Posted to dev@tomcat.apache.org by bu...@apache.org on 2003/12/29 11:27:33 UTC

DO NOT REPLY [Bug 25792] New: - Session timeout implemented incorrectly

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=25792

           Summary: Session timeout implemented incorrectly
           Product: Tomcat 5
           Version: 5.0.16
          Platform: PC
        OS/Version: Windows NT/2K
            Status: NEW
          Severity: Major
          Priority: Other
         Component: Catalina
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: ranlevy@yahoo.com
                CC: ranlevy@yahoo.com


Sessions expire even if they are accessed within the specified timeout
interval.  In our application it breaks application logic. I think that
bug report #20083 refers to this problem and offers a fix.

To reproduce:  Use the two files SessionTimeoutBug.java and web.xml to create
and deploy the bug-reproduction webapp, then direct the browser to 
http://yourserver:8080/bug/SessionBugDemo, hit the URL on the page and wait for
timeouts.  The "interval" context parameter in web.xml defines an activity
interval in seconds and is set to 120 (every 120 seconds the browser sends a
"get" request to the server). The "session-timeout" config parameter is set to
3 minutes. Setting "interval" to 60 or lower shows a situation where the bug
has no effect.  

Actual result:  The first refresh behaves correctly (as the 120-second
interval falls within the 3 minutes timeout period) and the resulting history
page shows that the session is alive. The second refresh causes the start of a new
session, and the webapp start-page is displayed instead of the session history 
page.  When "interval" is set to 60, however, the history page is displayed 
repeatedly, meaning that in this case the session never times out.

Expected result:  that the session would never time out for any "interval" which
is lower than or equal to "session-timeout" (in this example - any interval up to
180 seconds). The history page should continue to be displayed and evolve, and
the start-page should not be displayed after the demo app has begun.

I used the downloaded binaries of 5.0.16.

---------------------------- SessionTimeoutBug.java ----------------------

import java.io.*;
import javax.servlet.*;
import javax.servlet.http.*;
import java.util.*;


public class SessionTimeoutBug extends HttpServlet {
  private int interval = 0;

  public void init (ServletConfig config) throws ServletException {
    super.init (config);     // let GenericServlet store the config
    ServletContext context = config.getServletContext ();
    String str = context.getInitParameter ("interval");

    try {
      if (str != null) {
        interval = Integer.parseInt (str);
      }

      if (interval < 0) {
        interval = 0;
      }
    } catch (NumberFormatException e) {
      interval = 0;     // no refresh
    }
  }


  public void doGet (HttpServletRequest request, HttpServletResponse response)
  throws IOException, ServletException {

    HttpSession session = request.getSession (true);
    String history = (String) session.getAttribute ("history");
    String url = response.encodeURL (request.getRequestURI ());

    if (history == null) {
      genFirstPage (response, session, url);
    } else {
      genPage (response, session, url);
    }
  }


  private void genFirstPage (HttpServletResponse response,
                                         HttpSession session, String url)
  throws IOException, ServletException {

    session.setAttribute ("history", "");

    PrintWriter out = response.getWriter ();
    out.println ("<html>");
    out.println ("<head>");
    out.println ("<title>Session Timeout Bug Demonstration</title>");
    out.println ("</head>");
    out.println ("<body>");
    out.println ("To start demo click <a href=\"" + url + "\">here</a>.");
    out.println ("</body>");
    out.println ("</html>");
    out.close ();
  }




  private void genPage (HttpServletResponse response,
                                         HttpSession session, String url)
  throws IOException, ServletException {

    String history = (String) session.getAttribute ("history");
    history = history + "<BR>Time = " + (new Date ());
    session.setAttribute ("history", history);

    PrintWriter out = response.getWriter ();
    out.println ("<html>");
    out.println ("<head>");
    out.println ("<title>Session Timeout Bug Demonstration</title>");

    out.println ("<meta http-equiv=\"refresh\" content=\"" + interval + ";"
                 + url + "\">");

    out.println ("</head>");
    out.println ("<body>");
    out.println ("<B>Refresh history: </B>" + history);
    out.println ("<br>");
    out.println ("<br><b>Session timeout is: </b>"
                 + session.getMaxInactiveInterval() + " seconds.");
    out.println ("<br><b>Next refresh in: </b>" + interval + " seconds.");
    out.println ("</body>");
    out.println ("</html>");
    out.close ();
  }

}


---------------------------- web.xml ----------------------

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app PUBLIC
    "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
    "http://java.sun.com/dtd/web-app_2_3.dtd">

<web-app>

    <!-- General Description of the web application -->

    <display-name>
        Session Timeout Bug Demonstration Web Application
    </display-name>
    <description>
        Session Timeout Bug Demonstration Web Application
    </description>


    <!-- Context Parameters -->

    <context-param>
        <param-name>interval</param-name>
        <param-value>120</param-value>
    </context-param>



    <!-- Servlet Definitions -->

    <servlet>
        <servlet-name>SessionTimeoutBugDemonstration</servlet-name>
        <servlet-class>SessionTimeoutBug</servlet-class>
    </servlet>


    <!-- Servlet Mapping -->

    <servlet-mapping>
        <servlet-name>SessionTimeoutBugDemonstration</servlet-name>
        <url-pattern>/SessionBugDemo</url-pattern>
    </servlet-mapping>


    <!-- Session Timeout Definition -->

    <session-config>
        <session-timeout>3</session-timeout>
    </session-config>

</web-app>


------------------------------------ END ------------------------------------
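Added example (not part of the original report and not Tomcat code): a small
reference model of the idle-timeout behaviour the report expects, replaying the
demo's refresh schedule against the 3-minute session-timeout. The class and
method names are hypothetical, and the 181-second interval is a constructed
negative case showing that a gap longer than the timeout must still expire.

```java
import java.util.ArrayList;
import java.util.List;

/** Reference model of a sliding idle timeout (illustrative, not Tomcat code). */
public class IdleTimeoutModel {
  private final long maxInactiveSeconds;
  private long lastAccess;          // time of the most recent request, in seconds
  private boolean valid = true;

  IdleTimeoutModel (long maxInactiveSeconds, long startedAt) {
    this.maxInactiveSeconds = maxInactiveSeconds;
    this.lastAccess = startedAt;
  }

  /** Handles a request at time now; returns true if the session is still alive. */
  boolean access (long now) {
    // Idle time is measured from the most recent request. A gap exactly equal
    // to the timeout still counts as alive, following the report's expectation.
    if (valid && now - lastAccess > maxInactiveSeconds) {
      valid = false;
    }
    if (valid) {
      lastAccess = now;             // every successful access restarts the clock
    }
    return valid;
  }

  /** Replays the demo page's periodic refresh; returns the refreshes that failed. */
  static List<Integer> expiredRefreshes (int intervalSeconds, int timeoutMinutes,
                                         int refreshes) {
    // Time 0 stands for the click that starts the demo.
    IdleTimeoutModel session = new IdleTimeoutModel (timeoutMinutes * 60L, 0);
    List<Integer> expired = new ArrayList<> ();
    for (int n = 1; n <= refreshes; n++) {
      if (!session.access ((long) n * intervalSeconds)) {
        expired.add (n);
      }
    }
    return expired;
  }

  public static void main (String[] args) {
    int timeoutMinutes = 3;                  // <session-timeout> from web.xml
    int[] intervals = {60, 120, 180, 181};   // 181 is a constructed negative case
    for (int interval : intervals) {
      List<Integer> expired = expiredRefreshes (interval, timeoutMinutes, 5);
      System.out.println ("interval=" + interval + "s expired refreshes: " + expired);
    }
  }
}
```

Under this model no refresh expires for intervals up to 180 seconds, so the
new session reported on the second 120-second refresh is a deviation from it.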