Posted to users@tomcat.apache.org by Gregor Schneider <rc...@googlemail.com> on 2007/07/18 15:20:34 UTC

Session timing out despite user activity

Hi guys,

the following symptoms:

We have 2 Apache HTTPD-instances (SSL) behind a CISCO-loadbalancer,
the HTTPDs serving static content, dynamic content (servlets) are
served by 2 Tomcat instances (5.5).
HTTPD and Tomcat are linked via mod_jk 1.2.19

I've specified a session-timeout of 240 (8 hours) in
$catalina_home/web-inf/web.xml

Now although our servlets are accessed in between those for hours, the
session times out after 4 hours.

Actually I understood, that after any user-action within those 4
hours, the session should be prolonged again for 4 hours, right or
wrong?

I've implemented a session-listener which logs creation and destruction
of the session.

Attached a sample of the logs:

2007-07-17 08:33:04,924 INFO [TP-Processor1]: User added: xxx, SessionID:0C01237D58836AC6F89D1E6685885596
2007-07-17 12:33:37,643 INFO [ContainerBackgroundProcessor[StandardEngine[Catalina]]]: User removed: xxx, SessionID: 0C01237D58836AC6F89D1E6685885596
2007-07-17 12:46:47,104 INFO [TP-Processor1]: User added: xxx, SessionID:0C01237D58836AC6F89D1E6685885596
2007-07-17 16:46:50,667 INFO [ContainerBackgroundProcessor[StandardEngine[Catalina]]]: User removed: xxx, SessionID: 338CE40CA019BF2C00B06E837652DEAC

As you can see, after 4 hours the user is removed since the
session-listener catches the destruction of the session.

However, my apache-HTTPD-access-logs for that very user "xxx" show me,
that she has accessed our servlets in between:

213.00.000.000 - xxx [17/Jul/2007:15:13:06 +0200] "GET /mikroalbumin_im_urin.htm HTTP/1.0" 200 5127 "https://www.our-domain.com/OurServlet/OurServlet" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

Now is this a bug, a feature or do I miss something here?

Note:

I've defined the SingleSignLogonValve in
$catalina_home/conf/server.xml as specified below:

 <Valve className="org.apache.catalina.authenticator.SingleSignOn" />

Curiously awaiting your valued remarks... ;)

Cheers

Gregor
-- 
what's puzzlin' you, is the nature of my game
gpgp-fp: 79A84FA526807026795E4209D3B3FE028B3170B2
gpgp-key available @ http://pgpkeys.pca.dfn.de:11371

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
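
The cross-check the post above does by eye, as an added example that is not part of the original thread: it pairs the listener's added/removed events per user and flags access-log hits that fall less than the configured timeout before the session's removal, meaning the hit did not reset that session's idle timer. It assumes both logs use the same local time zone and that a user has one session at a time; the function names are illustrative.

```python
import re
from datetime import datetime, timedelta

TIMEOUT = timedelta(minutes=240)  # the session-timeout value given in the post
# Log lines copied from the post, with the mail client's line wraps undone.
LISTENER_LOG = """\
2007-07-17 08:33:04,924 INFO [TP-Processor1]: User added: xxx, SessionID:0C01237D58836AC6F89D1E6685885596
2007-07-17 12:33:37,643 INFO [ContainerBackgroundProcessor[StandardEngine[Catalina]]]: User removed: xxx, SessionID: 0C01237D58836AC6F89D1E6685885596
2007-07-17 12:46:47,104 INFO [TP-Processor1]: User added: xxx, SessionID:0C01237D58836AC6F89D1E6685885596
2007-07-17 16:46:50,667 INFO [ContainerBackgroundProcessor[StandardEngine[Catalina]]]: User removed: xxx, SessionID: 338CE40CA019BF2C00B06E837652DEAC
"""
ACCESS_LOG = '213.00.000.000 - xxx [17/Jul/2007:15:13:06 +0200] "GET /mikroalbumin_im_urin.htm HTTP/1.0" 200 5127 "https://www.our-domain.com/OurServlet/OurServlet" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"'

LISTENER_RE = re.compile(r"^(\S+ \S+)\s+INFO\s+\[.*\]:\s+User (added|removed): (\S+), SessionID:\s*(\S+)$")
ACCESS_RE = re.compile(r'^\S+ \S+ (\S+) \[([^\]]+)\] "\S+ (\S+)')

def parse_listener(text):
    """Yield (time, action, user, session_id) for each session-listener line."""
    for line in text.splitlines():
        m = LISTENER_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S,%f")
            yield ts, m.group(2), m.group(3), m.group(4)

def parse_access(text):
    """Yield (time, user, path); the UTC offset is dropped (assumption: same zone)."""
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
            yield ts.replace(tzinfo=None), m.group(1), m.group(3)

def session_windows(events):
    """Pair each 'added' with the next 'removed' for the same user (IDs may differ)."""
    open_, windows = {}, []
    for ts, action, user, sid in sorted(events):
        if action == "added":
            open_[user] = (ts, sid)
        elif user in open_:
            start, added_sid = open_.pop(user)
            windows.append((user, start, ts, added_sid, sid))
    return windows

def unrefreshed_hits(listener_text=LISTENER_LOG, access_text=ACCESS_LOG):
    """Hits inside a session window that precede its removal by less than TIMEOUT."""
    hits = list(parse_access(access_text))
    return [{"user": u, "path": p, "gap_s": int((end - ts).total_seconds()), "id_mismatch": a != r}
            for u, start, end, a, r in session_windows(parse_listener(listener_text))
            for ts, hu, p in hits if hu == u and start <= ts <= end and end - ts < TIMEOUT]
```

On the post's own log lines this reports one hit, `/mikroalbumin_im_urin.htm`, and also marks that the second removal carries a different SessionID than the preceding "added" line.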


Re: Session timing out despite user activity

Posted by Gregor Schneider <rc...@googlemail.com>.
So sorry for all those typos, I was just in a rush...

Gregor
-- 
what's puzzlin' you, is the nature of my game
gpgp-fp: 79A84FA526807026795E4209D3B3FE028B3170B2
gpgp-key available @ http://pgpkeys.pca.dfn.de:11371



Re: Session timing out despite user activity

Posted by Gregor Schneider <rc...@googlemail.com>.
Hi Mikolaj,

the 2 cookies you're talking about are

JSessionID

and

JSessionIDSSO

However, JSessionID is sent for encrypted sessions only (https),
JSessionIDSSO for any type of connection.

The request-headers do show, for each request only JSessionIDSSO is
passed together with the response, not JSessionID.

OK, but what does that tell me?

The sequence for those two cookies is:

1. request to form-login (https): JSessionID is set
2. form-login is sent back by client, then HTTP302 to root of application:
JSessionID and JSessionIDSSO are sent back with the response
3. Any further request after authorization, only JSessionIDSSO is
passed together with either request / response.

However, I do not see what this could have to do with my problem.

My understanding is, that JSessionIDSSO replaces JSessionID once
authorization is ok and SingleSignLogonValve is specified.

Anyway, is somebody here in the list who has the
SingleSignOnLogonValve activated and can confirm that the session
prolongs after any user-activity?

Cheers

Gregor
-- 
what's puzzlin' you, is the nature of my game
gpgp-fp: 79A84FA526807026795E4209D3B3FE028B3170B2
gpgp-key available @ http://pgpkeys.pca.dfn.de:11371



Re: Session timing out despite user activity

Posted by Mikolaj Rydzewski <mi...@ceti.pl>.
Gregor Schneider wrote:
> I've defined the SingleSignLogonValve in
> $catalina_home/conf/server.xml as specified below:
I don't use SingleSignLogon often, but once I did I noticed, that there 
were at least two session cookies set. It looked like a typical session 
for application, and other session, just for single sign login. So maybe 
this is your case? The other session terminates earlier?

-- 
Mikolaj Rydzewski <mi...@ceti.pl>