Thanks to Mark and Chris for all suggestions. I thing that a will follow th Chris suggestion to re-architect my session.
I was attracted by this piece of code in Re: Tomcat Realm Auto-Relogin after Session-Timeout Problem lynckmeister Wed, 11 Feb 2009 06:32:43 -0800 public class SessionTimeoutFilter implements Filter { private final Log logger = LogFactory.getLog(SessionTimeoutFilter.class); private String timeoutPage = "timeout.html"; public void init(FilterConfig filterConfig) throws ServletException { } public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain) throws IOException, ServletException { if ((request instanceof HttpServletRequest) && (response instanceof HttpServletResponse)) { HttpServletRequest httpServletRequest = (HttpServletRequest) request; HttpServletResponse httpServletResponse = (HttpServletResponse) response; // is session expired control required for this request? if (isSessionControlRequiredForThisResource(httpServletRequest)) { String requestedID = httpServletRequest.getRequestedSessionId(); // is session invalid? HttpSession session = httpServletRequest.getSession(); String sID = session.getId(); String nochmalID = httpServletRequest.getQueryString(); // ok this is allways false , means the session is allways valid. sure it is, but its a new one ! boolean isSessionInValid = (requestedID != null)&& !httpServletRequest.isRequestedSessionIdValid(); Object testObject = session.getAttribute("ISVALID"); // here I tried some things... the isSessionInValid flag doesnt help b/c the session is allways valid // the testObject is allways null b/c if the user comes from the loginpage the user is not set in the first time // with the code like this, we're allways redirected in an constant loop. // besides that I think redirection is not the right way to handle , I mean, // i feel the right solution would recognize that the session is not in a proper state and than // delete the request wich allways causes in that crash. but how? and wich restored information exactly is the wrong one ? if (testObject == null /*&& isSessionInValid*/ ) { String timeoutUrl = httpServletRequest.getContextPath() + "/" + getTimeoutPage(); logger .info("session is invalid! redirecting to timeoutpage : " + timeoutUrl); and in particular: String requestedID = httpServletRequest.getRequestedSessionId(); HttpSession session = httpServletRequest.getSession(); String sID = session.getId(); so i thought that was possible to 'trigger' a re-logon after timeout plus the reference of both expired session (requestedID) and new session (sID); if there was a way to copy some attributes from the old session to the new one i solved my problem. But seems to me that the old session non more exists at this point of the request flow. Is this true? Alberto. -- View this message in context: http://www.nabble.com/Re%3A-Tomcat-Realm-Auto-Relogin-after-Session-Timeout-Problem-tp25479941p25507329.html Sent from the Tomcat - User mailing list archive at Nabble.com. --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org