAIL PROTECTED]> > > How to edit session timeout? Tomcat's default value is 30mins... > > Look in web.xml instead of server.xml. You can change it for the > entire container, or on a per-webapp basis, depending on which web.xml > you edit. > (Works for Tomcat 4.1, I haven't moved to 5 yet...) > > -- > Wendy Smoak > > > > - > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > > > - > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Edit session timeout
Yes. Doug - Original Message - From: "Aris Javier" <[EMAIL PROTECTED]> To: "Tomcat Users List" Sent: Sunday, January 30, 2005 11:53 PM Subject: RE: Edit session timeout Thanks Drew! I found it.. =) can I also use this setting per web app? by editing web.xml per web app? -Original Message- From: Drew Jorgenson [mailto:[EMAIL PROTECTED] Sent: Monday, January 31, 2005 12:41 PM To: Tomcat Users List Subject: RE: Edit session timeout 120 Look, at the web.xml file inside the conf directory, the global web.xml file that is. You can usually find this right above the mime-type mapping definitions. Drew. On Sun, 2005-01-30 at 20:28, Aris Javier wrote: I looked at my web.xml, and no sessionTimeout found there... can you give me an example on how to write it down in web.xml? thanks! aris -Original Message- From: Wendy Smoak [mailto:[EMAIL PROTECTED] Sent: Monday, January 31, 2005 12:25 PM To: Tomcat Users List Subject: Re: Edit session timeout From: "Aris Javier" <[EMAIL PROTECTED]> > How to edit session timeout? Tomcat's default value is 30mins... Look in web.xml instead of server.xml. You can change it for the entire container, or on a per-webapp basis, depending on which web.xml you edit. (Works for Tomcat 4.1, I haven't moved to 5 yet...) -- Wendy Smoak - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Edit session timeout
Thanks Drew! I found it.. =) can I also use this setting per web app? by editing web.xml per web app? -Original Message- From: Drew Jorgenson [mailto:[EMAIL PROTECTED] Sent: Monday, January 31, 2005 12:41 PM To: Tomcat Users List Subject: RE: Edit session timeout 120 Look, at the web.xml file inside the conf directory, the global web.xml file that is. You can usually find this right above the mime-type mapping definitions. Drew. On Sun, 2005-01-30 at 20:28, Aris Javier wrote: > I looked at my web.xml, and no sessionTimeout found there... > can you give me an example on how to write it down in web.xml? > > thanks! > aris > > -Original Message- > From: Wendy Smoak [mailto:[EMAIL PROTECTED] > Sent: Monday, January 31, 2005 12:25 PM > To: Tomcat Users List > Subject: Re: Edit session timeout > > From: "Aris Javier" <[EMAIL PROTECTED]> > > How to edit session timeout? Tomcat's default value is 30mins... > > Look in web.xml instead of server.xml. You can change it for the > entire container, or on a per-webapp basis, depending on which web.xml > you edit. > (Works for Tomcat 4.1, I haven't moved to 5 yet...) > > -- > Wendy Smoak > > > > - > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > > > - > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Edit session timeout
120 Look, at the web.xml file inside the conf directory, the global web.xml file that is. You can usually find this right above the mime-type mapping definitions. Drew. On Sun, 2005-01-30 at 20:28, Aris Javier wrote: > I looked at my web.xml, and no sessionTimeout found there... > can you give me an example on how to write it down in web.xml? > > thanks! > aris > > -Original Message- > From: Wendy Smoak [mailto:[EMAIL PROTECTED] > Sent: Monday, January 31, 2005 12:25 PM > To: Tomcat Users List > Subject: Re: Edit session timeout > > From: "Aris Javier" <[EMAIL PROTECTED]> > > How to edit session timeout? Tomcat's default value is 30mins... > > Look in web.xml instead of server.xml. You can change it for the entire > container, or on a per-webapp basis, depending on which web.xml you > edit. > (Works for Tomcat 4.1, I haven't moved to 5 yet...) > > -- > Wendy Smoak > > > > - > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > > > - > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Edit session timeout
> From: Aris Javier [mailto:[EMAIL PROTECTED] > Subject: RE: Edit session timeout > > I looked at my web.xml, and no sessionTimeout found there... > can you give me an example on how to write it down in web.xml? Not sure what you meant by "my" web.xml, since, as Wendy noted, there's a global one in the conf directory, as well as one in the WEB-INF directory of each web app. The session timeout is usually in the global one, but can be overridden in each web app if needed. - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Edit session timeout
I looked at my web.xml, and no sessionTimeout found there... can you give me an example on how to write it down in web.xml? thanks! aris -Original Message- From: Wendy Smoak [mailto:[EMAIL PROTECTED] Sent: Monday, January 31, 2005 12:25 PM To: Tomcat Users List Subject: Re: Edit session timeout From: "Aris Javier" <[EMAIL PROTECTED]> > How to edit session timeout? Tomcat's default value is 30mins... Look in web.xml instead of server.xml. You can change it for the entire container, or on a per-webapp basis, depending on which web.xml you edit. (Works for Tomcat 4.1, I haven't moved to 5 yet...) -- Wendy Smoak - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Edit session timeout
From: "Aris Javier" <[EMAIL PROTECTED]> How to edit session timeout? Tomcat's default value is 30mins... Look in web.xml instead of server.xml. You can change it for the entire container, or on a per-webapp basis, depending on which web.xml you edit. (Works for Tomcat 4.1, I haven't moved to 5 yet...) -- Wendy Smoak - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Edit session timeout
Hello! How to edit session timeout? Tomcat's default value is 30mins... 30 minutes of inactivity then a session will expire... In my apps, i think 30minutes is too long.. i want 5 minutes of inactivity before session expires... is it in server.xml? i only see connectionTimeout which is 2? is connectionTimeout the same with sessionTimeout? Thanks and regards, Aris <mailto:[EMAIL PROTECTED]>
Re: Session timeout
How about trying? Put this inside your in web.xml 10 The number within the session-timeout element must be expressed in minutes. Works for me with the StandardManager, in tomcat 5 Trond Freddy Villalba A. wrote: Hi everybody, Is it possible to configure the session timeout using the org.apache.catalina.session.StandardManager Session Manager or am I forced to use the Persistent Manager just for doing so? (Tomcat v4.1) Regards, F. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Session timeout
Hi everybody, Is it possible to configure the session timeout using the org.apache.catalina.session.StandardManager Session Manager or am I forced to use the Persistent Manager just for doing so? (Tomcat v4.1) Regards, F. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: RE: session-timeout means tomcat restart
Other points? I posted details when I solved this problem, last Friday, but I only now realized that someone changed the thread, a couple have, and my post is related to that thread. Perhaps you didn't see that. If you're wondering about event listeners, I have not implemented any as of yet. If you're still looking for other points then I'll need you to be specific. Also, in looking back at this thread I noticed you were the one who suggested creating a myapp.xml and where to put it. This was the suggestion I followed that finally solved my problem. Many thx for that! I still have yet to find a mention of this in TC 5.0 docs. Eric btw, I am required to manually put that myapp.xml at CATALINA_HOME/conf/Catalina/localhost/. I tried creating a META-INF, located at /myapp/ with a context.xml, but this did not result in a dynamic copy at CATALINA_HOME/conf/Catalina/localhost/. On Tue, 9 Nov 2004 00:51:09 -, Steve Kirk <[EMAIL PROTECTED]> wrote: > sorry but no. what about the other points. > > > > > -Original Message- > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] > > Sent: Monday 08 November 2004 22:37 > > To: Tomcat Users List > > Subject: Re: RE: session-timeout means tomcat restart > > > > > > We had a 'hung, and won't work without a reboot problem' and it > > was two things - we had to update some driver for the intel > > NIC cards in our > > server (for RedHat ES) and had to change some settings to get > > better NIC > > throughput. > > > > Hope it helps. > > > > - Original Message - > > From: Steve Kirk <[EMAIL PROTECTED]> > > Date: Monday, November 8, 2004 4:19 pm > > Subject: RE: session-timeout means tomcat restart > > > > > Sorry for not replying sooner, I've been busy for a few days. > > > > > > Can you say more about the crashing? Any evidence from the logs? > > > A bit > > > difficult to be any more specific without more to go on really :) > > > > > > > However, I > > > > > have references to them from the controller so that shouldn't > > > be the > > > > > problem... eh? > > > > > > You mention "controller". Are you using TC as-is, or are you using a > > > framework such as struts or JSF by any chance? > > > > > > If you suspect that the problem is triggered by a closing session, > > > why not > > > try shortening the session timeout to a shorter length and see if > > > it crashes > > > quicker? In fact, it's worth checking whether the crash is around > > > the time > > > of the session expiry or not. If not, then your problem may not > > > be directly > > > caused by TC at all.? > > > > > > Do you have any event listeners? If you have one for > > > sessionDestroyed/sessionWillPassivate, what does this code do? > > > > > > > -Original Message- > > > > From: Eric Wulff [EMAIL PROTECTED] > > > > Sent: Saturday 06 November 2004 00:51 > > > > To: Steve Kirk > > > > Cc: Tomcat Users List > > > > Subject: Re: session-timeout means tomcat restart > > > > > > > > > > > > Well, this is amazingly frustrating. My TC 5.0.28 > > running on Linux > > > > FC2 is completely crashing about every half hr when I > > have a webapp > > > > open and don't interact with it. I no longer have a time-out > > > element> in my web.xml so that doesn't seem to matter. TC > > > shutdown and restart > > > > does not work. Instead, I'm required to hard boot my > > machine. I'm > > > > hung just trying to access the static welcome page of any app, > > > > although I do know that init() of the webapp I'm working > > on is being > > > > called. > > > > > > > > Eric > > > > > > > > > > > > On Fri, 5 Nov 2004 15:43:28 -0800, Eric Wulff > > > > <[EMAIL PROTECTED]> wrote: > > > > > Linux FC2 > > > > > TC 5.0.28 > > > > > > > > > > I'm not storing a db object within a session although I > > am storing > > > > > objs within the session(of course - session.setAttribute). > > > > However, I > > > > > have references to them from the controller so that shouldn't > > > be the > > > > > problem... eh? > > > > > > > > > >
RE: RE: session-timeout means tomcat restart
sorry but no. what about the other points. > -Original Message- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] > Sent: Monday 08 November 2004 22:37 > To: Tomcat Users List > Subject: Re: RE: session-timeout means tomcat restart > > > We had a 'hung, and won't work without a reboot problem' and it > was two things - we had to update some driver for the intel > NIC cards in our > server (for RedHat ES) and had to change some settings to get > better NIC > throughput. > > Hope it helps. > > - Original Message - > From: Steve Kirk <[EMAIL PROTECTED]> > Date: Monday, November 8, 2004 4:19 pm > Subject: RE: session-timeout means tomcat restart > > > Sorry for not replying sooner, I've been busy for a few days. > > > > Can you say more about the crashing? Any evidence from the logs? > > A bit > > difficult to be any more specific without more to go on really :) > > > > > However, I > > > > have references to them from the controller so that shouldn't > > be the > > > > problem... eh? > > > > You mention "controller". Are you using TC as-is, or are you using a > > framework such as struts or JSF by any chance? > > > > If you suspect that the problem is triggered by a closing session, > > why not > > try shortening the session timeout to a shorter length and see if > > it crashes > > quicker? In fact, it's worth checking whether the crash is around > > the time > > of the session expiry or not. If not, then your problem may not > > be directly > > caused by TC at all.? > > > > Do you have any event listeners? If you have one for > > sessionDestroyed/sessionWillPassivate, what does this code do? > > > > > -Original Message- > > > From: Eric Wulff [EMAIL PROTECTED] > > > Sent: Saturday 06 November 2004 00:51 > > > To: Steve Kirk > > > Cc: Tomcat Users List > > > Subject: Re: session-timeout means tomcat restart > > > > > > > > > Well, this is amazingly frustrating. My TC 5.0.28 > running on Linux > > > FC2 is completely crashing about every half hr when I > have a webapp > > > open and don't interact with it. I no longer have a time-out > > element> in my web.xml so that doesn't seem to matter. TC > > shutdown and restart > > > does not work. Instead, I'm required to hard boot my > machine. I'm > > > hung just trying to access the static welcome page of any app, > > > although I do know that init() of the webapp I'm working > on is being > > > called. > > > > > > Eric > > > > > > > > > On Fri, 5 Nov 2004 15:43:28 -0800, Eric Wulff > > > <[EMAIL PROTECTED]> wrote: > > > > Linux FC2 > > > > TC 5.0.28 > > > > > > > > I'm not storing a db object within a session although I > am storing > > > > objs within the session(of course - session.setAttribute). > > > However, I > > > > have references to them from the controller so that shouldn't > > be the > > > > problem... eh? > > > > > > > > An interesting thing, I sometimes have to reboot my > > > machine, not just > > > > restart TC. Although other apps run fine, I have to reboot > > > my machine > > > > in order to get TC up again. > > > > > > > > I optimized my db connection, I did have it in servlet init(). > > > > Although I knew I had to do this and I'm much better off > > > for it, and I > > > > appreciate you're noting it, but this didn't eliminate the > > crashing> > problem. > > > > > > > > I also am now taking advantage of a connection pool. > > > However, as you > > > > figured, that does not solve the crash problem. > > > > > > > > Finally, I removed the > > > element from > > > > myapp web.xml to test if this is the initiator of the problem. > > Let > > > > you know what I find. Still, even if this is what initiates the > > > > sequence leading to a crash, it shouldn't so something need be > > > > fixed/optimized. Any other ideas? > > > > > > > > Eric > > > > > > > > > > > > > > > > > > > > On Fri, 5 Nov 2004 13:03:27 -, Steve Kirk > > &g
Re: session-timeout means tomcat restart
Hi Steve, sorry for lack of details. In any case, problem solved. I am developing a webapp in the MVC style and was referring to the 'C' of the MVC when mentioning the "controller". I am using TC as-is however. There was a bug in a data source validity check upon login making it so the data source was not getting re-established if need be. Then it would just hang on login. Not sure why I was often required to hard boot but it's not longer a problem since I corrected the data source hook. Eric On Mon, 8 Nov 2004 22:19:27 -, Steve Kirk <[EMAIL PROTECTED]> wrote: > Sorry for not replying sooner, I've been busy for a few days. > > Can you say more about the crashing? Any evidence from the logs? A bit > difficult to be any more specific without more to go on really :) > > > However, I > > > have references to them from the controller so that shouldn't be the > > > problem... eh? > > You mention "controller". Are you using TC as-is, or are you using a > framework such as struts or JSF by any chance? > > If you suspect that the problem is triggered by a closing session, why not > try shortening the session timeout to a shorter length and see if it crashes > quicker? In fact, it's worth checking whether the crash is around the time > of the session expiry or not. If not, then your problem may not be directly > caused by TC at all.? > > Do you have any event listeners? If you have one for > sessionDestroyed/sessionWillPassivate, what does this code do? > > > > > -Original Message- > > From: Eric Wulff [mailto:[EMAIL PROTECTED] > > Sent: Saturday 06 November 2004 00:51 > > To: Steve Kirk > > Cc: Tomcat Users List > > Subject: Re: session-timeout means tomcat restart > > > > > > Well, this is amazingly frustrating. My TC 5.0.28 running on Linux > > FC2 is completely crashing about every half hr when I have a webapp > > open and don't interact with it. I no longer have a time-out element > > in my web.xml so that doesn't seem to matter. TC shutdown and restart > > does not work. Instead, I'm required to hard boot my machine. I'm > > hung just trying to access the static welcome page of any app, > > although I do know that init() of the webapp I'm working on is being > > called. > > > > Eric > > > > > > On Fri, 5 Nov 2004 15:43:28 -0800, Eric Wulff > > <[EMAIL PROTECTED]> wrote: > > > Linux FC2 > > > TC 5.0.28 > > > > > > I'm not storing a db object within a session although I am storing > > > objs within the session(of course - session.setAttribute). > > However, I > > > have references to them from the controller so that shouldn't be the > > > problem... eh? > > > > > > An interesting thing, I sometimes have to reboot my > > machine, not just > > > restart TC. Although other apps run fine, I have to reboot > > my machine > > > in order to get TC up again. > > > > > > I optimized my db connection, I did have it in servlet init(). > > > Although I knew I had to do this and I'm much better off > > for it, and I > > > appreciate you're noting it, but this didn't eliminate the crashing > > > problem. > > > > > > I also am now taking advantage of a connection pool. > > However, as you > > > figured, that does not solve the crash problem. > > > > > > Finally, I removed the > > element from > > > myapp web.xml to test if this is the initiator of the problem. Let > > > you know what I find. Still, even if this is what initiates the > > > sequence leading to a crash, it shouldn't so something need be > > > fixed/optimized. Any other ideas? > > > > > > Eric > > > > > > > > > > > > > > > On Fri, 5 Nov 2004 13:03:27 -, Steve Kirk > > > <[EMAIL PROTECTED]> wrote: > > > > > > > > > > > > > > > > > > > > > -Original Message- > > > > > From: Eric Wulff [mailto:[EMAIL PROTECTED] > > > > > Sent: Friday 05 November 2004 07:01 > > > > > To: Tomcat Users List > > > > > Subject: session-timeout means tomcat restart > > > > > > > > > > > > > > > Hi, I'm experiencing 2 interesting problems that may be > > related to my > > > > > session timeout. > > > > > > > > > > 1. It seems that when my sessio
Re: RE: session-timeout means tomcat restart
We had a 'hung, and won't work without a reboot problem' and it was two things - we had to update some driver for the intel NIC cards in our server (for RedHat ES) and had to change some settings to get better NIC throughput. Hope it helps. - Original Message - From: Steve Kirk <[EMAIL PROTECTED]> Date: Monday, November 8, 2004 4:19 pm Subject: RE: session-timeout means tomcat restart > Sorry for not replying sooner, I've been busy for a few days. > > Can you say more about the crashing? Any evidence from the logs? > A bit > difficult to be any more specific without more to go on really :) > > > However, I > > > have references to them from the controller so that shouldn't > be the > > > problem... eh? > > You mention "controller". Are you using TC as-is, or are you using a > framework such as struts or JSF by any chance? > > If you suspect that the problem is triggered by a closing session, > why not > try shortening the session timeout to a shorter length and see if > it crashes > quicker? In fact, it's worth checking whether the crash is around > the time > of the session expiry or not. If not, then your problem may not > be directly > caused by TC at all.? > > Do you have any event listeners? If you have one for > sessionDestroyed/sessionWillPassivate, what does this code do? > > > -Original Message----- > > From: Eric Wulff [EMAIL PROTECTED] > > Sent: Saturday 06 November 2004 00:51 > > To: Steve Kirk > > Cc: Tomcat Users List > > Subject: Re: session-timeout means tomcat restart > > > > > > Well, this is amazingly frustrating. My TC 5.0.28 running on Linux > > FC2 is completely crashing about every half hr when I have a webapp > > open and don't interact with it. I no longer have a time-out > element> in my web.xml so that doesn't seem to matter. TC > shutdown and restart > > does not work. Instead, I'm required to hard boot my machine. I'm > > hung just trying to access the static welcome page of any app, > > although I do know that init() of the webapp I'm working on is being > > called. > > > > Eric > > > > > > On Fri, 5 Nov 2004 15:43:28 -0800, Eric Wulff > > <[EMAIL PROTECTED]> wrote: > > > Linux FC2 > > > TC 5.0.28 > > > > > > I'm not storing a db object within a session although I am storing > > > objs within the session(of course - session.setAttribute). > > However, I > > > have references to them from the controller so that shouldn't > be the > > > problem... eh? > > > > > > An interesting thing, I sometimes have to reboot my > > machine, not just > > > restart TC. Although other apps run fine, I have to reboot > > my machine > > > in order to get TC up again. > > > > > > I optimized my db connection, I did have it in servlet init(). > > > Although I knew I had to do this and I'm much better off > > for it, and I > > > appreciate you're noting it, but this didn't eliminate the > crashing> > problem. > > > > > > I also am now taking advantage of a connection pool. > > However, as you > > > figured, that does not solve the crash problem. > > > > > > Finally, I removed the > > element from > > > myapp web.xml to test if this is the initiator of the problem. > Let > > > you know what I find. Still, even if this is what initiates the > > > sequence leading to a crash, it shouldn't so something need be > > > fixed/optimized. Any other ideas? > > > > > > Eric > > > > > > > > > > > > > > > On Fri, 5 Nov 2004 13:03:27 -, Steve Kirk > > > <[EMAIL PROTECTED]> wrote: > > > > > > > > > > > > > > > > > > > > > -Original Message- > > > > > From: Eric Wulff [EMAIL PROTECTED] > > > > > Sent: Friday 05 November 2004 07:01 > > > > > To: Tomcat Users List > > > > > Subject: session-timeout means tomcat restart > > > > > > > > > > > > > > > Hi, I'm experiencing 2 interesting problems that may be > > related to my > > > > > session timeout. > > > > > > > > > > 1. It seems that when my session times out I need to > > restart tomcat, > > > > > often just the application via reload in the manager, > > in or
RE: session-timeout means tomcat restart
Sorry for not replying sooner, I've been busy for a few days. Can you say more about the crashing? Any evidence from the logs? A bit difficult to be any more specific without more to go on really :) > However, I > > have references to them from the controller so that shouldn't be the > > problem... eh? You mention "controller". Are you using TC as-is, or are you using a framework such as struts or JSF by any chance? If you suspect that the problem is triggered by a closing session, why not try shortening the session timeout to a shorter length and see if it crashes quicker? In fact, it's worth checking whether the crash is around the time of the session expiry or not. If not, then your problem may not be directly caused by TC at all.? Do you have any event listeners? If you have one for sessionDestroyed/sessionWillPassivate, what does this code do? > -Original Message- > From: Eric Wulff [mailto:[EMAIL PROTECTED] > Sent: Saturday 06 November 2004 00:51 > To: Steve Kirk > Cc: Tomcat Users List > Subject: Re: session-timeout means tomcat restart > > > Well, this is amazingly frustrating. My TC 5.0.28 running on Linux > FC2 is completely crashing about every half hr when I have a webapp > open and don't interact with it. I no longer have a time-out element > in my web.xml so that doesn't seem to matter. TC shutdown and restart > does not work. Instead, I'm required to hard boot my machine. I'm > hung just trying to access the static welcome page of any app, > although I do know that init() of the webapp I'm working on is being > called. > > Eric > > > On Fri, 5 Nov 2004 15:43:28 -0800, Eric Wulff > <[EMAIL PROTECTED]> wrote: > > Linux FC2 > > TC 5.0.28 > > > > I'm not storing a db object within a session although I am storing > > objs within the session(of course - session.setAttribute). > However, I > > have references to them from the controller so that shouldn't be the > > problem... eh? > > > > An interesting thing, I sometimes have to reboot my > machine, not just > > restart TC. Although other apps run fine, I have to reboot > my machine > > in order to get TC up again. > > > > I optimized my db connection, I did have it in servlet init(). > > Although I knew I had to do this and I'm much better off > for it, and I > > appreciate you're noting it, but this didn't eliminate the crashing > > problem. > > > > I also am now taking advantage of a connection pool. > However, as you > > figured, that does not solve the crash problem. > > > > Finally, I removed the > element from > > myapp web.xml to test if this is the initiator of the problem. Let > > you know what I find. Still, even if this is what initiates the > > sequence leading to a crash, it shouldn't so something need be > > fixed/optimized. Any other ideas? > > > > Eric > > > > > > > > > > On Fri, 5 Nov 2004 13:03:27 -, Steve Kirk > > <[EMAIL PROTECTED]> wrote: > > > > > > > > > > > > > > > > -Original Message- > > > > From: Eric Wulff [mailto:[EMAIL PROTECTED] > > > > Sent: Friday 05 November 2004 07:01 > > > > To: Tomcat Users List > > > > Subject: session-timeout means tomcat restart > > > > > > > > > > > > Hi, I'm experiencing 2 interesting problems that may be > related to my > > > > session timeout. > > > > > > > > 1. It seems that when my session times out I need to > restart tomcat, > > > > often just the application via reload in the manager, > in order to gain > > > > access to my db again. Could this be because I've been > accessing the > > > > db via jdbc hard coded in the servlet? Might using a datasource > > > > connection pool take care of this? > > > > > > I would say that rather than the problem being JDBC > hardcoded in the > > > servlet, the problem is more likely to be _how_ that code > is written. > > > > > > if it really is the session timeout that is causing this, > it sounds to me > > > like you are storing the database objects within a > session object (which > > > seems a bit unusual). or at least the last reference to > them is stored > > > there, so that when the session is destroyed, the > database connection is > > > lost. it might be better to store the objects in local > variables within > > > doPost if
Re: session-timeout means tomcat restart
Well, this is amazingly frustrating. My TC 5.0.28 running on Linux FC2 is completely crashing about every half hr when I have a webapp open and don't interact with it. I no longer have a time-out element in my web.xml so that doesn't seem to matter. TC shutdown and restart does not work. Instead, I'm required to hard boot my machine. I'm hung just trying to access the static welcome page of any app, although I do know that init() of the webapp I'm working on is being called. Eric On Fri, 5 Nov 2004 15:43:28 -0800, Eric Wulff <[EMAIL PROTECTED]> wrote: > Linux FC2 > TC 5.0.28 > > I'm not storing a db object within a session although I am storing > objs within the session(of course - session.setAttribute). However, I > have references to them from the controller so that shouldn't be the > problem... eh? > > An interesting thing, I sometimes have to reboot my machine, not just > restart TC. Although other apps run fine, I have to reboot my machine > in order to get TC up again. > > I optimized my db connection, I did have it in servlet init(). > Although I knew I had to do this and I'm much better off for it, and I > appreciate you're noting it, but this didn't eliminate the crashing > problem. > > I also am now taking advantage of a connection pool. However, as you > figured, that does not solve the crash problem. > > Finally, I removed the element from > myapp web.xml to test if this is the initiator of the problem. Let > you know what I find. Still, even if this is what initiates the > sequence leading to a crash, it shouldn't so something need be > fixed/optimized. Any other ideas? > > Eric > > > > > On Fri, 5 Nov 2004 13:03:27 -, Steve Kirk > <[EMAIL PROTECTED]> wrote: > > > > > > > > > > > -Original Message- > > > From: Eric Wulff [mailto:[EMAIL PROTECTED] > > > Sent: Friday 05 November 2004 07:01 > > > To: Tomcat Users List > > > Subject: session-timeout means tomcat restart > > > > > > > > > Hi, I'm experiencing 2 interesting problems that may be related to my > > > session timeout. > > > > > > 1. It seems that when my session times out I need to restart tomcat, > > > often just the application via reload in the manager, in order to gain > > > access to my db again. Could this be because I've been accessing the > > > db via jdbc hard coded in the servlet? Might using a datasource > > > connection pool take care of this? > > > > I would say that rather than the problem being JDBC hardcoded in the > > servlet, the problem is more likely to be _how_ that code is written. > > > > if it really is the session timeout that is causing this, it sounds to me > > like you are storing the database objects within a session object (which > > seems a bit unusual). or at least the last reference to them is stored > > there, so that when the session is destroyed, the database connection is > > lost. it might be better to store the objects in local variables within > > doPost if your servlet is simple, or if it's more complex, then perhaps > > better places to put them would be the servlet context, or a field of the > > servlet class/instance. it all depends on your particular situation. > > whichever you choose though, you must make sure that connections are closed > > (or returned to the pool) when you have finished with them. this generally > > involves careful use of try/catch/finally. > > > > if restarting the webapp fixes the problem, it could be that your database > > objects are initialised in the servlet init() method, which is then called > > again when the webapp restarts. but if this were the case then I'm not sure > > how session timeout could cause the problem that you describe. > > > > datasource connection pooling is not necessarily the answer. you can still > > use up all your database resources and/or leave them hanging whether you > > pool them or not! > > > > > 2. Often tomcat hangs without responding at all, to static or dynamic > > > requests, after it's been left for an hr or more with no interaction. > > > Might this be related to the memory leaks I hear about? > > > > you don't say which platform/ versions you are using so memory leaks are > > hard to comment on. IMHO the issues above are more likely to be the problem > > so check those first before suspecting an error in TC :) > > > > > - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: session-timeout means tomcat restart
Linux FC2 TC 5.0.28 I'm not storing a db object within a session although I am storing objs within the session(of course - session.setAttribute). However, I have references to them from the controller so that shouldn't be the problem... eh? An interesting thing, I sometimes have to reboot my machine, not just restart TC. Although other apps run fine, I have to reboot my machine in order to get TC up again. I optimized my db connection, I did have it in servlet init(). Although I knew I had to do this and I'm much better off for it, and I appreciate you're noting it, but this didn't eliminate the crashing problem. I also am now taking advantage of a connection pool. However, as you figured, that does not solve the crash problem. Finally, I removed the element from myapp web.xml to test if this is the initiator of the problem. Let you know what I find. Still, even if this is what initiates the sequence leading to a crash, it shouldn't so something need be fixed/optimized. Any other ideas? Eric On Fri, 5 Nov 2004 13:03:27 -, Steve Kirk <[EMAIL PROTECTED]> wrote: > > > > > > -Original Message- > > From: Eric Wulff [mailto:[EMAIL PROTECTED] > > Sent: Friday 05 November 2004 07:01 > > To: Tomcat Users List > > Subject: session-timeout means tomcat restart > > > > > > Hi, I'm experiencing 2 interesting problems that may be related to my > > session timeout. > > > > 1. It seems that when my session times out I need to restart tomcat, > > often just the application via reload in the manager, in order to gain > > access to my db again. Could this be because I've been accessing the > > db via jdbc hard coded in the servlet? Might using a datasource > > connection pool take care of this? > > I would say that rather than the problem being JDBC hardcoded in the > servlet, the problem is more likely to be _how_ that code is written. > > if it really is the session timeout that is causing this, it sounds to me > like you are storing the database objects within a session object (which > seems a bit unusual). or at least the last reference to them is stored > there, so that when the session is destroyed, the database connection is > lost. it might be better to store the objects in local variables within > doPost if your servlet is simple, or if it's more complex, then perhaps > better places to put them would be the servlet context, or a field of the > servlet class/instance. it all depends on your particular situation. > whichever you choose though, you must make sure that connections are closed > (or returned to the pool) when you have finished with them. this generally > involves careful use of try/catch/finally. > > if restarting the webapp fixes the problem, it could be that your database > objects are initialised in the servlet init() method, which is then called > again when the webapp restarts. but if this were the case then I'm not sure > how session timeout could cause the problem that you describe. > > datasource connection pooling is not necessarily the answer. you can still > use up all your database resources and/or leave them hanging whether you > pool them or not! > > > 2. Often tomcat hangs without responding at all, to static or dynamic > > requests, after it's been left for an hr or more with no interaction. > > Might this be related to the memory leaks I hear about? > > you don't say which platform/ versions you are using so memory leaks are > hard to comment on. IMHO the issues above are more likely to be the problem > so check those first before suspecting an error in TC :) > > - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: session-timeout means tomcat restart
> -Original Message- > From: Eric Wulff [mailto:[EMAIL PROTECTED] > Sent: Friday 05 November 2004 07:01 > To: Tomcat Users List > Subject: session-timeout means tomcat restart > > > Hi, I'm experiencing 2 interesting problems that may be related to my > session timeout. > > 1. It seems that when my session times out I need to restart tomcat, > often just the application via reload in the manager, in order to gain > access to my db again. Could this be because I've been accessing the > db via jdbc hard coded in the servlet? Might using a datasource > connection pool take care of this? I would say that rather than the problem being JDBC hardcoded in the servlet, the problem is more likely to be _how_ that code is written. if it really is the session timeout that is causing this, it sounds to me like you are storing the database objects within a session object (which seems a bit unusual). or at least the last reference to them is stored there, so that when the session is destroyed, the database connection is lost. it might be better to store the objects in local variables within doPost if your servlet is simple, or if it's more complex, then perhaps better places to put them would be the servlet context, or a field of the servlet class/instance. it all depends on your particular situation. whichever you choose though, you must make sure that connections are closed (or returned to the pool) when you have finished with them. this generally involves careful use of try/catch/finally. if restarting the webapp fixes the problem, it could be that your database objects are initialised in the servlet init() method, which is then called again when the webapp restarts. but if this were the case then I'm not sure how session timeout could cause the problem that you describe. datasource connection pooling is not necessarily the answer. you can still use up all your database resources and/or leave them hanging whether you pool them or not! > 2. Often tomcat hangs without responding at all, to static or dynamic > requests, after it's been left for an hr or more with no interaction. > Might this be related to the memory leaks I hear about? you don't say which platform/ versions you are using so memory leaks are hard to comment on. IMHO the issues above are more likely to be the problem so check those first before suspecting an error in TC :) - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
session-timeout means tomcat restart
Hi, I'm experiencing 2 interesting problems that may be related to my session timeout. 1. It seems that when my session times out I need to restart tomcat, often just the application via reload in the manager, in order to gain access to my db again. Could this be because I've been accessing the db via jdbc hard coded in the servlet? Might using a datasource connection pool take care of this? 2. Often tomcat hangs without responding at all, to static or dynamic requests, after it's been left for an hr or more with no interaction. Might this be related to the memory leaks I hear about? thx Eric - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: session timeout: web.xml and setMaxInactiveInterval(int)
Your assumption is incorrect. When the session is created it will follow the value set in your web.xml but in this case, after session creation you modify its timeout attribute to be higher. This will only apply to sessions that go through this servlet, obviously. Ta Matt -Original Message- From: Stephen Charles Huey [mailto:[EMAIL PROTECTED] Sent: 15 July 2004 22:44 To: Tomcat User Subject: session timeout: web.xml and setMaxInactiveInterval(int) My web.xml has the following: 30 However, when a user logs in, the following code in our app gets executed: HttpSession session = request.getSession(false); session.setMaxInactiveInterval(7200); I've been fiddling with the web.xml and didn't realize that other code was in there, and I'm wondering who trumps who. I would assume that the web.xml's global setting would have priority over any individual setting, but it could easily be the other way around! Thanks, Stephen - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] Any opinions expressed in this E-mail may be those of the individual and not necessarily the company. This E-mail and any files transmitted with it are confidential and solely for the use of the intended recipient. If you are not the intended recipient or the person responsible for delivering to the intended recipient, be advised that you have received this E-mail in error and that any use or copying is strictly prohibited. If you have received this E-mail in error please notify the beCogent postmaster at [EMAIL PROTECTED] Unless expressly stated, opinions in this email are those of the individual sender and not beCogent Ltd. You must take full responsibility for virus checking this email and any attachments. Please note that the content of this email or any of its attachments may contain data that falls within the scope of the Data Protection Acts and that you must ensure that any handling or processing of such data by you is fully compliant with the terms and provisions of the Data Protection Act 1984 and 1998. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
session timeout: web.xml and setMaxInactiveInterval(int)
My web.xml has the following: 30 However, when a user logs in, the following code in our app gets executed: HttpSession session = request.getSession(false); session.setMaxInactiveInterval(7200); I've been fiddling with the web.xml and didn't realize that other code was in there, and I'm wondering who trumps who. I would assume that the web.xml's global setting would have priority over any individual setting, but it could easily be the other way around! Thanks, Stephen - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Session Timeout Error
I do not remember where i can set session time our for a web-app? But i think you must also set keepalive time, if i am not wrong :~)) -Original Message- From: Matt Krone [mailto:[EMAIL PROTECTED] Sent: Friday, June 18, 2004 5:49 PM To: [EMAIL PROTECTED] Subject: Session Timeout Error The web application I developed has a session-timeout setting of 10 minutes. When I authenticate with the application using the web browser Mozila 1.6 the session times out in 10 minutes. However, when I use the web browser IE 6.0 the session does not time out in 10 minutes. Any thoughts would be helpful? -Matt = /* Matt */ - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] __ For information about the Standard Bank group visit our web site __ Disclaimer and confidentiality note Everything in this e-mail and any attachments relating to the official business of Standard Bank Group Limited is proprietary to the group. It is confidential, legally privileged and protected by law. Standard Bank does not own and endorse any other content. Views and opinions are those of the sender unless clearly stated as being that of the group. The person addressed in the e-mail is the sole authorised recipient. Please notify the sender immediately if it has unintentionally reached you and do not read, disclose or use the content in any way. Standard Bank can not assure that the integrity of this communication has been maintained nor that it is free of errors, virus, interception or interference. ___
Session Timeout Error
The web application I developed has a session-timeout setting of 10 minutes. When I authenticate with the application using the web browser Mozila 1.6 the session times out in 10 minutes. However, when I use the web browser IE 6.0 the session does not time out in 10 minutes. Any thoughts would be helpful? -Matt = /* Matt */ - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Session Timeout and "Direct Reference to login page"
Jonathan Eric Miller wrote: The strange thing is that this page seems to only intermittently be displayed. i.e. it is catching the case where the session expires, but, in some cases since I'm using container based security, it is going back to the login page. Sometimes it goes to this page first, and then brings up the login page. Other times, it just goes straight to the login page. I need to look into it further. I have SingleSignOn enabled, so, I'm not sure if that May be it's working so fast you sometimes don't notice this redirection, and sometimes do? - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Session Timeout and "Direct Reference to login page"
I found out about a few other functions that make it bit easier. I think I
have it working using the following,
public void doFilter(ServletRequest request, ServletResponse response,
FilterChain chain) throws IOException, ServletException {
if(((HttpServletRequest)request).getRequestedSessionId() != null &&
((HttpServletRequest)request).isRequestedSessionIdValid() == false) {
RequestDispatcher rd =
request.getRequestDispatcher("/WEB-INF/sessionexpired.jsp");
rd.forward(request, response);
}
else {
chain.doFilter(request, response);
}
}
The strange thing is that this page seems to only intermittently be
displayed. i.e. it is catching the case where the session expires, but, in
some cases since I'm using container based security, it is going back to the
login page. Sometimes it goes to this page first, and then brings up the
login page. Other times, it just goes straight to the login page. I need to
look into it further. I have SingleSignOn enabled, so, I'm not sure if that
might have something to do with it. I need to do more testing. In theory, I
think it should go to the login page each time. So, I'm thinking of putting
a check in my login page similar to the above that just shows optional text
stating that the session has expired.
Another thing that I'm wondering is if it is possible to use a servlet as
the login page for Tomcat rather than a .jsp file.
Jon
- Original Message -
From: "Veniamin Fichin" <[EMAIL PROTECTED]>
To: "Tomcat Users List" <[EMAIL PROTECTED]>
Sent: Friday, May 21, 2004 7:15 AM
Subject: Re: Session Timeout and "Direct Reference to login page"
> Jonathan Eric Miller wrote:
>
> > Yeah, that seems like it would work. I'm wondering if I could maybe use
a
> > filter by itself though and not use the listener and do something like
the
> > following.
> >
> > 1. Intercept all requests with a filter.
> > 2. Get the HttpSession out of the request. Get the session ID by calling
> > HttpSession.getId();
> > 3. Get the cookie array and see if there is a cookie named "jsessionid."
If
> > there is, compare the two session IDs. If they are different forward to
> > sessionexpired.jsp to display error page. Otherwise, continue as normal.
>
> I've just tried this way, it works. Look at example .java file in
> attach for example, it's Filter implementation. Thanks for the
> suggestion, it's very useful.
>
>
> -
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Re: Session Timeout and "Direct Reference to login page"
Jonathan Eric Miller wrote:
Yeah, that seems like it would work. I'm wondering if I could maybe use a
filter by itself though and not use the listener and do something like the
following.
1. Intercept all requests with a filter.
2. Get the HttpSession out of the request. Get the session ID by calling
HttpSession.getId();
3. Get the cookie array and see if there is a cookie named "jsessionid." If
there is, compare the two session IDs. If they are different forward to
sessionexpired.jsp to display error page. Otherwise, continue as normal.
I've just tried this way, it works. Look at example .java file in
attach for example, it's Filter implementation. Thanks for the
suggestion, it's very useful.
package org.unchqua.test.servlet;
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletOutputStream;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.Cookie;
public class NewSessionFilter implements Filter {
private FilterConfig fconf;
public void init(FilterConfig arg0) throws ServletException {
fconf=arg0;
}
public void doFilter(ServletRequest req, ServletResponse resp,
FilterChain fchain) throws IOException, ServletException {
boolean newManualSession=false;
String fromSession=null;
if (((HttpServletRequest)req).getSession(false)!=null) {
fromSession=((HttpServletRequest)req).getSession(false).getId();
}
if (fromSession==null) {
fromSession=((HttpServletRequest)req).getSession().getId();
newManualSession=true;
}
String fromCookie=null;
Cookie[] cooks=((HttpServletRequest)req).getCookies();
if (cooks!=null) {
for (int i=0; i-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
SingleSignOn session timeout question
I'm using "org.apache.catalina.authenticator.SingleSignOn" for single sign on with container-based security. I have a question about session time outs. When the session for a given application times out, if a user attempts to access the application after the session has timed out, the user should have to login again, correct? According to the documentation, this is the case. However, I'm finding that it intermittently lets you continue before going to the login page. i.e. the user can still access the pages, but, the session is cleared. Has anyone else notices this? I'm wondering if this is a bug. Jon - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Session Timeout and "Direct Reference to login page"
Thanks for the suggestion. The reason that I can't do it that way (as far as I know) is because I'm using container-based security. I'm not handling the submission of the login form directly. Before I switched to using container-based security, I was doing it exactly as you described. Jon - Original Message - From: "Ben Souther" <[EMAIL PROTECTED]> To: "Tomcat Users List" <[EMAIL PROTECTED]> Sent: Thursday, May 20, 2004 12:26 PM Subject: Re: Session Timeout and "Direct Reference to login page" > What was wrong with the first suggestion? > > 1.) When your user logs in, throw an object in their session. > 2.) In each servlet/jsp (or, better, in a filter), test for the existence of > that object and forward back to the login if it is null. > > Seems pretty straight forward to me. > > > > > > On Thursday 20 May 2004 12:51 pm, Jonathan Eric Miller wrote: > > Yeah, that seems like it would work. I'm wondering if I could maybe use a > > filter by itself though and not use the listener and do something like the > > following. > > > > 1. Intercept all requests with a filter. > > 2. Get the HttpSession out of the request. Get the session ID by calling > > HttpSession.getId(); > > 3. Get the cookie array and see if there is a cookie named "jsessionid." If > > there is, compare the two session IDs. If they are different forward to > > sessionexpired.jsp to display error page. Otherwise, continue as normal. > > > > This assumes that the session ID changes everytime it expires. As far as I > > know, that is the case. > > > > I would also have to figure out how to get the jsessionid if it is in the > > URL rather than in a cookie. > > > > I would prefer to do it that way if I can for the sake of simplicity. I > > want to avoid having a Hashtable that grows indefinitely if possible. > > > > Does it seem like this work, or, am I missing something? > > > > I'm wondering if this wouldn't work if I didn't have single sign-on > > enabled. i.e. the login page would get displayed at session expiration. I'm > > not sure if the login page does only forwards, or if it does a redirect. > > I'm thinking the redirect might make the above logic not work since the > > session ID in the cookie would get updated first by the login page. Note, > > the filter runs after the login page. > > > > It seems like there should be a generic way to handle this kind of thing > > that is well understood and known to work. > > > > Jon > > > > - Original Message - > > From: "Veniamin Fichin" <[EMAIL PROTECTED]> > > To: "Tomcat Users List" <[EMAIL PROTECTED]> > > Sent: Thursday, May 20, 2004 2:59 AM > > Subject: Re: Session Timeout and "Direct Reference to login page" > > > > > Jonathan Eric Miller wrote: > > > > Thanks. I think option #1 is what I'm looking for. What I don't > > > > understand > > > > > > is what I need to do with the session listener though? > > > > > > > > I don't understand how to determine whether the new session is truly > > > > new, or > > > > > > if it's a new session because a previous session timed out. Could I use > > > > a > > > > > > filter and check the incoming session ID and if the session ID isn't in > > > > the > > > > > > list of session IDs that the server knows about, assume that it's an > > > > expired > > > > > > session? > > > > > > Yes, this may be the right solution. Store a hash in a singleton > > > class and fill it with session ids that has expired (add a new hash pair > > > in every invocation of sessionDestroyed()). And at every request check > > > > that: > > > 0) HttpSession.isNew()==true . > > > 1) HttpServletRequest.getCookies() array contains an entry that matches > > > one of your hash pairs. > > > That way you may determine if that session is truly new or an > > > expired one. It's just a guess. > > > > > > > > > - > > > To unsubscribe, e-mail: [EMAIL PROTECTED] > > > For additional commands, e-mail: [EMAIL PROTECTED] > > > > - > > To unsubscribe, e-mail: [EMAIL PROTECTED] > > For additional commands, e-mail: [EMAIL PROTECTED] > > -- > Ben Souther > F.W. Davison & Company, Inc. > > > This e-mail message, and any accompanying documents, is for the sole use of > the intended recipient(s) and may contain confidential and privileged > information. Any unauthorized review, use, disclosure, distribution or > copying is prohibited. If you are not the intended recipient, please > contact our office by email or by telephone at (508) 747-7261 and > immediately destroy all copies of the original message. > > - > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > > - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Session Timeout and "Direct Reference to login page"
What was wrong with the first suggestion? 1.) When your user logs in, throw an object in their session. 2.) In each servlet/jsp (or, better, in a filter), test for the existence of that object and forward back to the login if it is null. Seems pretty straight forward to me. On Thursday 20 May 2004 12:51 pm, Jonathan Eric Miller wrote: > Yeah, that seems like it would work. I'm wondering if I could maybe use a > filter by itself though and not use the listener and do something like the > following. > > 1. Intercept all requests with a filter. > 2. Get the HttpSession out of the request. Get the session ID by calling > HttpSession.getId(); > 3. Get the cookie array and see if there is a cookie named "jsessionid." If > there is, compare the two session IDs. If they are different forward to > sessionexpired.jsp to display error page. Otherwise, continue as normal. > > This assumes that the session ID changes everytime it expires. As far as I > know, that is the case. > > I would also have to figure out how to get the jsessionid if it is in the > URL rather than in a cookie. > > I would prefer to do it that way if I can for the sake of simplicity. I > want to avoid having a Hashtable that grows indefinitely if possible. > > Does it seem like this work, or, am I missing something? > > I'm wondering if this wouldn't work if I didn't have single sign-on > enabled. i.e. the login page would get displayed at session expiration. I'm > not sure if the login page does only forwards, or if it does a redirect. > I'm thinking the redirect might make the above logic not work since the > session ID in the cookie would get updated first by the login page. Note, > the filter runs after the login page. > > It seems like there should be a generic way to handle this kind of thing > that is well understood and known to work. > > Jon > > - Original Message - > From: "Veniamin Fichin" <[EMAIL PROTECTED]> > To: "Tomcat Users List" <[EMAIL PROTECTED]> > Sent: Thursday, May 20, 2004 2:59 AM > Subject: Re: Session Timeout and "Direct Reference to login page" > > > Jonathan Eric Miller wrote: > > > Thanks. I think option #1 is what I'm looking for. What I don't > > understand > > > > is what I need to do with the session listener though? > > > > > > I don't understand how to determine whether the new session is truly > > new, or > > > > if it's a new session because a previous session timed out. Could I use > > a > > > > filter and check the incoming session ID and if the session ID isn't in > > the > > > > list of session IDs that the server knows about, assume that it's an > > expired > > > > session? > > > > Yes, this may be the right solution. Store a hash in a singleton > > class and fill it with session ids that has expired (add a new hash pair > > in every invocation of sessionDestroyed()). And at every request check > > that: > > 0) HttpSession.isNew()==true . > > 1) HttpServletRequest.getCookies() array contains an entry that matches > > one of your hash pairs. > > That way you may determine if that session is truly new or an > > expired one. It's just a guess. > > > > > > - > > To unsubscribe, e-mail: [EMAIL PROTECTED] > > For additional commands, e-mail: [EMAIL PROTECTED] > > - > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] -- Ben Souther F.W. Davison & Company, Inc. This e-mail message, and any accompanying documents, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure, distribution or copying is prohibited. If you are not the intended recipient, please contact our office by email or by telephone at (508) 747-7261 and immediately destroy all copies of the original message. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Session Timeout and "Direct Reference to login page"
Yeah, that seems like it would work. I'm wondering if I could maybe use a filter by itself though and not use the listener and do something like the following. 1. Intercept all requests with a filter. 2. Get the HttpSession out of the request. Get the session ID by calling HttpSession.getId(); 3. Get the cookie array and see if there is a cookie named "jsessionid." If there is, compare the two session IDs. If they are different forward to sessionexpired.jsp to display error page. Otherwise, continue as normal. This assumes that the session ID changes everytime it expires. As far as I know, that is the case. I would also have to figure out how to get the jsessionid if it is in the URL rather than in a cookie. I would prefer to do it that way if I can for the sake of simplicity. I want to avoid having a Hashtable that grows indefinitely if possible. Does it seem like this work, or, am I missing something? I'm wondering if this wouldn't work if I didn't have single sign-on enabled. i.e. the login page would get displayed at session expiration. I'm not sure if the login page does only forwards, or if it does a redirect. I'm thinking the redirect might make the above logic not work since the session ID in the cookie would get updated first by the login page. Note, the filter runs after the login page. It seems like there should be a generic way to handle this kind of thing that is well understood and known to work. Jon - Original Message - From: "Veniamin Fichin" <[EMAIL PROTECTED]> To: "Tomcat Users List" <[EMAIL PROTECTED]> Sent: Thursday, May 20, 2004 2:59 AM Subject: Re: Session Timeout and "Direct Reference to login page" > Jonathan Eric Miller wrote: > > > Thanks. I think option #1 is what I'm looking for. What I don't understand > > is what I need to do with the session listener though? > > > > I don't understand how to determine whether the new session is truly new, or > > if it's a new session because a previous session timed out. Could I use a > > filter and check the incoming session ID and if the session ID isn't in the > > list of session IDs that the server knows about, assume that it's an expired > > session? > > Yes, this may be the right solution. Store a hash in a singleton > class and fill it with session ids that has expired (add a new hash pair > in every invocation of sessionDestroyed()). And at every request check that: > 0) HttpSession.isNew()==true . > 1) HttpServletRequest.getCookies() array contains an entry that matches > one of your hash pairs. > That way you may determine if that session is truly new or an > expired one. It's just a guess. > > > - > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Session Timeout and "Direct Reference to login page"
In my case, I don't just want to test for a timed out session. I want to see
if the session has timed out since the user has logged in.
So, when the user logs in, I add an object to the session (any object will
do). Then at the top of every servlet I test for the existence of that
object 'if(session.getAttribute("myObject") == null)'. If the object is null
then I know that the session has timed out since the user last logged in.
At that point, I forward to the session expired page which informs the user
that he/she must log back in.
It sounds like you're looking for something similar.
On Wednesday 19 May 2004 04:56 pm, Jonathan Eric Miller wrote:
> Thanks. I think option #1 is what I'm looking for. What I don't understand
> is what I need to do with the session listener though?
>
> I don't understand how to determine whether the new session is truly new,
> or if it's a new session because a previous session timed out. Could I use
> a filter and check the incoming session ID and if the session ID isn't in
> the list of session IDs that the server knows about, assume that it's an
> expired session?
>
> Does anyone have example source code on how to do this?
>
> Jon
>
> - Original Message -
> From: "QM" <[EMAIL PROTECTED]>
> To: "Tomcat Users List" <[EMAIL PROTECTED]>
> Sent: Wednesday, May 19, 2004 3:16 PM
> Subject: Re: Session Timeout and "Direct Reference to login page"
>
> > On Wed, May 19, 2004 at 02:58:05PM -0500, Jonathan Eric Miller wrote:
> > : All I want to do is detect when a session has timed out for a user and
> > : display a page stating such when the user makes a request after the
>
> session
>
> > : has timed out. It seems like this should be a straight forward thing to
>
> do.
>
> > : Am I missing something?
> >
> > You could use a session listener and check its existence with a
> > filter... In other words:
> >
> > // filter pseudocode
> > if( null != session.getAttribute( "UserMarker" ) ){
> > // pass the req and resp down the filter chain
> > }else{
> > // forward() to a "your session timed out" page
> > }
> >
> > Is this what you're after?
> >
> > Option #2: have each page meta-refresh to the "your session timed out"
> > page (set the refresh value 1 or 2 seconds beyond the session timeout).
> > This is more intrusive, though: people don't typically like it when
> > their browser starts moving around when they didn't explicitly ask.
> >
> > -QM
> >
> > --
> >
> > software -- http://www.brandxdev.net
> > tech news -- http://www.RoarNetworX.com
> >
> >
> > -
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
>
> -
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
--
Ben Souther
F.W. Davison & Company, Inc.
This e-mail message, and any accompanying documents, is for the sole use of
the intended recipient(s) and may contain confidential and privileged
information. Any unauthorized review, use, disclosure, distribution or
copying is prohibited. If you are not the intended recipient, please
contact our office by email or by telephone at (508) 747-7261 and
immediately destroy all copies of the original message.
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Re: Session Timeout and "Direct Reference to login page"
Jonathan Eric Miller wrote: Thanks. I think option #1 is what I'm looking for. What I don't understand is what I need to do with the session listener though? I don't understand how to determine whether the new session is truly new, or if it's a new session because a previous session timed out. Could I use a filter and check the incoming session ID and if the session ID isn't in the list of session IDs that the server knows about, assume that it's an expired session? Yes, this may be the right solution. Store a hash in a singleton class and fill it with session ids that has expired (add a new hash pair in every invocation of sessionDestroyed()). And at every request check that: 0) HttpSession.isNew()==true . 1) HttpServletRequest.getCookies() array contains an entry that matches one of your hash pairs. That way you may determine if that session is truly new or an expired one. It's just a guess. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Session Timeout and "Direct Reference to login page"
Renato, Did you ever receive a response to this? I'm having the same problem. My current problem is slightly more complicated though. I have my application protected using container based security, but, I also have single-sign on enabled. So, the user doesn't get redirected back to the login page when the session times out. Previously, I used to make it so that if the session had expired (detected by my main JavaBean not being present (I was never able to figure out how to determine whether it was a new session or one that had expired and hence couldn't display an error message in the later case)), I'd just redirect the user back to the first page of my application. However, now, I'm using JavaServer Faces. As a result, I'm not the one implementing the controller part of my application, JSF is. Someone mentioned something about using HttpSessionListener. I don't see how that can work because you don't have a handle to the request and response. Is there a standard way of handling session timeouts? All I want to do is detect when a session has timed out for a user and display a page stating such when the user makes a request after the session has timed out. It seems like this should be a straight forward thing to do. Am I missing something? Jon - Original Message - From: "Renato Romano" <[EMAIL PROTECTED]> To: "'Tomcat Users List'" <[EMAIL PROTECTED]> Sent: Tuesday, March 02, 2004 3:31 AM Subject: Session Timeout and "Direct Reference to login page" > I have two problems i'm facing with every web application using > declarative security model, that is: > > 1) Detect that the user session has expired, and forward him to an > appropriate login page; Usually we build webapp in which the home page > shows a login form; to handle this, I use to make a "index.jsp" page > which redirects the user to a protected page; this is handled by the > container which then shows my login page (as specified in web.xml) that > is my HOME page. With this approach however, I can't detect session > expirying, so if the session times out, the user is presented with the > HOME page (the login > page) without further notice or advice!! I tried to solve this with a > filter, but it seems the container (Tomcat 4.1.127 inside Jboss) > forwards to the login page without calling the filter. > > 2) If the user waits too long reading the home/login page, the sessions > times out, Tomcat looses the reference to the previously requested > protected page, and on login shows an "Invalid Direct refernce to form > login page" error. Again a filter seem not to be useful in this case, > since Tomcat commits the error without calling the filter!! > > Any help or hint on this topic is very, very appreciated > > Renato > > > > Renato Romano > Sistemi e Telematica S.p.A. > Calata Grazie - Vial Al Molo Giano > 16127 - GENOVA > > e-mail: [EMAIL PROTECTED] > Tel.: 010 2712603 > _ > > > > > > - > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Session Timeout and "Direct Reference to login page"
On Wed, May 19, 2004 at 02:58:05PM -0500, Jonathan Eric Miller wrote:
: All I want to do is detect when a session has timed out for a user and
: display a page stating such when the user makes a request after the session
: has timed out. It seems like this should be a straight forward thing to do.
: Am I missing something?
You could use a session listener and check its existence with a
filter... In other words:
// filter pseudocode
if( null != session.getAttribute( "UserMarker" ) ){
// pass the req and resp down the filter chain
}else{
// forward() to a "your session timed out" page
}
Is this what you're after?
Option #2: have each page meta-refresh to the "your session timed out"
page (set the refresh value 1 or 2 seconds beyond the session timeout).
This is more intrusive, though: people don't typically like it when
their browser starts moving around when they didn't explicitly ask.
-QM
--
software -- http://www.brandxdev.net
tech news -- http://www.RoarNetworX.com
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Re: Session Timeout and "Direct Reference to login page"
It's too bad there isn't a element that you can put in web.xml kind of like the element... Jon - Original Message - From: "Jonathan Eric Miller" <[EMAIL PROTECTED]> To: "Tomcat Users List" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]> Sent: Wednesday, May 19, 2004 2:58 PM Subject: Re: Session Timeout and "Direct Reference to login page" > Renato, > > Did you ever receive a response to this? I'm having the same problem. > > My current problem is slightly more complicated though. I have my > application protected using container based security, but, I also have > single-sign on enabled. So, the user doesn't get redirected back to the > login page when the session times out. > > Previously, I used to make it so that if the session had expired (detected > by my main JavaBean not being present (I was never able to figure out how to > determine whether it was a new session or one that had expired and hence > couldn't display an error message in the later case)), I'd just redirect the > user back to the first page of my application. However, now, I'm using > JavaServer Faces. As a result, I'm not the one implementing the controller > part of my application, JSF is. > > Someone mentioned something about using HttpSessionListener. I don't see how > that can work because you don't have a handle to the request and response. > > Is there a standard way of handling session timeouts? > > All I want to do is detect when a session has timed out for a user and > display a page stating such when the user makes a request after the session > has timed out. It seems like this should be a straight forward thing to do. > Am I missing something? > > Jon > > - Original Message - > From: "Renato Romano" <[EMAIL PROTECTED]> > To: "'Tomcat Users List'" <[EMAIL PROTECTED]> > Sent: Tuesday, March 02, 2004 3:31 AM > Subject: Session Timeout and "Direct Reference to login page" > > > > I have two problems i'm facing with every web application using > > declarative security model, that is: > > > > 1) Detect that the user session has expired, and forward him to an > > appropriate login page; Usually we build webapp in which the home page > > shows a login form; to handle this, I use to make a "index.jsp" page > > which redirects the user to a protected page; this is handled by the > > container which then shows my login page (as specified in web.xml) that > > is my HOME page. With this approach however, I can't detect session > > expirying, so if the session times out, the user is presented with the > > HOME page (the login > > page) without further notice or advice!! I tried to solve this with a > > filter, but it seems the container (Tomcat 4.1.127 inside Jboss) > > forwards to the login page without calling the filter. > > > > 2) If the user waits too long reading the home/login page, the sessions > > times out, Tomcat looses the reference to the previously requested > > protected page, and on login shows an "Invalid Direct refernce to form > > login page" error. Again a filter seem not to be useful in this case, > > since Tomcat commits the error without calling the filter!! > > > > Any help or hint on this topic is very, very appreciated > > > > Renato > > > > > > > > Renato Romano > > Sistemi e Telematica S.p.A. > > Calata Grazie - Vial Al Molo Giano > > 16127 - GENOVA > > > > e-mail: [EMAIL PROTECTED] > > Tel.: 010 2712603 > > _ > > > > > > > > > > > > - > > To unsubscribe, e-mail: [EMAIL PROTECTED] > > For additional commands, e-mail: [EMAIL PROTECTED] > > > > > - > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Session Timeout and "Direct Reference to login page"
Tomcat behaves according to the Servlet/JSP specs. It creates a new session if a request is made after the previous one expires. It's not too difficult to write your own, I did. -Write a session-timeout.jsp with a link to your login. -Define a context-param in web.xml (session-timeout-page-url) or something like that, which defines the name of your session-timeout.jsp -At the top of every servlet check for the existence of an object that get's put in session during login (an empty string will do). If it's null, forward to the session-timeout.jsp. Of course, you could also just forward straight to the login page and bypass the session-timeout.jsp altogether. If you're doing everything with JSPs, you could just use an include for the code that does the checking so you don't have to put the same code on the top of every JSP. You could also do the same thing from a Filter. On Wednesday 19 May 2004 04:35 pm, Jonathan Eric Miller wrote: > It's too bad there isn't a element that you can put > in web.xml kind of like the element... > > Jon > > - Original Message - > From: "Jonathan Eric Miller" <[EMAIL PROTECTED]> > To: "Tomcat Users List" <[EMAIL PROTECTED]>; > <[EMAIL PROTECTED]> > Sent: Wednesday, May 19, 2004 2:58 PM > Subject: Re: Session Timeout and "Direct Reference to login page" > > > Renato, > > > > Did you ever receive a response to this? I'm having the same problem. > > > > My current problem is slightly more complicated though. I have my > > application protected using container based security, but, I also have > > single-sign on enabled. So, the user doesn't get redirected back to the > > login page when the session times out. > > > > Previously, I used to make it so that if the session had expired > > (detected by my main JavaBean not being present (I was never able to > > figure out how > > to > > > determine whether it was a new session or one that had expired and hence > > couldn't display an error message in the later case)), I'd just redirect > > the > > > user back to the first page of my application. However, now, I'm using > > JavaServer Faces. As a result, I'm not the one implementing the > > controller part of my application, JSF is. > > > > Someone mentioned something about using HttpSessionListener. I don't see > > how > > > that can work because you don't have a handle to the request and > > response. > > > > Is there a standard way of handling session timeouts? > > > > All I want to do is detect when a session has timed out for a user and > > display a page stating such when the user makes a request after the > > session > > > has timed out. It seems like this should be a straight forward thing to > > do. > > > Am I missing something? > > > > Jon > > > > - Original Message - > > From: "Renato Romano" <[EMAIL PROTECTED]> > > To: "'Tomcat Users List'" <[EMAIL PROTECTED]> > > Sent: Tuesday, March 02, 2004 3:31 AM > > Subject: Session Timeout and "Direct Reference to login page" > > > > > I have two problems i'm facing with every web application using > > > declarative security model, that is: > > > > > > 1) Detect that the user session has expired, and forward him to an > > > appropriate login page; Usually we build webapp in which the home page > > > shows a login form; to handle this, I use to make a "index.jsp" page > > > which redirects the user to a protected page; this is handled by the > > > container which then shows my login page (as specified in web.xml) that > > > is my HOME page. With this approach however, I can't detect session > > > expirying, so if the session times out, the user is presented with the > > > HOME page (the login > > > page) without further notice or advice!! I tried to solve this with a > > > filter, but it seems the container (Tomcat 4.1.127 inside Jboss) > > > forwards to the login page without calling the filter. > > > > > > 2) If the user waits too long reading the home/login page, the sessions > > > times out, Tomcat looses the reference to the previously requested > > > protected page, and on login shows an "Invalid Direct refernce to form > > > login page" error. Again a filter seem not to be useful in this case, > > > since Tomcat commits the error without calling the filter!! > > > > > > Any help or hint on this to
Re: Session Timeout and "Direct Reference to login page"
Thanks. I think option #1 is what I'm looking for. What I don't understand
is what I need to do with the session listener though?
I don't understand how to determine whether the new session is truly new, or
if it's a new session because a previous session timed out. Could I use a
filter and check the incoming session ID and if the session ID isn't in the
list of session IDs that the server knows about, assume that it's an expired
session?
Does anyone have example source code on how to do this?
Jon
- Original Message -
From: "QM" <[EMAIL PROTECTED]>
To: "Tomcat Users List" <[EMAIL PROTECTED]>
Sent: Wednesday, May 19, 2004 3:16 PM
Subject: Re: Session Timeout and "Direct Reference to login page"
> On Wed, May 19, 2004 at 02:58:05PM -0500, Jonathan Eric Miller wrote:
> : All I want to do is detect when a session has timed out for a user and
> : display a page stating such when the user makes a request after the
session
> : has timed out. It seems like this should be a straight forward thing to
do.
> : Am I missing something?
>
> You could use a session listener and check its existence with a
> filter... In other words:
>
> // filter pseudocode
> if( null != session.getAttribute( "UserMarker" ) ){
> // pass the req and resp down the filter chain
> }else{
> // forward() to a "your session timed out" page
> }
>
> Is this what you're after?
>
> Option #2: have each page meta-refresh to the "your session timed out"
> page (set the refresh value 1 or 2 seconds beyond the session timeout).
> This is more intrusive, though: people don't typically like it when
> their browser starts moving around when they didn't explicitly ask.
>
> -QM
>
> --
>
> software -- http://www.brandxdev.net
> tech news -- http://www.RoarNetworX.com
>
>
> -
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Session Timeout and "Direct Reference to login page"
I have two problems i'm facing with every web application using declarative security model, that is: 1) Detect that the user session has expired, and forward him to an appropriate login page; Usually we build webapp in which the home page shows a login form; to handle this, I use to make a "index.jsp" page which redirects the user to a protected page; this is handled by the container which then shows my login page (as specified in web.xml) that is my HOME page. With this approach however, I can't detect session expirying, so if the session times out, the user is presented with the HOME page (the login page) without further notice or advice!! I tried to solve this with a filter, but it seems the container (Tomcat 4.1.127 inside Jboss) forwards to the login page without calling the filter. 2) If the user waits too long reading the home/login page, the sessions times out, Tomcat looses the reference to the previously requested protected page, and on login shows an "Invalid Direct refernce to form login page" error. Again a filter seem not to be useful in this case, since Tomcat commits the error without calling the filter!! Any help or hint on this topic is very, very appreciated Renato Renato Romano Sistemi e Telematica S.p.A. Calata Grazie - Vial Al Molo Giano 16127 - GENOVA e-mail: [EMAIL PROTECTED] Tel.: 010 2712603 _ - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Session Timeout and "Direct Reference to login page"
I have two problems i'm facing with every web application using declarative security model, that is: 1) Detect that the user session has expired, and forward him to an appropriate login page; Usually we build webapp in which the home page shows a login form; to handle this, I use to make a "index.jsp" page which redirects the user to a protected page; this is handled by the container which then shows my login page (as specified in web.xml) that is my HOME page. With this approach however, I can't detect session expirying, so if the session times out, the user is presented with the HOME page (the login page) without further notice or advice!! I tried to solve this with a filter, but it seems the container (Tomcat 4.1.127 inside Jboss) forwards to the login page without calling the filter. 2) If the user waits too long reading the home/login page, the sessions times out, Tomcat looses the reference to the previously requested protected page, and on login shows an "Invalid Direct refernce to form login page" error. Again a filter seem not to be useful in this case, since Tomcat commits the error without calling the filter!! Any help or hint on this topic is very, very appreciated Renato Renato Romano Sistemi e Telematica S.p.A. Calata Grazie - Vial Al Molo Giano 16127 - GENOVA e-mail: [EMAIL PROTECTED] Tel.: 010 2712603 _ - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: How to set session timeout?
Howdy, You should read the specification for session timeout. You can't set it for less than a minute using web.xml. The default is 30 minutes. Yoav Shapira Millennium ChemInformatics >-Original Message- >From: Mufaddal Khumri [mailto:[EMAIL PROTECTED] >Sent: Tuesday, January 20, 2004 7:52 PM >To: Tomcat Users List >Subject: Re: How to set session timeout? > >Whats the default value set for session timeout?? (tomcat 4.1.29)? > >ie if I do not specify the session-timeout whats the default ? > >Thanks > > >On Jan 20, 2004, at 3:30 PM, Filip Hanik wrote: > >> in web.xml in your web application (WEB-INF/web.xml) >> >> Filip >> - Original Message - >> From: "Mufaddal Khumri" <[EMAIL PROTECTED]> >> To: "Tomcat Users List" <[EMAIL PROTECTED]> >> Sent: Tuesday, January 20, 2004 2:27 PM >> Subject: How to set session timeout? >> >> >>> From where can you set the session timeout ? In other words where in >>> Tomcat can you control the session timeout ? >>> >>> Thanks >>> >>> >>> - >>> To unsubscribe, e-mail: [EMAIL PROTECTED] >>> For additional commands, e-mail: [EMAIL PROTECTED] >> >> - >> To unsubscribe, e-mail: [EMAIL PROTECTED] >> For additional commands, e-mail: [EMAIL PROTECTED] > > >- >To unsubscribe, e-mail: [EMAIL PROTECTED] >For additional commands, e-mail: [EMAIL PROTECTED] This e-mail, including any attachments, is a confidential business communication, and may contain information that is confidential, proprietary and/or privileged. This e-mail is intended only for the individual(s) to whom it is addressed, and may not be saved, copied, printed, disclosed or used by anyone else. If you are not the(an) intended recipient, please immediately delete this e-mail from your computer system and notify the sender. Thank you. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: How to set session timeout?
Whats the default value set for session timeout?? (tomcat 4.1.29)? ie if I do not specify the session-timeout whats the default ? Thanks On Jan 20, 2004, at 3:30 PM, Filip Hanik wrote: in web.xml in your web application (WEB-INF/web.xml) Filip - Original Message - From: "Mufaddal Khumri" <[EMAIL PROTECTED]> To: "Tomcat Users List" <[EMAIL PROTECTED]> Sent: Tuesday, January 20, 2004 2:27 PM Subject: How to set session timeout? From where can you set the session timeout ? In other words where in Tomcat can you control the session timeout ? Thanks - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: How to set session timeout?
1 Can we set the session-timeout less than a minute? Thanks On Jan 20, 2004, at 3:30 PM, Filip Hanik wrote: in web.xml in your web application (WEB-INF/web.xml) Filip - Original Message - From: "Mufaddal Khumri" <[EMAIL PROTECTED]> To: "Tomcat Users List" <[EMAIL PROTECTED]> Sent: Tuesday, January 20, 2004 2:27 PM Subject: How to set session timeout? From where can you set the session timeout ? In other words where in Tomcat can you control the session timeout ? Thanks - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: How to set session timeout?
in web.xml in your web application (WEB-INF/web.xml) Filip - Original Message - From: "Mufaddal Khumri" <[EMAIL PROTECTED]> To: "Tomcat Users List" <[EMAIL PROTECTED]> Sent: Tuesday, January 20, 2004 2:27 PM Subject: How to set session timeout? > From where can you set the session timeout ? In other words where in > Tomcat can you control the session timeout ? > > Thanks > > > - > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
How to set session timeout?
From where can you set the session timeout ? In other words where in Tomcat can you control the session timeout ? Thanks - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Session timeout
Perhaps because in the web.xml you specify the value in minutes, and in the code the method getMaxInactiveInterval() retrieves the time in seconds?? ;-) Vitor Chris Wahl wrote: >Hi,all > >I am using TC4.0.6, >After I setting session timeout to -1 by adding following in >web.xml: > > >-1 > > >In a servlet of the same web module I get such interesting output: > >hs.getMaxInactiveInterval() = -60 // hs is HttpSession > >My question is, why "-1" is replaced by "-60"? > >Regards >Chris > > > > - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Session timeout
Hi,all I am using TC4.0.6, After I setting session timeout to -1 by adding following in web.xml: -1 In a servlet of the same web module I get such interesting output: hs.getMaxInactiveInterval() = -60 // hs is HttpSession My question is, why "-1" is replaced by "-60"? Regards Chris
RE: Warning of session timeout.
No sorry, was just an idea :( > -Original Message- > From: Michael Cardon [mailto:[EMAIL PROTECTED] > Sent: 07 Януари 2004 г. 17:51 > To: Tomcat Users List > Subject: RE: Warning of session timeout. > > > Do you know of any Java Applets out there that I could look > at for examples? > > Thanks. > > Michael > > -Original Message- > From: Altankov Peter [mailto:[EMAIL PROTECTED] > Sent: Wednesday, January 07, 2004 6:23 AM > To: Tomcat Users List > Subject: RE: Warning of session timeout. > > > And ofcourse, if you don’t like the simple solutions and/or > want to add more complex behaviour, you can always go for a > Java Applet that connects to the server > > -Original Message- > From: Michael Cardon [mailto:[EMAIL PROTECTED] > Sent: 06 Януари 2004 г. 20:04 > To: Tomcat Users List > Subject: Warning of session timeout. > > > Hello, > > When I'm doing online banking over the internet, I get a > popup notice telling me my session is about to expire and > asking me if I want to stay logged in or not. > > How do they do this? I would like to offer the same kind of > message on our web site to our users when the session is > about to expire. Anyone know how this is done? > > Thanks. > > Michael > > > - > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > > > > - > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > > > - > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > > - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Warning of session timeout.
Do you know of any Java Applets out there that I could look at for examples? Thanks. Michael -Original Message- From: Altankov Peter [mailto:[EMAIL PROTECTED] Sent: Wednesday, January 07, 2004 6:23 AM To: Tomcat Users List Subject: RE: Warning of session timeout. And ofcourse, if you don’t like the simple solutions and/or want to add more complex behaviour, you can always go for a Java Applet that connects to the server -Original Message- From: Michael Cardon [mailto:[EMAIL PROTECTED] Sent: 06 Януари 2004 г. 20:04 To: Tomcat Users List Subject: Warning of session timeout. Hello, When I'm doing online banking over the internet, I get a popup notice telling me my session is about to expire and asking me if I want to stay logged in or not. How do they do this? I would like to offer the same kind of message on our web site to our users when the session is about to expire. Anyone know how this is done? Thanks. Michael - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Warning of session timeout.
And ofcourse, if you don’t like the simple solutions and/or want to add more complex behaviour, you can always go for a Java Applet that connects to the server -Original Message- From: Michael Cardon [mailto:[EMAIL PROTECTED] Sent: 06 Януари 2004 г. 20:04 To: Tomcat Users List Subject: Warning of session timeout. Hello, When I'm doing online banking over the internet, I get a popup notice telling me my session is about to expire and asking me if I want to stay logged in or not. How do they do this? I would like to offer the same kind of message on our web site to our users when the session is about to expire. Anyone know how this is done? Thanks. Michael - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Warning of session timeout.
Howdy, Probably a simple javascript function that fires off a popup a few minutes before the configured session timeout. Trivial (and not specific to java) to implement. Yoav Shapira Millennium ChemInformatics >-Original Message- >From: Michael Cardon [mailto:[EMAIL PROTECTED] >Sent: Tuesday, January 06, 2004 1:04 PM >To: Tomcat Users List >Subject: Warning of session timeout. > >Hello, > >When I'm doing online banking over the internet, I get a popup notice >telling me my session is about to expire and asking me if I want to stay >logged in or not. > >How do they do this? I would like to offer the same kind of message on our >web site to our users when the session is about to expire. Anyone know how >this is done? > >Thanks. > >Michael > > >- >To unsubscribe, e-mail: [EMAIL PROTECTED] >For additional commands, e-mail: [EMAIL PROTECTED] This e-mail, including any attachments, is a confidential business communication, and may contain information that is confidential, proprietary and/or privileged. This e-mail is intended only for the individual(s) to whom it is addressed, and may not be saved, copied, printed, disclosed or used by anyone else. If you are not the(an) intended recipient, please immediately delete this e-mail from your computer system and notify the sender. Thank you. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Warning of session timeout.
I guess you could get the desired result using JavaScript locally to count down from when the page is last sent. Just a suggestion. Best regards Chris - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Warning of session timeout.
Hello, When I'm doing online banking over the internet, I get a popup notice telling me my session is about to expire and asking me if I want to stay logged in or not. How do they do this? I would like to offer the same kind of message on our web site to our users when the session is about to expire. Anyone know how this is done? Thanks. Michael - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Setting session timeout when using SingleSignOn
Hi, I can increase the session timeout for a webapp by putting the following in the webapp's web.xml file: 120 I can get SingleSignOn is working so that I can move between webapps without logging in to each. The probelm is that once I turn on SingleSignOn my sessions are timing out in much less than 120 minutes. Is there any way to get both session timeouts and SingleSignOn to work at the same time? Richard - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: definition/usage of session-timeout?
At 07:08 AM 11/25/2003, you wrote: Ben, Thanks for the reply. But I'm still unclear on why setting the timeout won't work for my situation. What is the difference between an effectively idle session timing out, and "cancelling" a request? Of course I agree that fixing the root problem would be preferable, but it's extremely hard to diagnose. Putting in println's everywhere would in my case generate huge log file sizes, and I'll only try that as a last resort. Can anyone suggest a different technique for simulating an "inactive" session, so that I can get to work? If your servlet is hanging, you need to find out what it's hanging on. Get a thread dump from your JVM when your server is hung (or your request is hung) and it should be obvious what is going on (thread dump commands vary by platform -- see your JVM docs). From what I've heard from you so far, this has absolutely nothing to do with session timeouts. justin - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: definition/usage of session-timeout?
A session timeout just means that the next time you hit the site with the same
browser, you will be assigned a new JSPSessionID to bind that transaction
with your session object. It would do nothing to stop a request that's hung.
Think of a "request" as one hit to a server and a "session" as several hits
over a given period of time.
What you're looking for is a "script timeout" which, to the best of my
knowlege, doesn't exist in the servlet spec.
On Tuesday 25 November 2003 10:08 am, Ron W. wrote:
> Ben,
>Thanks for the reply. But I'm still unclear on why setting the timeout
> won't work for my situation. What is the difference between an effectively
> idle session timing out, and "cancelling" a request?
>
> Of course I agree that fixing the root problem would be preferable, but
> it's extremely hard to diagnose. Putting in println's everywhere would in
> my case generate huge log file sizes, and I'll only try that as a last
> resort.
>
> Can anyone suggest a different technique for simulating an "inactive"
> session, so that I can get to work?
>
>
> thanks,
>
> -Ron
>
> --
> Ben Souther wrote:
>
> JSP/Servlet technology uses a solution called the HttpSession to overcome
> the limitations of the stateless HTTP protocol.
>
> Tomcat uses cookies to map a particular web user to his/her session object.
> The developer can bind objects to a user's session object and then retrieve
> them on subsequent hits from that user's browser. The session-timeout
> attribute allows you to explicitly set the length of your webapps sessions.
> The default is 30 mins.
>
> You're trying cancel a particular request. I don't think that can be done
> in tomcat (someone will correct me if I'm wrong). Even if it could, it
> would be better to get to the root of the problem and fix that.
>
> Try putting a bunch of System.out.println(" ") statements in your
> code, tail the catalina log, and hit your app to find out which line of
> code is causing it to hang.
>
> The catalina.log file is in TOMCAT_HOME/logs. All standard out and
> standard error messages get routed to there by default.
>
> The Unix tail command with the -f option will allow you to watch the
> logfile as it is being written to, in real time.
>
> -Ben
>
> --------
> Original message:
>
> Hi,
> I'm a relatively new Tomcat user, running 4.0.4 (testing on Windows,
> deploying on Sun UNIX). The UNIX servlet is having rare problems
> "hanging", for which the exact cause is unknown.
>
> I'm trying to see if a session timeout can solve the problem, but have not
> been able to get it to work. Numerous archives talk about this, and it
> seems like I'm doing what everyone suggests, but it's not working.
>
> In my web.xml file, I have the following, as a test of one-minute timeout:
>
>
> 1
>
>
> I have made a call the HttpSession.getMaxInactiveInterval, and it returns
> 60 (seconds, I presume), so I believe the parameter is being applied. I
> have tried 2 different approaches to simulate an "inactive" server:
>
> 1) Manually update a database row (but don't commit) before the servlet
> call, then have the servlet try to update the same row 2) Use
> Thread.sleep(12)
>
> In both cases, the 1 minute timeout doesn't do anything. So what
> constitutes an "inactive" session, for which this parameter was designed?
> If it likely won't solve my problem, does anyone have an idea on how I can
> kill the request after a given amount of time?
>
>
> much thanks,
>
> -Ron
>
>
> -
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
--
Ben Souther
F.W. Davison & Company, Inc.
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Re: definition/usage of session-timeout?
Ben,
Thanks for the reply. But I'm still unclear on why setting the timeout won't work
for my situation. What is the difference between an effectively idle session timing
out, and "cancelling" a request?
Of course I agree that fixing the root problem would be preferable, but it's extremely
hard to diagnose. Putting in println's everywhere would in my case generate huge log
file sizes, and I'll only try that as a last resort.
Can anyone suggest a different technique for simulating an "inactive" session, so that
I can get to work?
thanks,
-Ron
--
Ben Souther wrote:
JSP/Servlet technology uses a solution called the HttpSession to overcome the
limitations of the stateless HTTP protocol.
Tomcat uses cookies to map a particular web user to his/her session object.
The developer can bind objects to a user's session object and then retrieve
them on subsequent hits from that user's browser. The session-timeout
attribute allows you to explicitly set the length of your webapps sessions.
The default is 30 mins.
You're trying cancel a particular request. I don't think that can be done in
tomcat (someone will correct me if I'm wrong). Even if it could, it would be
better to get to the root of the problem and fix that.
Try putting a bunch of System.out.println(" ") statements in your code,
tail the catalina log, and hit your app to find out which line of code is
causing it to hang.
The catalina.log file is in TOMCAT_HOME/logs. All standard out and standard
error messages get routed to there by default.
The Unix tail command with the -f option will allow you to watch the logfile
as it is being written to, in real time.
-Ben
Original message:
Hi,
I'm a relatively new Tomcat user, running 4.0.4 (testing on Windows, deploying on
Sun UNIX). The UNIX servlet is having rare problems "hanging", for which the exact
cause is unknown.
I'm trying to see if a session timeout can solve the problem, but have not been able
to get it to work. Numerous archives talk about this, and it seems like I'm doing
what everyone suggests, but it's not working.
In my web.xml file, I have the following, as a test of one-minute timeout:
1
I have made a call the HttpSession.getMaxInactiveInterval, and it returns 60 (seconds,
I presume), so I believe the parameter is being applied. I have tried 2 different
approaches to simulate an "inactive" server:
1) Manually update a database row (but don't commit) before the servlet call, then
have the servlet try to update the same row
2) Use Thread.sleep(12)
In both cases, the 1 minute timeout doesn't do anything. So what constitutes an
"inactive" session, for which this parameter was designed? If it likely won't solve
my problem, does anyone have an idea on how I can kill the request after a given
amount of time?
much thanks,
-Ron
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Re: definition/usage of session-timeout?
JSP/Servlet technology uses a solution called the HttpSession to overcome the
limitations of the stateless HTTP protocol.
Tomcat uses cookies to map a particular web user to his/her session object.
The developer can bind objects to a user's session object and then retrieve
them on subsequent hits from that user's browser. The session-timeout
attribute allows you to explicitly set the length of your webapps sessions.
The default is 30 mins.
You're trying cancel a particular request. I don't think that can be done in
tomcat (someone will correct me if I'm wrong). Even if it could, it would be
better to get to the root of the problem and fix that.
Try putting a bunch of System.out.println(" ") statements in your code,
tail the catalina log, and hit your app to find out which line of code is
causing it to hang.
The catalina.log file is in TOMCAT_HOME/logs. All standard out and standard
error messages get routed to there by default.
The Unix tail command with the -f option will allow you to watch the logfile
as it is being written to, in real time.
-Ben
On Monday 24 November 2003 07:00 pm, you wrote:
> Hi,
> I'm a relatively new Tomcat user, running 4.0.4 (testing on Windows,
> deploying on Sun UNIX). The UNIX servlet is having rare problems
> "hanging", for which the exact cause is unknown.
>
> I'm trying to see if a session timeout can solve the problem, but have not
> been able to get it to work. Numerous archives talk about this, and it
> seems like I'm doing what everyone suggests, but it's not working.
>
> In my web.xml file, I have the following, as a test of one-minute timeout:
>
>
> 1
>
>
> I have made a call the HttpSession.getMaxInactiveInterval, and it returns
> 60 (seconds, I presume), so I believe the parameter is being applied. I
> have tried 2 different approaches to simulate an "inactive" server:
>
> 1) Manually update a database row (but don't commit) before the servlet
> call, then have the servlet try to update the same row 2) Use
> Thread.sleep(12)
>
> In both cases, the 1 minute timeout doesn't do anything. So what
> constitutes an "inactive" session, for which this parameter was designed?
> If it likely won't solve my problem, does anyone have an idea on how I can
> kill the request after a given amount of time?
>
>
> much thanks,
>
> -Ron
>
> -
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
definition/usage of session-timeout?
Hi, I'm a relatively new Tomcat user, running 4.0.4 (testing on Windows, deploying on Sun UNIX). The UNIX servlet is having rare problems "hanging", for which the exact cause is unknown. I'm trying to see if a session timeout can solve the problem, but have not been able to get it to work. Numerous archives talk about this, and it seems like I'm doing what everyone suggests, but it's not working. In my web.xml file, I have the following, as a test of one-minute timeout: 1 I have made a call the HttpSession.getMaxInactiveInterval, and it returns 60 (seconds, I presume), so I believe the parameter is being applied. I have tried 2 different approaches to simulate an "inactive" server: 1) Manually update a database row (but don't commit) before the servlet call, then have the servlet try to update the same row 2) Use Thread.sleep(12) In both cases, the 1 minute timeout doesn't do anything. So what constitutes an "inactive" session, for which this parameter was designed? If it likely won't solve my problem, does anyone have an idea on how I can kill the request after a given amount of time? much thanks, -Ron - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: How do i handle session-timeout in an acceptable manner?
> -Original Message- > From: Hayo Schmidt [mailto:[EMAIL PROTECTED] > Sent: Wednesday, October 08, 2003 11:07 AM > To: Tomcat Users List > Subject: Re: How do i handle session-timeout in an acceptable manner? > > > Shapira, Yoav schrieb: > > >>>I have implemented this workaround: > >>> > >>> > > > >As for this workaround, why wouldn't it work with future tomcat > >versions? There's nothing tomcat-specific in it, much less tomcat > >4.1.x-specific. > > > >Yoav Shapira > > > > > > > A different servlet engine could use a POST instead of a GET > to continue > processing after form based login. Then my solution would not work. But wasn't that your original problem? If a different servlet engine uses POST, then all is good, your application will not fail, because the container-managed AUTH does not inappropriately GET the page. Containers that POST will follow the 'happy path' coded in your doPost() methods. When you use a container that GETs, like Tomcat, then your workaround will work for those containers. > > Hayo Schmidt > > > - > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: How do i handle session-timeout in an acceptable manner?
Shapira, Yoav schrieb: I have implemented this workaround: As for this workaround, why wouldn't it work with future tomcat versions? There's nothing tomcat-specific in it, much less tomcat 4.1.x-specific. Yoav Shapira A different servlet engine could use a POST instead of a GET to continue processing after form based login. Then my solution would not work. Hayo Schmidt - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: auto refresh pages and session timeout
Hi There, Please find attached. Basically I used a listener add the created session to a Vector. That session is also added to the timer task, along with a timeout period. The sessionInactivityMonitor is used as a session bean, the timer task is static. basically every timer a page request was received the controllers id is passed in along with the action. Hope this helps Thanks Pete -Original Message- From: Mark W. Webb [mailto:[EMAIL PROTECTED] Sent: 07 October 2003 14:49 To: Tomcat Users List Subject: Re: auto refresh pages and session timeout I would like to see the code. Thank you. Peter Guyatt wrote: >Hi There, > > I had a similar problem and basically started an internal timer that was >only reset if the page requested was not the same as the previous page. > >I could forward you the code if required. > >Thanks > >Pete > >-Original Message- >From: David Rees [mailto:[EMAIL PROTECTED] >Sent: 06 October 2003 21:51 >To: [EMAIL PROTECTED] >Subject: Re: auto refresh pages and session timeout > > >On Mon, October 6, 2003 1at 1:12 am, Mark W. Webb sent the following > > >>Is there a way to implement "" >> >> >tag in HTML and still have the ability to timeout a session after X >number of minutes ? Would there have to be some logic in place for the >servlet that changes the session timeout for every refresh? > >Changing the JSP to not use a session might work: > ><[EMAIL PROTECTED] session="false"%> > >-Dave > > > > >- >To unsubscribe, e-mail: [EMAIL PROTECTED] >For additional commands, e-mail: [EMAIL PROTECTED] > > >- >To unsubscribe, e-mail: [EMAIL PROTECTED] >For additional commands, e-mail: [EMAIL PROTECTED] > > - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: auto refresh pages and session timeout
I would like to see the code. Thank you. Peter Guyatt wrote: Hi There, I had a similar problem and basically started an internal timer that was only reset if the page requested was not the same as the previous page. I could forward you the code if required. Thanks Pete -Original Message- From: David Rees [mailto:[EMAIL PROTECTED] Sent: 06 October 2003 21:51 To: [EMAIL PROTECTED] Subject: Re: auto refresh pages and session timeout On Mon, October 6, 2003 1at 1:12 am, Mark W. Webb sent the following Is there a way to implement "" tag in HTML and still have the ability to timeout a session after X number of minutes ? Would there have to be some logic in place for the servlet that changes the session timeout for every refresh? Changing the JSP to not use a session might work: <[EMAIL PROTECTED] session="false"%> -Dave - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: auto refresh pages and session timeout
Hi There, I had a similar problem and basically started an internal timer that was only reset if the page requested was not the same as the previous page. I could forward you the code if required. Thanks Pete -Original Message- From: David Rees [mailto:[EMAIL PROTECTED] Sent: 06 October 2003 21:51 To: [EMAIL PROTECTED] Subject: Re: auto refresh pages and session timeout On Mon, October 6, 2003 1at 1:12 am, Mark W. Webb sent the following > Is there a way to implement "" tag in HTML and still have the ability to timeout a session after X number of minutes ? Would there have to be some logic in place for the servlet that changes the session timeout for every refresh? Changing the JSP to not use a session might work: <[EMAIL PROTECTED] session="false"%> -Dave - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: auto refresh pages and session timeout
On Mon, October 6, 2003 1at 1:12 am, Mark W. Webb sent the following > Is there a way to implement "" tag in HTML and still have the ability to timeout a session after X number of minutes ? Would there have to be some logic in place for the servlet that changes the session timeout for every refresh? Changing the JSP to not use a session might work: <[EMAIL PROTECTED] session="false"%> -Dave - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
auto refresh pages and session timeout
Is there a way to implement "" tag in HTML and still have the ability to timeout a session after X number of minutes ? Would there have to be some logic in place for the servlet that changes the session timeout for every refresh? thanks. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: How do i handle session-timeout in an acceptable manner?
Howdy, >> The problem with your solution is, that the application does not know >> where to continue after the login page. This will result in an error. >If you want your login page to redirect you back to the page that the >user timed out on, then why don't you just add a hint to the login url >so that after the user has logged in, then your application will know >where to redirect them. That's what I was thinking as well. Not to mention that the login page itself can look at the referrer header. >> I have implemented this workaround: As for this workaround, why wouldn't it work with future tomcat versions? There's nothing tomcat-specific in it, much less tomcat 4.1.x-specific. Yoav Shapira This e-mail, including any attachments, is a confidential business communication, and may contain information that is confidential, proprietary and/or privileged. This e-mail is intended only for the individual(s) to whom it is addressed, and may not be saved, copied, printed, disclosed or used by anyone else. If you are not the(an) intended recipient, please immediately delete this e-mail from your computer system and notify the sender. Thank you. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: How do i handle session-timeout in an acceptable manner?
> The problem with your solution is, that the application does not know
> where to continue after the login page. This will result in an error.
If you want your login page to redirect you back to the page that the
user timed out on, then why don't you just add a hint to the login url
so that after the user has logged in, then your application will know
where to redirect them.
>
> I have implemented this workaround:
>
> protected void doGet(
> HttpServletRequest httpServletRequest,
> HttpServletResponse httpServletResponse)
> throws ServletException, IOException {
>
> String reqURI = httpServletRequest.getRequestURI();
> if ((reqURI.indexOf("/actions/") != -1)) {
> // Calling of 'actions' via get is not allowed
> String referer = httpServletRequest.getHeader("referer");
> if ((referer != null) &&
> (referer.endsWith("/loginpage.jsp))) {
> // if this happens, we probably had a Time-Out
> RequestDispatcher dispatcher =
> getServletContext().getRequestDispatcher("/timeout_info.jsp");
>
> dispatcher.forward(httpServletRequest,
> httpServletResponse);
> } else {
> throw new ServletException("Action forbidden.");
> }
> } else {
> // Call shared, standard request processing code.
> processRequest(httpServletRequest, httpServletResponse);
> }
> }
>
> What it does: if there is a get call to an URL that should be
> called as
> post, and the referer is the login page, then forward the request to
> some kind of informational message.
>
> Of course there can't be any guarantee this works with coming
> versions
> of Tomcat. So i would like to have an general solution.
>
> Hayo Schmidt
>
> ---------
>
> Shapira, Yoav wrote:
>
> >Howdy,
> >Here's an idea: add an HTML META refresh tag to each page whose
> >redirect URL is the login page and whose timeout is the
> session timeout
> >less a few seconds. That way the user will get redirected
> to the login
> >page before the session timeout -- they won't be able to press the
> >submit button.
> >
> >Yoav Shapira
> >Millennium ChemInformatics
> >
> >
> >
> >
> >>-Original Message-
> >>From: Hayo Schmidt [mailto:[EMAIL PROTECTED]
> >>Sent: Wednesday, October 01, 2003 11:16 AM
> >>To: Tomcat Users List
> >>Subject: How do i handle session-timeout in an acceptable manner?
> >>
> >>I have a built a web application on Tomcat 4.1.18. The
> application is
> >>running with a HTTPS connection. session-timeout is configured and
> >>
> >>
> >works
> >
> >
> >>so far. But i am absolutely not satisfied with what happens when a
> >>timeout occurs. The web application is configured for form based
> >>authentication. When the connection has timed out, the user is
> >>presented the login page when he does his next action. And,
> all data
> >>saved with the session are lost. Fine - i could live with that.
> >>
> >>But what happens in a real case:
> >>- The user waits too long - timeout.
> >>- The user pushes an INPUT type="submit" and creates a POST
> operation.
> >>- Tomcat redirects to the login page.
> >>- The user logs in.
> >>- Tomcat redirects to the original aim of the post
> operation, but he
> >>does it as a GET operation. Alternative 1:
> >>- My application does not allow get operations at this place ==>
> >>Application Error.
> >>Alternative 2:
> >>- The application allows the vulnerable get operation, but
> the button
> >>that was pushed is not passed anymore ==> Application Error.
> >>
> >>Now what can i do? I must interfere the session timeout to do an
> >>operation. Or i should be able to detemine that the current
> request is
> >>the first after a timeout. The way my application currently
> crashes is
> >>not acceptable.
> >>
> >>Hayo Schmidt
> >>
> >>
> >>
> -
> >>To unsubscribe, e-mail: [EMAIL PROTECTED]
> >>For additional commands, e-mail: [EMAIL PROTECTED]
> >>
> >>
> >
> >
> >
> >
> >This e-mail, including any attachments, is a
Re: How do i handle session-timeout in an acceptable manner?
The problem with your solution is, that the application does not know
where to continue after the login page. This will result in an error.
I have implemented this workaround:
protected void doGet(
HttpServletRequest httpServletRequest,
HttpServletResponse httpServletResponse)
throws ServletException, IOException {
String reqURI = httpServletRequest.getRequestURI();
if ((reqURI.indexOf("/actions/") != -1)) {
// Calling of 'actions' via get is not allowed
String referer = httpServletRequest.getHeader("referer");
if ((referer != null) && (referer.endsWith("/loginpage.jsp))) {
// if this happens, we probably had a Time-Out
RequestDispatcher dispatcher =
getServletContext().getRequestDispatcher("/timeout_info.jsp");
dispatcher.forward(httpServletRequest, httpServletResponse);
} else {
throw new ServletException("Action forbidden.");
}
} else {
// Call shared, standard request processing code.
processRequest(httpServletRequest, httpServletResponse);
}
}
What it does: if there is a get call to an URL that should be called as
post, and the referer is the login page, then forward the request to
some kind of informational message.
Of course there can't be any guarantee this works with coming versions
of Tomcat. So i would like to have an general solution.
Hayo Schmidt
-
Shapira, Yoav wrote:
Howdy,
Here's an idea: add an HTML META refresh tag to each page whose redirect
URL is the login page and whose timeout is the session timeout less a
few seconds. That way the user will get redirected to the login page
before the session timeout -- they won't be able to press the submit
button.
Yoav Shapira
Millennium ChemInformatics
-Original Message-
From: Hayo Schmidt [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 01, 2003 11:16 AM
To: Tomcat Users List
Subject: How do i handle session-timeout in an acceptable manner?
I have a built a web application on Tomcat 4.1.18. The application is
running with a HTTPS connection. session-timeout is configured and
works
so far. But i am absolutely not satisfied with what happens when a
timeout occurs.
The web application is configured for form based authentication. When
the connection has timed out, the user is presented the login page when
he does his next action. And, all data saved with the session are lost.
Fine - i could live with that.
But what happens in a real case:
- The user waits too long - timeout.
- The user pushes an INPUT type="submit" and creates a POST operation.
- Tomcat redirects to the login page.
- The user logs in.
- Tomcat redirects to the original aim of the post operation, but he
does it as a GET operation.
Alternative 1:
- My application does not allow get operations at this place ==>
Application Error.
Alternative 2:
- The application allows the vulnerable get operation, but the button
that was pushed is not passed anymore ==> Application Error.
Now what can i do? I must interfere the session timeout to do an
operation. Or i should be able to detemine that the current request is
the first after a timeout. The way my application currently crashes is
not acceptable.
Hayo Schmidt
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
This e-mail, including any attachments, is a confidential business communication, and may contain information that is confidential, proprietary and/or privileged. This e-mail is intended only for the individual(s) to whom it is addressed, and may not be saved, copied, printed, disclosed or used by anyone else. If you are not the(an) intended recipient, please immediately delete this e-mail from your computer system and notify the sender. Thank you.
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
RE: How do i handle session-timeout in an acceptable manner?
Howdy, Here's an idea: add an HTML META refresh tag to each page whose redirect URL is the login page and whose timeout is the session timeout less a few seconds. That way the user will get redirected to the login page before the session timeout -- they won't be able to press the submit button. Yoav Shapira Millennium ChemInformatics >-Original Message- >From: Hayo Schmidt [mailto:[EMAIL PROTECTED] >Sent: Wednesday, October 01, 2003 11:16 AM >To: Tomcat Users List >Subject: How do i handle session-timeout in an acceptable manner? > >I have a built a web application on Tomcat 4.1.18. The application is >running with a HTTPS connection. session-timeout is configured and works >so far. But i am absolutely not satisfied with what happens when a >timeout occurs. >The web application is configured for form based authentication. When >the connection has timed out, the user is presented the login page when >he does his next action. And, all data saved with the session are lost. >Fine - i could live with that. > >But what happens in a real case: >- The user waits too long - timeout. >- The user pushes an INPUT type="submit" and creates a POST operation. >- Tomcat redirects to the login page. >- The user logs in. >- Tomcat redirects to the original aim of the post operation, but he >does it as a GET operation. >Alternative 1: >- My application does not allow get operations at this place ==> >Application Error. >Alternative 2: >- The application allows the vulnerable get operation, but the button >that was pushed is not passed anymore ==> Application Error. > >Now what can i do? I must interfere the session timeout to do an >operation. Or i should be able to detemine that the current request is >the first after a timeout. The way my application currently crashes is >not acceptable. > >Hayo Schmidt > > >- >To unsubscribe, e-mail: [EMAIL PROTECTED] >For additional commands, e-mail: [EMAIL PROTECTED] This e-mail, including any attachments, is a confidential business communication, and may contain information that is confidential, proprietary and/or privileged. This e-mail is intended only for the individual(s) to whom it is addressed, and may not be saved, copied, printed, disclosed or used by anyone else. If you are not the(an) intended recipient, please immediately delete this e-mail from your computer system and notify the sender. Thank you. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
How do i handle session-timeout in an acceptable manner?
I have a built a web application on Tomcat 4.1.18. The application is running with a HTTPS connection. session-timeout is configured and works so far. But i am absolutely not satisfied with what happens when a timeout occurs. The web application is configured for form based authentication. When the connection has timed out, the user is presented the login page when he does his next action. And, all data saved with the session are lost. Fine - i could live with that. But what happens in a real case: - The user waits too long - timeout. - The user pushes an INPUT type="submit" and creates a POST operation. - Tomcat redirects to the login page. - The user logs in. - Tomcat redirects to the original aim of the post operation, but he does it as a GET operation. Alternative 1: - My application does not allow get operations at this place ==> Application Error. Alternative 2: - The application allows the vulnerable get operation, but the button that was pushed is not passed anymore ==> Application Error. Now what can i do? I must interfere the session timeout to do an operation. Or i should be able to detemine that the current request is the first after a timeout. The way my application currently crashes is not acceptable. Hayo Schmidt - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Session Timeout
I'm looking at the 2.3 spec right now. SRV 7.5 does say that the timeout set by setMaxInactiveInterval() is for inactivity. However, that section doesn't address the parameter. It does say that the default is up to the container. In SRV.13.3, the defines the default timeout. However, the word "inactivity" is interestingly missing from this description. It also specifies the ability to set the system to never timeout if the value is set to 0 or less. None of this explains why my session timed out after ~30 minutes of continuous activity by default or with the parameter set to 5 minutes. I must really be missing something. Everything everybody has said is reasonable and matches my expectations. However, it does not appear to match my experiments. I'll try some more. Thanks, G. Wade "Shapira, Yoav" wrote: > > Howdy, > The servlet specification is the only authority on this, misleading > books should be tossed aside. SRV.7.5 is clear, session timeout is for > inactivity, not total duration, as Senor Curwen opined. > > The first part of his message, using $CATALINA_HOME/conf/web.xml, I > would discourage, as it's non-standard. Stick to WEB-INF/web.xml, which > is standard and therefore portable across containers. > > Yoav Shapira > Millennium ChemInformatics > > >-Original Message- > >From: Mike Curwen [mailto:[EMAIL PROTECTED] > >Sent: Friday, September 05, 2003 10:05 AM > >To: 'Tomcat Users List' > >Subject: RE: Session Timeout > > > >anything you set in WEB-INF/web.xml can be set in > >CATALINA_HOME/conf/web.xml and these setting will be used on a global > >basis, unless overriden at a lower level. > > > >FWIW, I've always understood session-timeout to mean "after a period of > >inactivity". I mean really... how useful would sessions be if they > >logged you out after n minutes, no matter your activity level? Talk > >about frustrating! "It doesn't matter that you've been using my site > >continuosly for the past 30 minutes, I'm still kicking you off". That > >sounds like 'session-duration' to me. > > > > > > > >> -Original Message- > >> From: G. Wade Johnson [mailto:[EMAIL PROTECTED] > >> Sent: Friday, September 05, 2003 8:45 AM > >> To: Tomcat Users List > >> Subject: Re: Session Timeout > >> > >> > >> I'm using Tomcat 4.1.18 & 4.1.24 (two different machines). > >> The behavior is the same on both. As I said in my other > >> message, I was basing my questions on the documentation I had > >> read. Your response made me do a little testing. Now, I'm > >> even more confused. > >> > >> My assumption was based on information in "Professional Java > >> Servlets 2.3" by Wrox. In chapter 5, they explicitly state > >> that the value applies to lifetime, not > >> inactivity, (p. 240). > >> > >> I also checked with > >> http://developer.java.sun.com/developer/Books/javaserverpages/ > >> servlets_javaserver/servlets_javaserver05.pdf > >> > >> Section 5.10 describes that parameter as well. It does seem > >> to imply that we are talking about inactivity timeouts, but > >> the text is not actually explicit. It could be read either way. > >> > >> For my test, I set the to 5 minutes. If > >> this was a lifetime thing, my session should expire pretty > >> quickly. If not, it would last forever. (My servlet is being > >> queried by an applet on a regular basis.) > >> > >> The session did not expire after 5 minutes. It expired after > >> 30 minutes, just like it did before I added the . > >> > >> Any help would be appreciated. > >> G. Wade > >> > >> PS. Since the is located in web.xml, I > >> assume it is webapp-specific. Is there any way to set up a > >> timeout on multiple webapps? (Short of making a change for > >> each webapp.) I'm currently using single-sign-on to bring a > >> couple of webapps together into one app from the user's point of > view. > >> > >> > >> > >> Filip Hanik wrote: > >> > > >> > >I just found out that sessions on my webapp are > >> automatically being > >> > >logged out after some period of time. Even when they are > >> being used. > >> > > >> > this should not be the case should be the > >> inactivity > >> > timeout what version of tomcat? > >> &g
Re: Session Timeout
That's actually why I was floored when my applet was kicked back to the login form after half an hours of continuous activity. Mike Curwen wrote: > > anything you set in WEB-INF/web.xml can be set in > CATALINA_HOME/conf/web.xml and these setting will be used on a global > basis, unless overriden at a lower level. > > FWIW, I've always understood session-timeout to mean "after a period of > inactivity". I mean really... how useful would sessions be if they > logged you out after n minutes, no matter your activity level? Talk > about frustrating! "It doesn't matter that you've been using my site > continuosly for the past 30 minutes, I'm still kicking you off". That > sounds like 'session-duration' to me. > > > > -Original Message- > > From: G. Wade Johnson [mailto:[EMAIL PROTECTED] > > Sent: Friday, September 05, 2003 8:45 AM > > To: Tomcat Users List > > Subject: Re: Session Timeout > > > > > > I'm using Tomcat 4.1.18 & 4.1.24 (two different machines). > > The behavior is the same on both. As I said in my other > > message, I was basing my questions on the documentation I had > > read. Your response made me do a little testing. Now, I'm > > even more confused. > > > > My assumption was based on information in "Professional Java > > Servlets 2.3" by Wrox. In chapter 5, they explicitly state > > that the value applies to lifetime, not > > inactivity, (p. 240). > > > > I also checked with > > http://developer.java.sun.com/developer/Books/javaserverpages/ > > servlets_javaserver/servlets_javaserver05.pdf > > > > Section 5.10 describes that parameter as well. It does seem > > to imply that we are talking about inactivity timeouts, but > > the text is not actually explicit. It could be read either way. > > > > For my test, I set the to 5 minutes. If > > this was a lifetime thing, my session should expire pretty > > quickly. If not, it would last forever. (My servlet is being > > queried by an applet on a regular basis.) > > > > The session did not expire after 5 minutes. It expired after > > 30 minutes, just like it did before I added the . > > > > Any help would be appreciated. > > G. Wade > > > > PS. Since the is located in web.xml, I > > assume it is webapp-specific. Is there any way to set up a > > timeout on multiple webapps? (Short of making a change for > > each webapp.) I'm currently using single-sign-on to bring a > > couple of webapps together into one app from the user's point of view. > > > > > > > > Filip Hanik wrote: > > > > > > >I just found out that sessions on my webapp are > > automatically being > > > >logged out after some period of time. Even when they are > > being used. > > > > > > this should not be the case should be the > > inactivity > > > timeout what version of tomcat? > > > Filip > > > > > > - Original Message - > > > From: "G. Wade Johnson" <[EMAIL PROTECTED]> > > > To: "Tomcat Users List" <[EMAIL PROTECTED]> > > > Sent: Thursday, September 04, 2003 2:36 PM > > > Subject: Session Timeout > > > > > > I've just been surprised by something that I thought I understood. > > > > > > I just found out that sessions on my webapp are automatically being > > > logged out after some period of time. Even when they are being used. > > > > > > >From reading the docs, it appears that the normal timeout > > behavior is > > > to terminate any session that has lived longer than n > > minutes. Is this > > > correct? > > > > > > Also there appears to be a element that > > allows you > > > to set the length of this timeout. > > > > > > However, if I am reading the documentation correctly, the > > only way to > > > set an "inactivity timeout" is programmatically? (I > > actually thought > > > the "session-timeout" was an "inactivity timeout".) > > > > > > How is the best way to go about adding this feature? Is the > > > HttpSessionListener interface the best way to go? > > > > > > Thanks, > > > G. Wade > > > > > > > > - > > > To unsubscribe, e-mail: [EMAIL PROTECTED] > > > For additional commands, e-mail: [EMAIL PROTECTED] > > > > > > > > - > > > To unsubscribe, e-mail: [EMAIL PROTECTED] > > > For additional commands, e-mail: [EMAIL PROTECTED] > > > > - > > To unsubscribe, e-mail: [EMAIL PROTECTED] > > For additional commands, e-mail: [EMAIL PROTECTED] > > > > - > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Session Timeout
Howdy, The servlet specification is the only authority on this, misleading books should be tossed aside. SRV.7.5 is clear, session timeout is for inactivity, not total duration, as Senor Curwen opined. The first part of his message, using $CATALINA_HOME/conf/web.xml, I would discourage, as it's non-standard. Stick to WEB-INF/web.xml, which is standard and therefore portable across containers. Yoav Shapira Millennium ChemInformatics >-Original Message- >From: Mike Curwen [mailto:[EMAIL PROTECTED] >Sent: Friday, September 05, 2003 10:05 AM >To: 'Tomcat Users List' >Subject: RE: Session Timeout > >anything you set in WEB-INF/web.xml can be set in >CATALINA_HOME/conf/web.xml and these setting will be used on a global >basis, unless overriden at a lower level. > >FWIW, I've always understood session-timeout to mean "after a period of >inactivity". I mean really... how useful would sessions be if they >logged you out after n minutes, no matter your activity level? Talk >about frustrating! "It doesn't matter that you've been using my site >continuosly for the past 30 minutes, I'm still kicking you off". That >sounds like 'session-duration' to me. > > > >> -Original Message- >> From: G. Wade Johnson [mailto:[EMAIL PROTECTED] >> Sent: Friday, September 05, 2003 8:45 AM >> To: Tomcat Users List >> Subject: Re: Session Timeout >> >> >> I'm using Tomcat 4.1.18 & 4.1.24 (two different machines). >> The behavior is the same on both. As I said in my other >> message, I was basing my questions on the documentation I had >> read. Your response made me do a little testing. Now, I'm >> even more confused. >> >> My assumption was based on information in "Professional Java >> Servlets 2.3" by Wrox. In chapter 5, they explicitly state >> that the value applies to lifetime, not >> inactivity, (p. 240). >> >> I also checked with >> http://developer.java.sun.com/developer/Books/javaserverpages/ >> servlets_javaserver/servlets_javaserver05.pdf >> >> Section 5.10 describes that parameter as well. It does seem >> to imply that we are talking about inactivity timeouts, but >> the text is not actually explicit. It could be read either way. >> >> For my test, I set the to 5 minutes. If >> this was a lifetime thing, my session should expire pretty >> quickly. If not, it would last forever. (My servlet is being >> queried by an applet on a regular basis.) >> >> The session did not expire after 5 minutes. It expired after >> 30 minutes, just like it did before I added the . >> >> Any help would be appreciated. >> G. Wade >> >> PS. Since the is located in web.xml, I >> assume it is webapp-specific. Is there any way to set up a >> timeout on multiple webapps? (Short of making a change for >> each webapp.) I'm currently using single-sign-on to bring a >> couple of webapps together into one app from the user's point of view. >> >> >> >> Filip Hanik wrote: >> > >> > >I just found out that sessions on my webapp are >> automatically being >> > >logged out after some period of time. Even when they are >> being used. >> > >> > this should not be the case should be the >> inactivity >> > timeout what version of tomcat? >> > Filip >> > >> > - Original Message - >> > From: "G. Wade Johnson" <[EMAIL PROTECTED]> >> > To: "Tomcat Users List" <[EMAIL PROTECTED]> >> > Sent: Thursday, September 04, 2003 2:36 PM >> > Subject: Session Timeout >> > >> > I've just been surprised by something that I thought I understood. >> > >> > I just found out that sessions on my webapp are automatically being >> > logged out after some period of time. Even when they are being used. >> > >> > >From reading the docs, it appears that the normal timeout >> behavior is >> > to terminate any session that has lived longer than n >> minutes. Is this >> > correct? >> > >> > Also there appears to be a element that >> allows you >> > to set the length of this timeout. >> > >> > However, if I am reading the documentation correctly, the >> only way to >> > set an "inactivity timeout" is programmatically? (I >> actually thought >> > the "session-timeout" was an "inactivity timeout".) >> > >> > How is the best way to go abo
