I was afraid I wasn't being specific enough - sorry.

    <session-config>
      <session-timeout>180</session-timeout>
      <cookie-config>
        <max-age>10800</max-age>
      </cookie-config>
    </session-config>

We do not want to use the default cookie max age of -1 for our session cookie. We would like for our session to persist across browser restart (I know this might be frowned upon but it's a stepping stone towards the correct solution) - so in order to do so we set the max age of our session cookie to 3 hours, the same as our timeout.

While the jsessionid might not be changing for every request, the timeout is changing with every request. The max age of the cookie does not however change to reflect this information. Really what would be desirable for configuring the cookie would be something like the expires type configuration: access plus 3hrs.

As I stated previously, we can fix this by just configuring our max age to be 24 hours, because ideally no one is going to perfectly keep their session alive on the server for that length of time.

Hopefully this makes more sense now of what I'm after.

-----Original Message-----
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: Wednesday, July 13, 2011 3:01 PM
To: Tomcat Users List
Subject: Re: Session cookie max age

Josh,

On 7/13/2011 2:14 PM, Josh Simmons wrote:
> We tried to set the cookie max age to 3 hours, the exact same time as
> our session timeout.

So, this is a non-session cookie?

> However, I was extremely surprised that the session cookie didn't get
> updated on every request.

Why should it? The information does not change with every request.

> The cookie max age was set when the session was created and that was
> it.

Okay.

> The end result is that our users who stay signed on for longer than
> 3 hours now appear to get logged out.

Is that because your non-session cookie is somehow expected to interact with the session cookie? If a user goes 3 hours without any activity, the session expires.

JSESSIONID cookies are, by default, temporary cookies for the user agent (browser) and do not have an expiration date (that is, they expire when the browser shuts down). It's up to Tomcat to determine the expiration time of the actual HTTP session.

> I'm curious about this functionality - why was the decision made to
> not update the session cookie if a max age is set? We can effectively
> get what we want by setting the max age to 24 hours, but that seems
> like the wrong solution.

Can you show your configuration and/or code that is relevant?

-chris
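
The "access plus 3hrs" behaviour asked for in this thread can be approximated with a servlet filter that re-sends the session cookie on every request, which keeps the cookie lifetime equal to the session timeout instead of widening it to 24 hours. This is an added example, not code from the thread or from Tomcat: the class name `SlidingSessionCookieFilter` is hypothetical, and it assumes a Servlet 3.0 container (`javax.servlet`) that issues the session cookie with the context path as its path.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.*;

// Hypothetical filter (not Tomcat code): re-sends the session cookie on each
// request so its Max-Age slides with the server-side inactivity timeout.
@WebFilter("/*")
public class SlidingSessionCookieFilter implements Filter {

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Never create a session here. Skip new sessions (the container sends
        // their cookie itself) and session ids that arrived via URL rewriting.
        HttpSession session = request.getSession(false);
        if (session != null && !session.isNew()
                && request.isRequestedSessionIdFromCookie()) {
            response.addCookie(refreshedCookie(request, session));
        }
        chain.doFilter(req, res);
    }

    private static Cookie refreshedCookie(HttpServletRequest request, HttpSession session) {
        SessionCookieConfig cfg = request.getServletContext().getSessionCookieConfig();
        String name = cfg.getName() != null ? cfg.getName() : "JSESSIONID";
        Cookie cookie = new Cookie(name, session.getId());

        // "Access plus timeout": getMaxInactiveInterval() is in seconds, so a
        // session-timeout of 180 minutes gives 10800. A non-positive interval
        // means the session never times out; keep a browser-session cookie then.
        int timeout = session.getMaxInactiveInterval();
        cookie.setMaxAge(timeout > 0 ? timeout : -1);

        // Assumption: name, path and domain must match the cookie the container
        // issued, otherwise the browser stores a second cookie beside it.
        String contextPath = request.getContextPath();
        cookie.setPath(cfg.getPath() != null ? cfg.getPath()
                : (contextPath.isEmpty() ? "/" : contextPath));
        if (cfg.getDomain() != null) cookie.setDomain(cfg.getDomain());

        // Assumption: no script needs to read the session id, so HttpOnly is
        // always set; Secure is kept whenever the request came over TLS.
        cookie.setHttpOnly(true);
        cookie.setSecure(cfg.isSecure() || request.isSecure());
        return cookie;
    }
}
```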