You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by BugRat Mail System <to...@cortexity.com> on 2000/09/08 06:56:57 UTC
BugRat Report #85 - Improper Session timeout - getLastAccessTime() not reset
Report #85 Details
Project: Tomcat
Category: Bug Report
SubCategory: New Bug Report
Class: swbug
State: received
Priority: high
Severity: critical
Confidence: public
Environment:
Release: 3.1
JVM Release: Sun JDK 1.3
Operating System: Windows NT Workstation
OS Release: 4.0
Platform: x86
Synopsis:
Improper Session timeout - getLastAccessTime() not reset
Description:
The inactive time of an user does not always get reset for all the requests made in a specific web application context.
This was verified by session.getLastAccessTime() method.
For instance for request#1, if session.getLastAccessTime() returned x, and if request#2 is made after x+n seconds, session.getAccessTime() does not reflect the x+n seconds, but returns x!
This causes the session to time out n seconds early.
Please note that 'n' is like 40 - 50 seconds.
The web site is a mixture of servlets / jsp pages using the model#2 architecture (servlet - bean - jsp using RequestDispatcher).