Posted to users@isis.apache.org by Erik de Hair <er...@pocos.nl> on 2014/07/02 12:29:23 UTC

configure session timeout

Hi,

How to configure the session timeout of the web app? I tried to set the session time out in web.xml and in shiro.ini but both have no effect. The cookie expires in a month...

My additional shiro-config (tried to let it expire in 1 minute):

[main]
...
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
# 60,000 milliseconds = 1 minute
sessionManager.globalSessionTimeout = 60000
securityManager.sessionManager = $sessionManager


Thanks,
Erik

RE: configure session timeout

Posted by Erik de Hair <er...@pocos.nl>.
______________________________________
From: Dan Haywood [dan@haywood-associates.co.uk]
Sent: Friday, July 04, 2014 3:00 PM

> Martin just replied off-line to me, saying:

> Wicket's CookieDefaults is only for custom response cookie. The JSESSIONID
> cookie is not managed by Wicket at all.

The JSESSIONID cookie indeed has an expiration period of "Session", but I don't even lose my session after a day.

After login a cookie named "LoggedIn" is created. I've been searching for this key and found this in some Wicket authentication class, and from there I've found the CookieDefaults class. Copying this class and changing the maxAge really is the only thing I did to configure cookie expiration (which does indeed log me out after the expiration period).

> The session timeout can be managed with web.xml's session-timeout (in
> minutes) or via Servlet API -
> http://docs.oracle.com/javaee/5/api/javax/servlet/http/HttpSession.html#setMaxInactiveInterval(int)
> (in seconds).

I've set the session time out in web.xml but this didn't work. The expiration period for the "LoggedIn" cookie wasn't changed accordingly and my session was still there (or maybe it was restored by the LoggedIn cookie).

> HTH
> Dan




On 4 July 2014 08:58, Dan Haywood <da...@haywood-associates.co.uk> wrote:

> Thanks for exploring this further, Erik.
>
> I've just pinged Martin Grigorov, one of the Wicket committers, and who is
> good enough to keep a watching eye over other Apache projects (such as
> ours) that use Wicket.  I'm hoping he might be able to bring in a little
> illumination into this topic.
>
> Dan
>
>
>
> On 4 July 2014 08:03, Erik de Hair <er...@pocos.nl> wrote:
>
>> It looks like the session cookie is set by wicket. There's a class
>> "org.apache.wicket.util.cookies.CookieDefaults" that sets the expiration
>> maxAge to 30 days. I found no way to configure this (or tell wicket to use
>> my modified implementation) so I copied the class into the webapp and set
>> the maxAge to the required value (and that does the trick for now).
>>
>> I'll try to figure out:
>> - if it is possible to set the maxAge in Wicket runtime or by
>> configuration
>> - if Shiro is or can be involved in setting the cookie like in Dan's
>> example [1]
>>
>> Erik
>> ________________________________________
>> From: Dan Haywood [dan@haywood-associates.co.uk]
>> Sent: Thursday, July 03, 2014 11:52 AM
>> To: users
>> Subject: Re: configure session timeout
>>
>> Haven't played around with this myself, so can't advise.
>>
>> The Shiro mailing list might be a good place to ask.  A quick google on
>> StackOverflow also threw up [1], which might help
>>
>> Dan
>>
>> [1]
>>
>> http://stackoverflow.com/questions/17556787/shiro-resets-the-session-after-2-min
>>
>>
>>
>>
>> On 2 July 2014 11:29, Erik de Hair <er...@pocos.nl> wrote:
>>
>> > Hi,
>> >
>> > How to configure the session timeout of the web app? I tried to set the
>> > session time out in web.xml and in shiro.ini but both have no effect. The
>> > cookie expires in a month...
>> >
>> > My additional shiro-config (tried to let it expire in 1 minute):
>> >
>> > [main]
>> > ...
>> > sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
>> > # 3,600,000 milliseconds = 1 hour
>> > sessionManager.globalSessionTimeout = 60000
>> > securityManager.sessionManager = $sessionManager
>> >
>> >
>> > Thanks,
>> > Erik
>> >
>>
>
>

Re: configure session timeout

Posted by Dan Haywood <da...@haywood-associates.co.uk>.
Martin just replied off-line to me, saying:

Wicket's CookieDefaults is only for custom response cookie. The JSESSIONID
cookie is not managed by Wicket at all.
The session timeout can be managed with web.xml's session-timeout (in
minutes) or via Servlet API -
http://docs.oracle.com/javaee/5/api/javax/servlet/http/HttpSession.html#setMaxInactiveInterval(int)
(in seconds).

HTH
Dan




On 4 July 2014 08:58, Dan Haywood <da...@haywood-associates.co.uk> wrote:

> Thanks for exploring this further, Erik.
>
> I've just pinged Martin Grigorov, one of the Wicket committers, and who is
> good enough to keep a watching eye over other Apache projects (such as
> ours) that use Wicket.  I'm hoping he might be able to bring in a little
> illumination into this topic.
>
> Dan
>
>
>
> On 4 July 2014 08:03, Erik de Hair <er...@pocos.nl> wrote:
>
>> It looks like the session cookie is set by wicket. There's a class
>> "org.apache.wicket.util.cookies.CookieDefaults" that sets the expiration
>> maxAge to 30 days. I found no way to configure this (or tell wicket to use
>> my modified implementation) so I copied the class into the webapp and set
>> the maxAge to the required value (and that does the trick for now).
>>
>> I'll try to figure out:
>> - if it is possible to set the maxAge in Wicket runtime or by
>> configuration
>> - if Shiro is or can be involved in setting the cookie like in Dan's
>> example [1]
>>
>> Erik
>> ________________________________________
>> From: Dan Haywood [dan@haywood-associates.co.uk]
>> Sent: Thursday, July 03, 2014 11:52 AM
>> To: users
>> Subject: Re: configure session timeout
>>
>> Haven't played around with this myself, so can't advise.
>>
>> The Shiro mailing list might be a good place to ask.  A quick google on
>> StackOverflow also threw up [1], which might help
>>
>> Dan
>>
>> [1]
>>
>> http://stackoverflow.com/questions/17556787/shiro-resets-the-session-after-2-min
>>
>>
>>
>>
>> On 2 July 2014 11:29, Erik de Hair <er...@pocos.nl> wrote:
>>
>> > Hi,
>> >
>> > How to configure the session timeout of the web app? I tried to set the
>> > session time out in web.xml and in shiro.ini but both have no effect. The
>> > cookie expires in a month...
>> >
>> > My additional shiro-config (tried to let it expire in 1 minute):
>> >
>> > [main]
>> > ...
>> > sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
>> > # 3,600,000 milliseconds = 1 hour
>> > sessionManager.globalSessionTimeout = 60000
>> > securityManager.sessionManager = $sessionManager
>> >
>> >
>> > Thanks,
>> > Erik
>> >
>>
>
>

Re: configure session timeout

Posted by David Tildesley <da...@yahoo.co.nz>.
Hi Erik,

I had similar problems, though I can't remember the exact detail, when I wanted to use the Shiro web session and related cookie. Order matters in the shiro.ini [1]. In that post [1], there are further references to documentation.

Regards,
David.

[1] http://stackoverflow.com/questions/17556787/shiro-resets-the-session-after-2-min



On Friday, 4 July 2014 7:59 PM, Dan Haywood <da...@haywood-associates.co.uk> wrote:
 


Thanks for exploring this further, Erik.

I've just pinged Martin Grigorov, one of the Wicket committers, and who is
good enough to keep a watching eye over other Apache projects (such as
ours) that use Wicket.  I'm hoping he might be able to bring in a little
illumination into this topic.

Dan




On 4 July 2014 08:03, Erik de Hair <er...@pocos.nl> wrote:

> It looks like the session cookie is set by wicket. There's a class
> "org.apache.wicket.util.cookies.CookieDefaults" that sets the expiration
> maxAge to 30 days. I found no way to configure this (or tell wicket to use
> my modified implementation) so I copied the class into the webapp and set
> the maxAge to the required value (and that does the trick for now).
>
> I'll try to figure out:
> - if it is possible to set the maxAge in Wicket runtime or by configuration
> - if Shiro is or can be involved in setting the cookie like in Dan's
> example [1]
>
> Erik
> ________________________________________
> From: Dan Haywood [dan@haywood-associates.co.uk]
> Sent: Thursday, July 03, 2014 11:52 AM
> To: users
> Subject: Re: configure session timeout
>
> Haven't played around with this myself, so can't advise.
>
> The Shiro mailing list might be a good place to ask.  A quick google on
> StackOverflow also threw up [1], which might help
>
> Dan
>
> [1]
>
> http://stackoverflow.com/questions/17556787/shiro-resets-the-session-after-2-min
>
>
>
>
> On 2 July 2014 11:29, Erik de Hair <er...@pocos.nl> wrote:
>
> > Hi,
> >
> > How to configure the session timeout of the web app? I tried to set the
> > session time out in web.xml and in shiro.ini but both have no effect. The
> > cookie expires in a month...
> >
> > My additional shiro-config (tried to let it expire in 1 minute):
> >
> > [main]
> > ...
> > sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
> > # 3,600,000 milliseconds = 1 hour
> > sessionManager.globalSessionTimeout = 60000
> > securityManager.sessionManager = $sessionManager
> >
> >
> > Thanks,
> > Erik
> >
>

Re: configure session timeout

Posted by Dan Haywood <da...@haywood-associates.co.uk>.
Thanks for exploring this further, Erik.

I've just pinged Martin Grigorov, one of the Wicket committers, and who is
good enough to keep a watching eye over other Apache projects (such as
ours) that use Wicket.  I'm hoping he might be able to bring in a little
illumination into this topic.

Dan



On 4 July 2014 08:03, Erik de Hair <er...@pocos.nl> wrote:

> It looks like the session cookie is set by wicket. There's a class
> "org.apache.wicket.util.cookies.CookieDefaults" that sets the expiration
> maxAge to 30 days. I found no way to configure this (or tell wicket to use
> my modified implementation) so I copied the class into the webapp and set
> the maxAge to the required value (and that does the trick for now).
>
> I'll try to figure out:
> - if it is possible to set the maxAge in Wicket runtime or by configuration
> - if Shiro is or can be involved in setting the cookie like in Dan's
> example [1]
>
> Erik
> ________________________________________
> From: Dan Haywood [dan@haywood-associates.co.uk]
> Sent: Thursday, July 03, 2014 11:52 AM
> To: users
> Subject: Re: configure session timeout
>
> Haven't played around with this myself, so can't advise.
>
> The Shiro mailing list might be a good place to ask.  A quick google on
> StackOverflow also threw up [1], which might help
>
> Dan
>
> [1]
>
> http://stackoverflow.com/questions/17556787/shiro-resets-the-session-after-2-min
>
>
>
>
> On 2 July 2014 11:29, Erik de Hair <er...@pocos.nl> wrote:
>
> > Hi,
> >
> > How to configure the session timeout of the web app? I tried to set the
> > session time out in web.xml and in shiro.ini but both have no effect. The
> > cookie expires in a month...
> >
> > My additional shiro-config (tried to let it expire in 1 minute):
> >
> > [main]
> > ...
> > sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
> > # 3,600,000 milliseconds = 1 hour
> > sessionManager.globalSessionTimeout = 60000
> > securityManager.sessionManager = $sessionManager
> >
> >
> > Thanks,
> > Erik
> >
>

RE: configure session timeout

Posted by Erik de Hair <er...@pocos.nl>.
It looks like the session cookie is set by wicket. There's a class "org.apache.wicket.util.cookies.CookieDefaults" that sets the expiration maxAge to 30 days. I found no way to configure this (or tell wicket to use my modified implementation) so I copied the class into the webapp and set the maxAge to the required value (and that does the trick for now).

I'll try to figure out:
- if it is possible to set the maxAge in Wicket runtime or by configuration
- if Shiro is or can be involved in setting the cookie like in Dan's example [1]

Erik
________________________________________
From: Dan Haywood [dan@haywood-associates.co.uk]
Sent: Thursday, July 03, 2014 11:52 AM
To: users
Subject: Re: configure session timeout

Haven't played around with this myself, so can't advise.

The Shiro mailing list might be a good place to ask.  A quick google on
StackOverflow also threw up [1], which might help

Dan

[1]
http://stackoverflow.com/questions/17556787/shiro-resets-the-session-after-2-min




On 2 July 2014 11:29, Erik de Hair <er...@pocos.nl> wrote:

> Hi,
>
> How to configure the session timeout of the web app? I tried to set the
> session time out in web.xml and in shiro.ini but both have no effect. The
> cookie expires in a month...
>
> My additional shiro-config (tried to let it expire in 1 minute):
>
> [main]
> ...
> sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
> # 3,600,000 milliseconds = 1 hour
> sessionManager.globalSessionTimeout = 60000
> securityManager.sessionManager = $sessionManager
>
>
> Thanks,
> Erik
>

Re: configure session timeout

Posted by Dan Haywood <da...@haywood-associates.co.uk>.
Haven't played around with this myself, so can't advise.

The Shiro mailing list might be a good place to ask.  A quick google on
StackOverflow also threw up [1], which might help

Dan

[1]
http://stackoverflow.com/questions/17556787/shiro-resets-the-session-after-2-min




On 2 July 2014 11:29, Erik de Hair <er...@pocos.nl> wrote:

> Hi,
>
> How to configure the session timeout of the web app? I tried to set the
> session time out in web.xml and in shiro.ini but both have no effect. The
> cookie expires in a month...
>
> My additional shiro-config (tried to let it expire in 1 minute):
>
> [main]
> ...
> sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
> # 3,600,000 milliseconds = 1 hour
> sessionManager.globalSessionTimeout = 60000
> securityManager.sessionManager = $sessionManager
>
>
> Thanks,
> Erik
>

Re: configure session timeout

Posted by "davotnz@yahoo.co.nz" <da...@yahoo.co.nz>.
From memory I think shiro.ini is sensitive to section, i.e. the cookie session stuff needs to go in the correct section. Might be wrong. Also if it is longer than http session timeout .... user experience impacted.

David.

Sent from Yahoo Mail on Android
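
Added example (not part of the original thread, and not Isis, Wicket or Shiro code): the thread mentions timers in different units, web.xml's session-timeout in minutes and Shiro's globalSessionTimeout in milliseconds, plus a login cookie maxAge that this sketch takes in seconds. The Python check below normalizes them to seconds and flags a login cookie that outlives the session timeout; the sample web.xml, the sample shiro.ini and all function names are constructed for illustration.

```python
import configparser
import xml.etree.ElementTree as ET

# Constructed sample inputs for illustration (not the poster's real files).
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <session-config><session-timeout>30</session-timeout></session-config>
</web-app>"""

SHIRO_INI = """[main]
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
sessionManager.globalSessionTimeout = 60000
securityManager.sessionManager = $sessionManager
"""

def container_timeout_s(web_xml):
    """web.xml <session-timeout> is in minutes; return seconds, or None if unset."""
    for el in ET.fromstring(web_xml).iter():
        if el.tag.rsplit("}", 1)[-1] == "session-timeout":  # ignore XML namespace
            return int(el.text.strip()) * 60
    return None

def shiro_timeout_s(shiro_ini):
    """globalSessionTimeout is in milliseconds; return seconds, or None if unset."""
    cp = configparser.ConfigParser(interpolation=None)  # keep "$name" references literal
    cp.optionxform = str  # preserve the case of Shiro property names
    cp.read_string(shiro_ini)
    main = cp["main"] if cp.has_section("main") else {}
    for key, value in main.items():
        if key.endswith(".globalSessionTimeout"):
            return int(value) / 1000
    return None

def audit(web_xml, shiro_ini, login_cookie_max_age_s):
    """Return findings for timers that disagree once normalized to seconds."""
    findings = []
    container = container_timeout_s(web_xml)
    shiro = shiro_timeout_s(shiro_ini)
    if container is not None and shiro is not None and container != shiro:
        findings.append(f"container idle timeout {container}s != Shiro {shiro:g}s")
    known = [t for t in (container, shiro) if t is not None]
    if known and login_cookie_max_age_s > min(known):
        findings.append(
            f"login cookie lives {login_cookie_max_age_s}s, longer than the "
            f"{min(known):g}s session timeout")
    return findings
```

Calling audit(WEB_XML, SHIRO_INI, 30 * 24 * 3600) models the 30-day maxAge reported in the thread against the constructed 30-minute and 1-minute timeouts.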