-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Josh,
On 7/13/2011 2:14 PM, Josh Simmons wrote: > We tried to set the cookie max age to 3 hours, the exact same time as > our session timeout. So, this is a non-session cookie? > However, I was extremely surprised that the session cookie didn't > get updated on every request. Why should it? The information does not change with every request. > The cookie max age was set when the session was created and that was > it. Okay. > The end result is that our users who stay signed on for longer than > 3 hours now appear to get logged out. Is that because your non-session cookie is somehow expected to interact with the session cookie? If a user goes 3 hours without any activity, the session expires. JSESSIONID cookies are, by default, temporary cookies for the user agent (browser) and do not have an expiration date (that is, they expire when the browser shuts down). It's up to Tomcat to determine the expiration time of the actual HTTP session. > I'm curious about this functionality - why was the decision made to > not update the session cookie if a max age is set? We can > effectively get what we want by setting the max age to 24 hours, but > that seems like the wrong solution. Can you show your configuration and/or code that is relevant? - -chris -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk4d62wACgkQ9CaO5/Lv0PAkPACfU5RRFYpswrZUk/vfEQqJfukL HBUAn1/xJVprK2PwBd6iEHobVrwMpi91 =NHfl -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
