You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@tomcat.apache.org by "G. Wade Johnson" <wa...@abbnm.com> on 2003/09/04 23:36:29 UTC
Session Timeout
I've just been surprised by something that I thought I understood.
I just found out that sessions on my webapp are automatically being
logged out after some period of time. Even when they are being used.
Re: Session Timeout
Posted by "G. Wade Johnson" <wa...@abbnm.com>.
That's actually why I was floored when my applet was kicked back to the
login form after half an hours of continuous activity.
Mike Curwen wrote:
>
> anything you set in WEB-INF/web.xml can be set in
> CATALINA_HOME/conf/web.xml and these setting will be used on a global
> basis, unless overriden at a lower level.
>
> FWIW, I've always understood session-timeout to mean "after a period of
> inactivity". I mean really... how useful would sessions be if they
> logged you out after n minutes, no matter your activity level? Talk
> about frustrating! "It doesn't matter that you've been using my site
> continuosly for the past 30 minutes, I'm still kicking you off". That
> sounds like 'session-duration' to me.
>
>
> > -----Original Message-----
> > From: G. Wade Johnson [mailto:wade.johnson@abbnm.com]
> > Sent: Friday, September 05, 2003 8:45 AM
> > To: Tomcat Users List
> > Subject: Re: Session Timeout
> >
> >
> > I'm using Tomcat 4.1.18 & 4.1.24 (two different machines).
> > The behavior is the same on both. As I said in my other
> > message, I was basing my questions on the documentation I had
> > read. Your response made me do a little testing. Now, I'm
> > even more confused.
> >
> > My assumption was based on information in "Professional Java
> > Servlets 2.3" by Wrox. In chapter 5, they explicitly state
> > that the <session-timeout/> value applies to lifetime, not
> > inactivity, (p. 240).
> >
> > I also checked with
> > http://developer.java.sun.com/developer/Books/javaserverpages/
> > servlets_javaserver/servlets_javaserver05.pdf
> >
> > Section 5.10 describes that parameter as well. It does seem
> > to imply that we are talking about inactivity timeouts, but
> > the text is not actually explicit. It could be read either way.
> >
> > For my test, I set the <session-timeout/> to 5 minutes. If
> > this was a lifetime thing, my session should expire pretty
> > quickly. If not, it would last forever. (My servlet is being
> > queried by an applet on a regular basis.)
> >
> > The session did not expire after 5 minutes. It expired after
> > 30 minutes, just like it did before I added the <session-timeout/>.
> >
> > Any help would be appreciated.
> > G. Wade
> >
> > PS. Since the <session-timeout/> is located in web.xml, I
> > assume it is webapp-specific. Is there any way to set up a
> > timeout on multiple webapps? (Short of making a change for
> > each webapp.) I'm currently using single-sign-on to bring a
> > couple of webapps together into one app from the user's point of view.
> >
> >
> >
> > Filip Hanik wrote:
> > >
> > > >I just found out that sessions on my webapp are
> > automatically being
> > > >logged out after some period of time. Even when they are
> > being used.
> > >
> > > this should not be the case <session-timeout> should be the
> > inactivity
> > > timeout what version of tomcat?
> > > Filip
> > >
> > > ----- Original Message -----
> > > From: "G. Wade Johnson" <wa...@abbnm.com>
> > > To: "Tomcat Users List" <to...@jakarta.apache.org>
> > > Sent: Thursday, September 04, 2003 2:36 PM
> > > Subject: Session Timeout
> > >
> > > I've just been surprised by something that I thought I understood.
> > >
> > > I just found out that sessions on my webapp are automatically being
> > > logged out after some period of time. Even when they are being used.
> > >
> > > >From reading the docs, it appears that the normal timeout
> > behavior is
> > > to terminate any session that has lived longer than n
> > minutes. Is this
> > > correct?
> > >
> > > Also there appears to be a <session-timeout/> element that
> > allows you
> > > to set the length of this timeout.
> > >
> > > However, if I am reading the documentation correctly, the
> > only way to
> > > set an "inactivity timeout" is programmatically? (I
> > actually thought
> > > the "session-timeout" was an "inactivity timeout".<shrug/>)
> > >
> > > How is the best way to go about adding this feature? Is the
> > > HttpSessionListener interface the best way to go?
> > >
> > > Thanks,
> > > G. Wade
> > >
> > >
> > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> > > For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
> > >
> > >
> > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> > > For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> > For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
> >
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
RE: Session Timeout
Posted by Mike Curwen <gb...@gb-im.com>.
anything you set in WEB-INF/web.xml can be set in
CATALINA_HOME/conf/web.xml and these setting will be used on a global
basis, unless overriden at a lower level.
FWIW, I've always understood session-timeout to mean "after a period of
inactivity". I mean really... how useful would sessions be if they
logged you out after n minutes, no matter your activity level? Talk
about frustrating! "It doesn't matter that you've been using my site
continuosly for the past 30 minutes, I'm still kicking you off". That
sounds like 'session-duration' to me.
> -----Original Message-----
> From: G. Wade Johnson [mailto:wade.johnson@abbnm.com]
> Sent: Friday, September 05, 2003 8:45 AM
> To: Tomcat Users List
> Subject: Re: Session Timeout
>
>
> I'm using Tomcat 4.1.18 & 4.1.24 (two different machines).
> The behavior is the same on both. As I said in my other
> message, I was basing my questions on the documentation I had
> read. Your response made me do a little testing. Now, I'm
> even more confused.
>
> My assumption was based on information in "Professional Java
> Servlets 2.3" by Wrox. In chapter 5, they explicitly state
> that the <session-timeout/> value applies to lifetime, not
> inactivity, (p. 240).
>
> I also checked with
> http://developer.java.sun.com/developer/Books/javaserverpages/
> servlets_javaserver/servlets_javaserver05.pdf
>
> Section 5.10 describes that parameter as well. It does seem
> to imply that we are talking about inactivity timeouts, but
> the text is not actually explicit. It could be read either way.
>
> For my test, I set the <session-timeout/> to 5 minutes. If
> this was a lifetime thing, my session should expire pretty
> quickly. If not, it would last forever. (My servlet is being
> queried by an applet on a regular basis.)
>
> The session did not expire after 5 minutes. It expired after
> 30 minutes, just like it did before I added the <session-timeout/>.
>
> Any help would be appreciated.
> G. Wade
>
> PS. Since the <session-timeout/> is located in web.xml, I
> assume it is webapp-specific. Is there any way to set up a
> timeout on multiple webapps? (Short of making a change for
> each webapp.) I'm currently using single-sign-on to bring a
> couple of webapps together into one app from the user's point of view.
>
>
>
> Filip Hanik wrote:
> >
> > >I just found out that sessions on my webapp are
> automatically being
> > >logged out after some period of time. Even when they are
> being used.
> >
> > this should not be the case <session-timeout> should be the
> inactivity
> > timeout what version of tomcat?
> > Filip
> >
> > ----- Original Message -----
> > From: "G. Wade Johnson" <wa...@abbnm.com>
> > To: "Tomcat Users List" <to...@jakarta.apache.org>
> > Sent: Thursday, September 04, 2003 2:36 PM
> > Subject: Session Timeout
> >
> > I've just been surprised by something that I thought I understood.
> >
> > I just found out that sessions on my webapp are automatically being
> > logged out after some period of time. Even when they are being used.
> >
> > >From reading the docs, it appears that the normal timeout
> behavior is
> > to terminate any session that has lived longer than n
> minutes. Is this
> > correct?
> >
> > Also there appears to be a <session-timeout/> element that
> allows you
> > to set the length of this timeout.
> >
> > However, if I am reading the documentation correctly, the
> only way to
> > set an "inactivity timeout" is programmatically? (I
> actually thought
> > the "session-timeout" was an "inactivity timeout".<shrug/>)
> >
> > How is the best way to go about adding this feature? Is the
> > HttpSessionListener interface the best way to go?
> >
> > Thanks,
> > G. Wade
> >
> >
> ---------------------------------------------------------------------
> > To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> > For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
> >
> >
> ---------------------------------------------------------------------
> > To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> > For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
>
Re: Session Timeout
Posted by "G. Wade Johnson" <wa...@abbnm.com>.
I'm using Tomcat 4.1.18 & 4.1.24 (two different machines). The behavior
is the same on both. As I said in my other message, I was basing my
questions on the documentation I had read. Your response made me do a
little testing. Now, I'm even more confused.
My assumption was based on information in "Professional Java Servlets
2.3" by Wrox. In chapter 5, they explicitly state that the
<session-timeout/> value applies to lifetime, not inactivity, (p. 240).
I also checked with
http://developer.java.sun.com/developer/Books/javaserverpages/servlets_javaserver/servlets_javaserver05.pdf
Section 5.10 describes that parameter as well. It does seem to imply
that we are talking about inactivity timeouts, but the text is not
actually explicit. It could be read either way.
For my test, I set the <session-timeout/> to 5 minutes. If this was a
lifetime thing, my session should expire pretty quickly. If not, it
would last forever. (My servlet is being queried by an applet on a
regular basis.)
The session did not expire after 5 minutes. It expired after 30 minutes,
just like it did before I added the <session-timeout/>.
Any help would be appreciated.
G. Wade
PS. Since the <session-timeout/> is located in web.xml, I assume it is
webapp-specific. Is there any way to set up a timeout on multiple
webapps? (Short of making a change for each webapp.) I'm currently
using single-sign-on to bring a couple of webapps together into one
app from the user's point of view.
Filip Hanik wrote:
>
> >I just found out that sessions on my webapp are automatically being
> >logged out after some period of time. Even when they are being used.
>
> this should not be the case <session-timeout> should be the inactivity
> timeout
> what version of tomcat?
> Filip
>
> ----- Original Message -----
> From: "G. Wade Johnson" <wa...@abbnm.com>
> To: "Tomcat Users List" <to...@jakarta.apache.org>
> Sent: Thursday, September 04, 2003 2:36 PM
> Subject: Session Timeout
>
> I've just been surprised by something that I thought I understood.
>
> I just found out that sessions on my webapp are automatically being
> logged out after some period of time. Even when they are being used.
>
> >From reading the docs, it appears that the normal timeout behavior is
> to terminate any session that has lived longer than n minutes. Is this
> correct?
>
> Also there appears to be a <session-timeout/> element that allows you
> to set the length of this timeout.
>
> However, if I am reading the documentation correctly, the only way to
> set an "inactivity timeout" is programmatically? (I actually thought
> the "session-timeout" was an "inactivity timeout".<shrug/>)
>
> How is the best way to go about adding this feature? Is the
> HttpSessionListener interface the best way to go?
>
> Thanks,
> G. Wade
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
Re: Session Timeout
Posted by Filip Hanik <ma...@filip.net>.
>I just found out that sessions on my webapp are automatically being
>logged out after some period of time. Even when they are being used.
this should not be the case <session-timeout> should be the inactivity
timeout
what version of tomcat?
Filip
----- Original Message -----
From: "G. Wade Johnson" <wa...@abbnm.com>
To: "Tomcat Users List" <to...@jakarta.apache.org>
Sent: Thursday, September 04, 2003 2:36 PM
Subject: Session Timeout
I've just been surprised by something that I thought I understood.
I just found out that sessions on my webapp are automatically being
logged out after some period of time. Even when they are being used.