You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@tomcat.apache.org by Urvish Shah <ur...@promise.com> on 2007/07/18 01:17:34 UTC

Session time out related question

Hi

 

In our application we are using Tomcat 5.5.9. Our tomcat session time
out is 30 minutes

 

We have one bottom html frame in our web page which automatically gets
refreshed every 10 seconds to poll some event notifications after user
logs in.

Because of this reason we never get session time out and user gets
logged in always. Only way we can make session time out work (and send
the user back to login page to login again) if we either increase our
page refresh interval (5 seconds to 5 minutes) or decrease the session
time out (default 30 minutes to 5 minutes) and both is not acceptable in
our design or in general web based design. 

 

 

Basically we want to have the Tomcat session time out based on user's
last access of any web page (after he logs in).

 

Is there any settings provided by Tomcat to handle this situation or we
need to write our custom code to such as

If (current time - user's last access time) > session timeout 

then redirect the user to login page

 

I would prefer if Tomcat has a smarter way to deal with this without us
writing our own custom code to deal with this situation

 

Any help on this topic is appreciated

 

Best regards,

Urvish

Re: Session time out related question

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Urvish,

Urvish Shah wrote:
> In our application we are using Tomcat 5.5.9. Our tomcat session time
>  out is 30 minutes
> 
> We have one bottom html frame in our web page which automatically
> gets refreshed every 10 seconds to poll some event notifications
> after user logs in.

Hmm, that could be a problem.

> Because of this reason we never get session time out and user gets 
> logged in always.

Yup.

> Only way we can make session time out work (and send the user back to
> login page to login again) if we either increase our page refresh
> interval (5 seconds to 5 minutes) or decrease the session time out
> (default 30 minutes to 5 minutes) and both is not acceptable in our
> design or in general web based design.

Is it possible to deploy this event notification polling to a separate
webapp that does not require a session? If you can, then your polling
can hit a URL that won't interfere with the session from the "real" webapp.

Otherwise, you're out of luck... the request timeout was designed to
keep the session from being destroyed while in use. If you keep using it
every 10 seconds, it will simply never time out.

-chris