Posted to users@tomcat.apache.org by Jesse Barnum <js...@360works.com> on 2007/06/29 17:37:34 UTC

How do I set maxage on the JSESSIONID cookie?

I would like to have a session ID cookie that has a max age of 48  
hours, so that if a user comes back to my site after closing their  
browser, they will still have the same session on the server. How can  
I configure Tomcat to set the max age of the session ID cookie to  
anything other than -1?

--Jesse Barnum, President, 360Works
http://www.360works.com
(770) 234-9293



---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: [SOLVED] Re: How do I set maxage on the JSESSIONID cookie?

Posted by Jesse Barnum <js...@360works.com>.
I'm modifying the response by appending a session cookie whose maxAge  
has been configured to a positive value. I'm writing it as a Filter  
because 1) Eric suggested that (well, he suggested a Valve, but from  
my limited understanding, it seems like a Filter does the same thing  
and is not specific to Tomcat) and 2) it seems like this will make it  
easy to use with any other servlet app that I want.

--Jesse Barnum, President, 360Works
http://www.360works.com
(770) 234-9293


On Jun 29, 2007, at 7:32 PM, Martin Gainty wrote:

> Curious as to why you're writing a Filter
> Are you modifying Request Headers or the Request itself?
> Thx,
> M--




Re: [SOLVED] Re: How do I set maxage on the JSESSIONID cookie?

Posted by Martin Gainty <mg...@hotmail.com>.
Curious as to why you're writing a Filter
Are you modifying Request Headers or the Request itself?
Thx,
M--


[SOLVED] Re: How do I set maxage on the JSESSIONID cookie?

Posted by Jesse Barnum <js...@360works.com>.
Eric, that worked - your code was very helpful, thanks. I wound up  
doing it as a Filter instead of a Valve, so that it would not be tied  
to Tomcat.

Here is the code in case anybody else would find it useful:

--Jesse Barnum, President, 360Works
http://www.360works.com
(770) 234-9293



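package com.prosc.servlet;

import javax.servlet.*;
import javax.servlet.http.*;
import java.io.IOException;

/**
 * This class will set the cookie maxAge to match the session timeout value.
 * That way, a user who closes their browser and re-enters the site will still
 * have the same session if it has not timed out on the server.
 */
public class SessionCookieExtender implements Filter {
	private static final String JSESSIONID = "JSESSIONID";

	public void init( FilterConfig config ) throws ServletException {}

	public void doFilter( ServletRequest _request, ServletResponse _response, FilterChain chain ) throws IOException, ServletException {
		// Check both objects before casting; non-HTTP traffic passes through untouched.
		if( _request instanceof HttpServletRequest && _response instanceof HttpServletResponse ) {
			HttpServletRequest httpRequest = (HttpServletRequest)_request;
			HttpServletResponse httpResponse = (HttpServletResponse)_response;

			// getSession() creates a session if the request does not have one yet.
			HttpSession session = httpRequest.getSession();
			if( session != null && session.getId() != null ) {
				int sessionTimeoutSeconds = session.getMaxInactiveInterval();
				// A timeout of zero or less is not a usable cookie lifetime: setMaxAge(0) deletes
				// the cookie and a negative value makes it a browser-session cookie again.
				if( sessionTimeoutSeconds > 0 ) {
					Cookie sessionCookie = new Cookie( JSESSIONID, session.getId() );
					sessionCookie.setMaxAge( sessionTimeoutSeconds );
					// The root context reports an empty context path; the cookie path is then "/".
					String contextPath = httpRequest.getContextPath();
					sessionCookie.setPath( contextPath.length() == 0 ? "/" : contextPath );
					// Keep the Secure flag on HTTPS requests so the persistent copy is never sent over plain HTTP.
					sessionCookie.setSecure( httpRequest.isSecure() );
					//FIX! This doesn't actually get rid of the other cookie, but it seems to work OK
					httpResponse.addCookie( sessionCookie );
				}
			}
		}
		chain.doFilter( _request, _response );
	}

	public void destroy() {}
}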



On Jun 29, 2007, at 2:50 PM, Eric Berry wrote:

> You will probably have to write a valve for this. I had to write one
> to set the session cookie's domain so that it's a site wide domain.
>
> I posted the code to this mailing list a while back. If you do a
> search you should be able to find it, if not let me know I'll see if I
> can get a hold of it.
>
> Eric
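
Added example, not part of the thread and not code from any of its posters: on a Servlet 3.0 or later container (an assumption; that API postdates this thread) the max age can be set on the container's own session cookie through SessionCookieConfig, so no second JSESSIONID cookie has to be appended. The package and class name are hypothetical, and the 48-hour value is taken from the original question.

```java
package com.example.servlet; // hypothetical package for this added example

import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.annotation.WebListener;

/**
 * Added example (not from the thread): configures the container's own
 * session cookie at startup instead of appending a second cookie to every
 * response. Requires a Servlet 3.0+ container.
 */
@WebListener
public class PersistentSessionCookieListener implements ServletContextListener {
	// 48 hours, the lifetime asked for in the original question, in seconds.
	private static final int MAX_AGE_SECONDS = 48 * 60 * 60;

	public void contextInitialized( ServletContextEvent event ) {
		ServletContext context = event.getServletContext();
		// The setters are only legal while the context is initializing;
		// once it has started they throw IllegalStateException.
		SessionCookieConfig cookieConfig = context.getSessionCookieConfig();
		cookieConfig.setMaxAge( MAX_AGE_SECONDS );
		// A persistent session ID is written to disk by the browser, so keep
		// it away from page scripts and from plain HTTP. setSecure(true)
		// assumes the application is served over HTTPS only.
		cookieConfig.setHttpOnly( true );
		cookieConfig.setSecure( true );
	}

	public void contextDestroyed( ServletContextEvent event ) {}
}
```

Tomcat sends this cookie when the session is created, so its 48 hours count from that moment rather than sliding with each request the way the filter's cookie does. The server-side timeout is still set separately, for example with <session-timeout>2880</session-timeout> inside <session-config> in web.xml.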


Re: How do I set maxage on the JSESSIONID cookie?

Posted by Jesse Barnum <js...@360works.com>.
Eric, I found your code, so I'll try to modify it for my needs. I've  
never written a valve before, so wish me luck!

Chris, this is an internal application which will not be accessed by  
more than 7 people, so the server session timeout will be 48 hours.  
The idea is for the application to be accessible only to these  
certain people while minimizing the need for logins.

--Jesse Barnum, President, 360Works
http://www.360works.com
(770) 234-9293


On Jun 29, 2007, at 2:50 PM, Eric Berry wrote:

> You will probably have to write a valve for this. I had to write one
> to set the session cookie's domain so that it's a site wide domain.
>
> I posted the code to this mailing list a while back. If you do a
> search you should be able to find it, if not let me know I'll see if I
> can get a hold of it.
>
> Eric
>
> On 6/29/07, Christopher Schultz <ch...@christopherschultz.net> wrote:
>> All,
>>
>> Jesse Barnum wrote:
>> > Well, you can set the max age on a cookie to something > 0, which means
>> > that it will persist for that amount of time, even if the user's browser
>> > window is closed. I'm just trying to figure out if there is a way to
>> > tell Tomcat to set that property on the cookies that it creates to store
>> > the session ID's.
>>
>> You may have to do it manually (that is, grab the Cookie object from the
>> response and force the maxage).
>>
>> On the other hand, the user's session is going to time out within that
>> 48 hours, so what's the point of maintaining the JSESSIONID cookie past
>> the browser-session?
>>
>> -chris


Re: How do I set maxage on the JSESSIONID cookie?

Posted by Eric Berry <el...@gmail.com>.
You will probably have to write a valve for this. I had to write one
to set the session cookie's domain so that it's a site wide domain.

I posted the code to this mailing list a while back. If you do a
search you should be able to find it, if not let me know I'll see if I
can get a hold of it.

Eric

On 6/29/07, Christopher Schultz <ch...@christopherschultz.net> wrote:
> All,
>
> Jesse Barnum wrote:
> > Well, you can set the max age on a cookie to something > 0, which means
> > that it will persist for that amount of time, even if the user's browser
> > window is closed. I'm just trying to figure out if there is a way to
> > tell Tomcat to set that property on the cookies that it creates to store
> > the session ID's.
>
> You may have to do it manually (that is, grab the Cookie object from the
> response and force the maxage).
>
> On the other hand, the user's session is going to time out within that
> 48 hours, so what's the point of maintaining the JSESSIONID cookie past
> the browser-session?
>
> -chris


-- 
Learn from the past. Live in the present. Plan for the future.



Re: How do I set maxage on the JSESSIONID cookie?

Posted by Christopher Schultz <ch...@christopherschultz.net>.
All,

Jesse Barnum wrote:
> Well, you can set the max age on a cookie to something > 0, which means
> that it will persist for that amount of time, even if the user's browser
> window is closed. I'm just trying to figure out if there is a way to
> tell Tomcat to set that property on the cookies that it creates to store
> the session ID's.

You may have to do it manually (that is, grab the Cookie object from the
response and force the maxage).

On the other hand, the user's session is going to time out within that
48 hours, so what's the point of maintaining the JSESSIONID cookie past
the browser-session?

-chris


Re: How do I set maxage on the JSESSIONID cookie?

Posted by Jesse Barnum <js...@360works.com>.
Well, you can set the max age on a cookie to something > 0, which  
means that it will persist for that amount of time, even if the  
user's browser window is closed. I'm just trying to figure out if  
there is a way to tell Tomcat to set that property on the cookies  
that it creates to store the session ID's. I don't think that there  
is anything special about a 'session cookie' versus a 'regular cookie'.

--Jesse Barnum, President, 360Works
http://www.360works.com
(770) 234-9293


On Jun 29, 2007, at 1:16 PM, Len Popp wrote:

> Doesn't the session cookie disappear when the user closes the browser?
> In browsers that I've used anyway, session cookies are not stored on
> disk like regular cookies, so the session is lost when the browser is
> closed.
> -- 
> Len



Re: How do I set maxage on the JSESSIONID cookie?

Posted by Len Popp <le...@gmail.com>.
Doesn't the session cookie disappear when the user closes the browser?
In browsers that I've used anyway, session cookies are not stored on
disk like regular cookies, so the session is lost when the browser is
closed.
-- 
Len

On 6/29/07, Jesse Barnum <js...@360works.com> wrote:
> I would like to have a session ID cookie that has a max age of 48
> hours, so that if a user comes back to my site after closing their
> browser, they will still have the same session on the server. How can
> I configure Tomcat to set the max age of the session ID cookie to
> anything other than -1?
>
> --Jesse Barnum, President, 360Works
> http://www.360works.com
> (770) 234-9293