Chris,

On 3/18/14, 7:31 AM, chris derham wrote:
>> It is not feasible to determine the difference between a
>> timed-out session and a user who had no session to begin with.
>
> Couldn't you use the presence/absence of a session id cookie?

Not really. What's the difference between a JSESSIONID being there 2 minutes after a /true/ session time-out versus one that the client is sending 30 days after the session time-out? There are so many reasons that the client and server can get out of sync with (non-stored, as is the default) cookies that you really can't make any real guesses about the true state of the world. All you know is that a client-requested session id does match a currently-valid session.

Remember that you can't trust anything that the client sends you, really.

-chris
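An added example (not from the thread) showing what the Servlet API actually lets a filter observe; it assumes the javax.servlet API as shipped with Tomcat of this era, and the attribute name `session.state` is a hypothetical choice:

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

/**
 * The only trustworthy fact about a session id the client presents is
 * whether it matches a currently-valid session. A stale JSESSIONID and a
 * missing JSESSIONID therefore get the same classification.
 */
public class SessionStateFilter implements Filter {

    /** Hypothetical request attribute under which the classification is stored. */
    static final String STATE_ATTR = "session.state";

    /** Classify a request using only what the container can verify. */
    static String classify(HttpServletRequest req) {
        String requested = req.getRequestedSessionId(); // from cookie/URL, or null
        if (requested == null) {
            return "NO_SESSION";           // client sent no id at all
        }
        if (req.isRequestedSessionIdValid()) {
            return "VALID";                // id maps to a live session in this context
        }
        // An id was presented but matches no live session. Timed out two
        // minutes ago, a cookie from 30 days ago, a restarted server, or a
        // made-up value: the server cannot tell these apart, so do not guess.
        return "NO_SESSION";
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        // Downstream code reads the attribute instead of peeking at the cookie.
        req.setAttribute(STATE_ATTR, classify(req));
        chain.doFilter(request, response);
    }

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }
}
```

Code that needs a session should then call `getSession(true)` and let the container issue a fresh id, rather than treating the presence of a JSESSIONID cookie as evidence of a prior session.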