You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@tomcat.apache.org by "Kenny G. Dubuisson, Jr." <kd...@kcmria.com> on 2002/12/18 16:30:05 UTC
Session timeout setting
I have a web site using JSP that, when the user logs in, sets a cookie with
the current session ID. Every page visited thereafter checks the current
session ID with the stored one in the cookie. I've found that the session
ID changes after 60 mins (which invalidates my user's session). Is there a
setting in Tomcat that controls the amount of session time before changing
the session ID? I want to increase it beyond 60 mins but I've yet to find
out how.
Thanks in advance,
Kenny
FYI: I'm using Tomcat 4.0.5 as my JSP/servlet server.
--
To unsubscribe, e-mail: <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>
Re: Session timeout setting
Posted by Bill Barker <wb...@wilshire.com>.
You didn't mention which Tomcat version you are using, so I'm going to
assume 4.x.
You need to add (between <servlet-mapping>s and <mime-mappings>s):
<session-config>
<session-timout>${minutes}</session-timeout>
</session-config>
to conf/web.xml (where, of course, ${minutes} is replaced with the numerical
value of the number of minutes you want :). This will change the time-out
server-wide unless any web-app has a similar declaration.
Of course, this will work with all released versions of Tomcat (>= 3.2.x) if
you include it in your own web-app's web.xml file.
"Kenny G. Dubuisson, Jr." <kd...@kcmria.com> wrote in message
news:005401c2a6aa$56e75ed0$1901a8c0@site13...
> I have a web site using JSP that, when the user logs in, sets a cookie
with
> the current session ID. Every page visited thereafter checks the current
> session ID with the stored one in the cookie. I've found that the session
> ID changes after 60 mins (which invalidates my user's session). Is there
a
> setting in Tomcat that controls the amount of session time before changing
> the session ID? I want to increase it beyond 60 mins but I've yet to find
> out how.
>
> Thanks in advance,
> Kenny
>
> FYI: I'm using Tomcat 4.0.5 as my JSP/servlet server.
--
To unsubscribe, e-mail: <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>
Re: Session timeout setting (URGENT)
Posted by "Kenny G. Dubuisson, Jr." <kd...@kcmria.com>.
Thanks for the response. Here is my questions?
> This is a standard configuration in the web.xml file, use:
>
> <session-config><session-timeout>60</session-timeout></session-config>
>
I checked my $CATALINA_HOME/conf/web.xml file and it currently has the
setting set to 30 mins. This says to me that this setting is not getting
used. I changed it to 120 and verified that 60 mins was still the default.
Any idea of why my web.xml is not getting used? I do not have an
application specific web.xml...the one in the conf directory is the only one
I have.
> Plus, check out the PersistentSessionManager, which can be used to get
> really long session timeouts by swapping idle sessions out to disk.
I read about this in the Tomcat docs but I'm not quite sure how to implement
this. Is there a simple howto on this that you know of?
Thanks,
Kenny
----- Original Message -----
From: "Kief Morris" <ki...@kief.com>
To: "Tomcat Users List" <to...@jakarta.apache.org>
Sent: Friday, December 20, 2002 9:36 AM
Subject: Re: Session timeout setting (URGENT)
> Kenny G. Dubuisson, Jr. typed the following on 09:05 20/12/2002 -0600
> >Simple minded as I am, I still believe with everything I have that there
> >MUST be a setting in Tomcat that controls how often new session ID's are
> >generated.
>
> This is a standard configuration in the web.xml file, use:
>
> <session-config><session-timeout>60</session-timeout></session-config>
>
> Make sure it's in the right place inside the web.xml file,
> after servlet-mappings.
>
> You can also set it programmatically using
HttpSession.setMaxInactiveInterval(),
> which uses seconds rather than minutes.
>
> Plus, check out the PersistentSessionManager, which can be used to get
> really long session timeouts by swapping idle sessions out to disk.
>
> Kief
>
>
> --
> To unsubscribe, e-mail:
<ma...@jakarta.apache.org>
> For additional commands, e-mail:
<ma...@jakarta.apache.org>
>
--
To unsubscribe, e-mail: <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>
Re: Session timeout setting (URGENT)
Posted by Kief Morris <ki...@kief.com>.
Kenny G. Dubuisson, Jr. typed the following on 09:05 20/12/2002 -0600
>Simple minded as I am, I still believe with everything I have that there
>MUST be a setting in Tomcat that controls how often new session ID's are
>generated.
This is a standard configuration in the web.xml file, use:
<session-config><session-timeout>60</session-timeout></session-config>
Make sure it's in the right place inside the web.xml file,
after servlet-mappings.
You can also set it programmatically using HttpSession.setMaxInactiveInterval(),
which uses seconds rather than minutes.
Plus, check out the PersistentSessionManager, which can be used to get
really long session timeouts by swapping idle sessions out to disk.
Kief
--
To unsubscribe, e-mail: <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>
RE: Session timeout setting (URGENT)
Posted by Jim Henderson <jg...@metafile.com>.
Mark, nice job! I have learned a thing or two from your note. When one (at
least this one) is in a hurry to put together an application, they often
gloss over important details. Thanks!
-----Original Message-----
From: Mark Eggers [mailto:its_toasted@yahoo.com]
Sent: Friday, December 20, 2002 11:38 AM
To: Tomcat Users List
Subject: Re: Session timeout setting (URGENT)
Ken,
Let me qualify this before giving you a possibility.
I have just started working with Tomcat as a
programmer (I'm mostly a system admin / integrator /
architect). And as another person on the mailing list
has pointed out, I am not a part of any apache.org
development team.
That said, I thought I would do a little bit of
research on your problem and try to help.
I'm using as a reference "Java Servlet Programming,
Second Edition" by Jason Hunter with William Crawford.
On pages 216-218, session timeout is discussed. It
appears that the following snippet of xml should be
placed in your web application web.xml file.
<session-config>
<session-timeout>
60
</session-timeout>
</session-config>
This sets the session timeout to 60 minutes. Before
going on, I noticed that the session timeout in the
Tomcat web.xml is set at 30 minutes (at least in my
installation of 4.1.12). So I am not sure where your
60 minute timeout is coming from.
The book also goes on to say that the session timeout
can be configured individually for a session with
getMaxInactiveInterval() and setMaxInactiveInterval().
The methods take (int) seconds as the argument, not
minutes.
Previous pages (212-216) talk about the session
tracking API and how to manage long term sessions.
The session tracking API section ends on page 229.
In short, there should be something useful in there
that can help you out of your problem.
I hope I've not been too pendantic and that this gives
you enough information to help you solve your problem.
/mde/
just my two cents . . . .
__________________________________________________
Do you Yahoo!?
Yahoo! Mail Plus - Powerful. Affordable. Sign up now.
http://mailplus.yahoo.com
--
To unsubscribe, e-mail:
<ma...@jakarta.apache.org>
For additional commands, e-mail:
<ma...@jakarta.apache.org>
--
To unsubscribe, e-mail: <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>
Re: Session timeout setting (URGENT)
Posted by Mark Eggers <it...@yahoo.com>.
Ken,
Let me qualify this before giving you a possibility.
I have just started working with Tomcat as a
programmer (I'm mostly a system admin / integrator /
architect). And as another person on the mailing list
has pointed out, I am not a part of any apache.org
development team.
That said, I thought I would do a little bit of
research on your problem and try to help.
I'm using as a reference "Java Servlet Programming,
Second Edition" by Jason Hunter with William Crawford.
On pages 216-218, session timeout is discussed. It
appears that the following snippet of xml should be
placed in your web application web.xml file.
<session-config>
<session-timeout>
60
</session-timeout>
</session-config>
This sets the session timeout to 60 minutes. Before
going on, I noticed that the session timeout in the
Tomcat web.xml is set at 30 minutes (at least in my
installation of 4.1.12). So I am not sure where your
60 minute timeout is coming from.
The book also goes on to say that the session timeout
can be configured individually for a session with
getMaxInactiveInterval() and setMaxInactiveInterval().
The methods take (int) seconds as the argument, not
minutes.
Previous pages (212-216) talk about the session
tracking API and how to manage long term sessions.
The session tracking API section ends on page 229.
In short, there should be something useful in there
that can help you out of your problem.
I hope I've not been too pendantic and that this gives
you enough information to help you solve your problem.
/mde/
just my two cents . . . .
__________________________________________________
Do you Yahoo!?
Yahoo! Mail Plus - Powerful. Affordable. Sign up now.
http://mailplus.yahoo.com
--
To unsubscribe, e-mail: <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>
Re: Session timeout setting (URGENT)
Posted by Milt Epstein <me...@uiuc.edu>.
On Fri, 20 Dec 2002, Kenny G. Dubuisson, Jr. wrote:
> Simple minded as I am, I still believe with everything I have that
> there MUST be a setting in Tomcat that controls how often new
> session ID's are generated. If I have a simple page that does
> nothing but a "session.getId()" and it returns a new session ID
> every 60 mins, there must be something in Tomcat that sets this
> interval. Obviously this setting is missing from my config files so
> that Tomcat uses it's default. Has no one ever wanted to change
> this setting before? I hate to sound beligerent but I've authored
> and released what I feel to be a very nice application/web site but
> the only feedback I'm getting is litterally users screaming at me
> because I haven't fixed this yet. I'm going to have to start
> looking at redesigning the login/verification process on every page
> (not a big site but still 20K of code) to work around this issue
> when I feel it has to be a simple setting.
First of all, I couldn't tell from your description in your first
message in this thread the other day whether you're using your own
session cookie mechanism, or whether you're using the standard session
API mechanism. Could you clarify that? If you are using your own,
what you're seeing could be some artifact of that.
Otherwise, instead of assuming there is some simple setting to change,
I'd suggest taking a closer look at your own code, and how you're
using the built-in facilities, even posting the code here if you're
not sure, to see if the problem lies there. Several people have
already pointed out the standard mechanisms for handling session
timeouts, and I'm not sure there's anything else to say about that --
it looks like a dead end.
BTW, do you really have a page that just does session.getId() and
you're seeing this problem with that?
I'd also suggest you really verify that it is the regular session
timeout that is going on. You might be able to do that bu checking
the logs, or at worst, write your own SessionActivationListener (or
whatever it's called) to catch the session being deactivated and
record that.
Actually, if the session is being deactivated/renewed an hour after
it's created, regardless of activity, then it most likely is not the
standard session timeout that's causing it, because that's an *idle*
timeout, not a duration timeout.
In sum, I really think you need to do some more investigation into
what's going on, by checking logs and/or trying some things to see
what happens, etc., as opposed to looking for a quick fix. Sorry, but
that's generally the way things work.
Milt Epstein
Research Programmer
Integration and Software Engineering (ISE)
Campus Information Technologies and Educational Services (CITES)
University of Illinois at Urbana-Champaign (UIUC)
mepstein@uiuc.edu
--
To unsubscribe, e-mail: <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>
Re: Session timeout setting (URGENT)
Posted by "Kenny G. Dubuisson, Jr." <kd...@kcmria.com>.
Simple minded as I am, I still believe with everything I have that there
MUST be a setting in Tomcat that controls how often new session ID's are
generated. If I have a simple page that does nothing but a
"session.getId()" and it returns a new session ID every 60 mins, there must
be something in Tomcat that sets this interval. Obviously this setting is
missing from my config files so that Tomcat uses it's default. Has no one
ever wanted to change this setting before? I hate to sound beligerent but
I've authored and released what I feel to be a very nice application/web
site but the only feedback I'm getting is litterally users screaming at me
because I haven't fixed this yet. I'm going to have to start looking at
redesigning the login/verification process on every page (not a big site but
still 20K of code) to work around this issue when I feel it has to be a
simple setting.
If someone could answer this I'll give you my first born, send expensive
Christmas presents, lend you my wife. Thanking / Praising you in advance,
Kenny
--
To unsubscribe, e-mail: <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>
Re: Session timeout setting (Getting desperate)
Posted by "Kenny G. Dubuisson, Jr." <kd...@kcmria.com>.
Just for a test, I tried moving the web.xml file in the $CATALINA_HOME/conf
directory to my application's WEB-INF directory and set the session-timeout
setting to >60. Restarted Tomcat and then my application quit working
(wouldn't even load the first JSP page). Needless to say I removed the
web.xml file from my application and restarted Tomcat to get my app back
working.
Still no luck in fixing the default session timeout in Tomcat. Any ideas
whatsoever would be very much appreciated...I was supposed to have this
fixed yesterday and I'm totally out of ideas. Thanks,
Kenny
----- Original Message -----
From: "Kenny G. Dubuisson, Jr." <kd...@kcmria.com>
To: "Tomcat Users List" <to...@jakarta.apache.org>
Sent: Thursday, December 19, 2002 11:25 AM
Subject: Re: Session timeout setting
> I'm running Tomcat 4.0.5. Hope this helps. Thanks,
> Kenny
>
> ----- Original Message -----
> From: "Fabio Mengue" <fa...@ccuec.unicamp.br>
> To: "Tomcat Users List" <to...@jakarta.apache.org>
> Sent: Thursday, December 19, 2002 11:13 AM
> Subject: Re: Session timeout setting
>
>
> > On Tomcat 4.0.x, you had a Manager property for this (in server.xml,
> > called |maxInactiveInterval|). Docs say **"The value for this property
> > is inherited automatically if you specify a |<session-timeout>| element
> > in the web application deployment descriptor (|/WEB-INF/web.xml|)."
> > (http://jakarta.apache.org/tomcat/tomcat-4.0-doc/config/manager.html)
> >
> > I just looked 4.1.x docs
> > (http://jakarta.apache.org/tomcat/tomcat-4.1-doc/config/manager.html)
> > and the property is gone :) What version are you using ? Perhaps now it
> > MUST be set on web.xml...
> >
> > I have a problem like yours. Development team will release an
> > application soon that will require users to have sessions that last more
> > that 1 hour; it's much much easier (for them) to just create a session
> > and configure Tomcat to hold it for a whole day. Scalability is not on
> > their minds, of course :)
> >
> > I think that has to be another way, something like Persistent Manager
> > Implementation.
> >
> > Anyone knows a better way to solve this problem ?
> >
> > Thanks a lot,
> >
> > F.
> >
> > Kenny G. Dubuisson, Jr. wrote:
> >
> > >Sorry to repost this but I'm kind of in a bind (got users about to
lynch
> me
> > >which may or may not be a bad thing). Anyway...session ID's on my site
> > >(using Tomcat) are getting regenerated after a user has been logged in
> for
> > >60 mins. I would like to change this to a higher value but don't know
> where
> > >to set it. I've read throught posts on this list and I've seen some
> things
> > >mention the web.xml file and its session-timeout setting but my web.xml
> > >session-timeout setting is currently set to 30 mins in that file so
that
> > >can't be the proper setting that I'm looking for.
> > >
> > >Any ideas would be greatly appreicated. My users are upset that they
> have
> > >to re-login evey hour on an application that they use all day. Thanks
in
> > >advance,
> > >Kenny
> > >
> > >
> > >--
> > >To unsubscribe, e-mail:
> <ma...@jakarta.apache.org>
> > >For additional commands, e-mail:
> <ma...@jakarta.apache.org>
> > >
> > >
> > >
> > >
> >
> > --
> > Fabio Mengue - Centro de Computacao - Unicamp
> > fabio@ccuec.unicamp.br fabio@unicamp.br
> > ----------------------------------------------------------------
> > pi seconds is a nanocentury. - Tom Duff
> >
> >
> >
> > --
> > To unsubscribe, e-mail:
> <ma...@jakarta.apache.org>
> > For additional commands, e-mail:
> <ma...@jakarta.apache.org>
> >
>
>
> --
> To unsubscribe, e-mail:
<ma...@jakarta.apache.org>
> For additional commands, e-mail:
<ma...@jakarta.apache.org>
>
--
To unsubscribe, e-mail: <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>
Re: Session timeout setting
Posted by "Kenny G. Dubuisson, Jr." <kd...@kcmria.com>.
I'm running Tomcat 4.0.5. Hope this helps. Thanks,
Kenny
----- Original Message -----
From: "Fabio Mengue" <fa...@ccuec.unicamp.br>
To: "Tomcat Users List" <to...@jakarta.apache.org>
Sent: Thursday, December 19, 2002 11:13 AM
Subject: Re: Session timeout setting
> On Tomcat 4.0.x, you had a Manager property for this (in server.xml,
> called |maxInactiveInterval|). Docs say **"The value for this property
> is inherited automatically if you specify a |<session-timeout>| element
> in the web application deployment descriptor (|/WEB-INF/web.xml|)."
> (http://jakarta.apache.org/tomcat/tomcat-4.0-doc/config/manager.html)
>
> I just looked 4.1.x docs
> (http://jakarta.apache.org/tomcat/tomcat-4.1-doc/config/manager.html)
> and the property is gone :) What version are you using ? Perhaps now it
> MUST be set on web.xml...
>
> I have a problem like yours. Development team will release an
> application soon that will require users to have sessions that last more
> that 1 hour; it's much much easier (for them) to just create a session
> and configure Tomcat to hold it for a whole day. Scalability is not on
> their minds, of course :)
>
> I think that has to be another way, something like Persistent Manager
> Implementation.
>
> Anyone knows a better way to solve this problem ?
>
> Thanks a lot,
>
> F.
>
> Kenny G. Dubuisson, Jr. wrote:
>
> >Sorry to repost this but I'm kind of in a bind (got users about to lynch
me
> >which may or may not be a bad thing). Anyway...session ID's on my site
> >(using Tomcat) are getting regenerated after a user has been logged in
for
> >60 mins. I would like to change this to a higher value but don't know
where
> >to set it. I've read throught posts on this list and I've seen some
things
> >mention the web.xml file and its session-timeout setting but my web.xml
> >session-timeout setting is currently set to 30 mins in that file so that
> >can't be the proper setting that I'm looking for.
> >
> >Any ideas would be greatly appreicated. My users are upset that they
have
> >to re-login evey hour on an application that they use all day. Thanks in
> >advance,
> >Kenny
> >
> >
> >--
> >To unsubscribe, e-mail:
<ma...@jakarta.apache.org>
> >For additional commands, e-mail:
<ma...@jakarta.apache.org>
> >
> >
> >
> >
>
> --
> Fabio Mengue - Centro de Computacao - Unicamp
> fabio@ccuec.unicamp.br fabio@unicamp.br
> ----------------------------------------------------------------
> pi seconds is a nanocentury. - Tom Duff
>
>
>
> --
> To unsubscribe, e-mail:
<ma...@jakarta.apache.org>
> For additional commands, e-mail:
<ma...@jakarta.apache.org>
>
--
To unsubscribe, e-mail: <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>
Re: Session timeout setting
Posted by Fabio Mengue <fa...@ccuec.unicamp.br>.
On Tomcat 4.0.x, you had a Manager property for this (in server.xml,
called |maxInactiveInterval|). Docs say **"The value for this property
is inherited automatically if you specify a |<session-timeout>| element
in the web application deployment descriptor (|/WEB-INF/web.xml|)."
(http://jakarta.apache.org/tomcat/tomcat-4.0-doc/config/manager.html)
I just looked 4.1.x docs
(http://jakarta.apache.org/tomcat/tomcat-4.1-doc/config/manager.html)
and the property is gone :) What version are you using ? Perhaps now it
MUST be set on web.xml...
I have a problem like yours. Development team will release an
application soon that will require users to have sessions that last more
that 1 hour; it's much much easier (for them) to just create a session
and configure Tomcat to hold it for a whole day. Scalability is not on
their minds, of course :)
I think that has to be another way, something like Persistent Manager
Implementation.
Anyone knows a better way to solve this problem ?
Thanks a lot,
F.
Kenny G. Dubuisson, Jr. wrote:
>Sorry to repost this but I'm kind of in a bind (got users about to lynch me
>which may or may not be a bad thing). Anyway...session ID's on my site
>(using Tomcat) are getting regenerated after a user has been logged in for
>60 mins. I would like to change this to a higher value but don't know where
>to set it. I've read throught posts on this list and I've seen some things
>mention the web.xml file and its session-timeout setting but my web.xml
>session-timeout setting is currently set to 30 mins in that file so that
>can't be the proper setting that I'm looking for.
>
>Any ideas would be greatly appreicated. My users are upset that they have
>to re-login evey hour on an application that they use all day. Thanks in
>advance,
>Kenny
>
>
>--
>To unsubscribe, e-mail: <ma...@jakarta.apache.org>
>For additional commands, e-mail: <ma...@jakarta.apache.org>
>
>
>
>
--
Fabio Mengue - Centro de Computacao - Unicamp
fabio@ccuec.unicamp.br fabio@unicamp.br
----------------------------------------------------------------
pi seconds is a nanocentury. - Tom Duff
--
To unsubscribe, e-mail: <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>
Session timeout setting
Posted by "Kenny G. Dubuisson, Jr." <kd...@kcmria.com>.
Sorry to repost this but I'm kind of in a bind (got users about to lynch me
which may or may not be a bad thing). Anyway...session ID's on my site
(using Tomcat) are getting regenerated after a user has been logged in for
60 mins. I would like to change this to a higher value but don't know where
to set it. I've read throught posts on this list and I've seen some things
mention the web.xml file and its session-timeout setting but my web.xml
session-timeout setting is currently set to 30 mins in that file so that
can't be the proper setting that I'm looking for.
Any ideas would be greatly appreicated. My users are upset that they have
to re-login evey hour on an application that they use all day. Thanks in
advance,
Kenny
--
To unsubscribe, e-mail: <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>