A couple of issues:
We've set our session expiration to 12 hours (I know it's long) and
we're seeing behavior where certain browsers (namely IE) apparently
can't count that high (we set the meta Refresh header but the page
doesn't reload after the allotted time, session expiration time + 20
minutes).
Since this issue was discovered, we've added background AJAX timers on
some of our web pages that refresh (authenticated) content. While this
happily works, unfortunately, if the user chooses to remain on one of
these pages, and then goes on vacation, the session stays active because
the AJAX calls keep the session alive.
Our first attempt at a solution was to have a JavaScript counter that,
after every 20 minutes, incremented a counter and if that counter ever
got to 37, we knew that the user hadn't changed web pages and we could
log them out (window.location = <logout URL>. The problem is that this
doesn't appear to work either and additionally, it relies on JavaScript
bypassing Tomcat's built-in features. User's cannot log in w/o having
JavaScript enabled, so it's not a matter of a user potentially disabling
it, rather it puts the onus on the browser to inform the server that the
user's session needs to be expired.
Does anyone have experience in this area and if so, how have you solved
this problem? I know Google uses AJAX with their Gmail webapp, but they
don't seem to care about not expiring the user's session. Any help
would be appreciated.
Thanks,
--adam
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
