Posted to users@tomcat.apache.org by Gregor Schneider <rc...@googlemail.com> on 2006/08/24 21:19:45 UTC

Odd session-behaviour

Hi guys,

I've experienced an odd session-behaviour of Tomcat 5.0.28.

I've set the overall session-timeout in /conf/web.xml to 1 minute (for
testing-purposes).

We do have a login-form (a jsp), which then calls j_security_check.

When the login-form is displayed, I'm waiting for MORE than 1 minute,
and the session times out. I get a message saying "connection reset".

Ok, session's timed out, so I call the url again and enter my
login-data WITHIN this one minute.

No way - I STILL get this weird message, and only if I delete cookies
AND cache can I proceed with my login-process.

I've tested this behaviour with Firefox, latest build (didn't want to
test it with IE since IE's caching and cookie-handling is an enigma to
me).

Now I've subclassed the FormAuthenticator and copied the full
authenticate()-method, and what I can see is the following:

Method FormAuthenticator.authenticate():

        // No -- Save this request and redirect to the form login page
        if (!loginAction) {
            session = getSession(request, true);

            // HERE I GET A VALID SESSION-OBJECT, I FIGURE THIS IS CALLED
            // WHEN THE FORM-LOGIN-PAGE IS DISPLAYED
            saveRequest(request, session);
            RequestDispatcher disp =
                context.getServletContext().getRequestDispatcher
                (config.getLoginPage());
            try {
                disp.forward(hreq, hres);
                response.finishResponse();
            } catch (Throwable t) {
            }
            return (false);
        }

[ ....]
        // AND LATER ON I'M STUMBLING INTO HERE (AFTER THE SESSION HAS
        // TIMED OUT SINCE THE USER HAS WAITED TOO LONG)

        if (session == null)
            session = getSession(request, false);
        if (session == null) {
            /*
            if (debug >=1)
                log("User took so long to log on the session expired");
            */
            hres.sendError(HttpServletResponse.SC_REQUEST_TIMEOUT,
                           sm.getString("authenticator.sessionExpired"));
            return (false);
        }

So far, so good, makes sense to me, BUT it's really, really odd that I
have to delete cookies AND cache (just deleting cookies won't work) to
make a new login possible - otherwise I'm always getting the
"Connection reset"-error-message.

In front we run an Apache http-server 2.something, and the headers are
configured to

cache-control:public, must-revalidate

in case of j_security_check or login-form:

cache-control: no-store

Now the big question: Is this a bug, a feature, or am I missing something here?

Just imagine the normal office-procedure:

Your client enters the office, calls your site, the cutie from next
door comes in for a chat, he chats his 31 minutes, the session is timed
out and this guy is not able to log in to your app any more!

Suggestions, please

Cheers

Greg

-- 
what's puzzlin' you, is the nature of my game

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Odd session-behaviour

Posted by Gregor Schneider <rc...@googlemail.com>.
hi list,

ok, maybe my 1st story was a bit too long to catch the reader's
interest, now I'll try it with a shorter version:

when using an authenticated ssl-session with a form login (jsp), if the
session times out while the user is entering his login-data (i.e. the
user gets interrupted), tomcat just delivers a "connection reset"
error-message

this is caused by the following line in tomcat-code (5.0.28):

            hres.sendError(HttpServletResponse.SC_REQUEST_TIMEOUT,

Now what I want is that, in case of this timeout-message, the user is
forwarded to my logon-page again; however, I haven't found any way to
do this except subclassing FormAuthenticator and writing my own code,
which I'd like to avoid.

Now could anybody please point me into the right direction or tell me
what I'm missing here?

TIA

Greg
-- 
what's puzzlin' you, is the nature of my game
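One way to get the redirect asked for above without subclassing FormAuthenticator is the servlet error-page mapping for status 408 in the application's WEB-INF/web.xml, shown here as an added example (not code from the thread or from Tomcat). It assumes the paths /login.jsp, /login-error.jsp, /expired.jsp and /app/* (all placeholders), and that Tomcat routes the authenticator's sendError(408) through the webapp's error-page mappings, which should be verified on the version in use; note that the quoted code only saves the original request in the non-j_security_check branch, so the expired-session page must send the user back into the protected area rather than straight to the login form.

```xml
<!-- WEB-INF/web.xml fragment; added example, not from the thread or Tomcat.
     Paths /login.jsp, /login-error.jsp, /expired.jsp and /app/* are assumed. -->
<web-app>
  <session-config>
    <!-- minutes; the thread used 1 for testing, 30 is a typical production value -->
    <session-timeout>30</session-timeout>
  </session-config>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected area</web-resource-name>
      <url-pattern>/app/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
    </auth-constraint>
    <!-- the thread talks about an SSL session: require HTTPS for this area -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- FormAuthenticator answers sendError(SC_REQUEST_TIMEOUT) when the session
       that held the saved request has expired. Instead of the bare 408, show an
       unprotected page that sends the user back to /app/ (link or redirect), so
       the authenticator saves the request again and shows the login form.
       Do not point this at /login.jsp directly: a j_security_check post without
       a saved request in the session is rejected by the authenticator. -->
  <error-page>
    <error-code>408</error-code>
    <location>/expired.jsp</location>
  </error-page>
</web-app>
```

The login and expired pages should keep being served with cache-control: no-store, as the first post already configures, so the browser does not replay a stale form against a new session.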
