Re: MaxInactiveInterval
On 06/11/2016 11:24, André Warnier (tomcat) wrote: > On 04.11.2016 20:06, Mark Thomas wrote: >> I did say "patches welcome" to André but since he is a committer that >> should have been "commits welcome" ;) >> > > Guys, you all know my level of (in)competence in matters deeply Java. You might be surprised at just how little Java I knew when I was made a committer. > I got my kudos by trying to help people in a general sense here, but > when things seem to involve specific parts deep down the Tomcat code, I > have to call for help. As always, happy to provide pointers. This should end up as a docs fix which I'd encourage you to consider tackling yourself. > What I know is this, from the Servlet Specs 3.0 final : > > quote > > 12. session-config Element > > The session-config defines the session parameters for this Web application. > The sub-element *session-timeout* defines the default session time out > interval > for all sessions created in this Web application. The specified time out > must be > expressed in a whole number of minutes. If the time out is 0 or less, > the container > ensures the default behavior of sessions is never to time out. If this > element is not > specified, the container must set its default time out period. > > unquote > > So it appears that there is a difference between : > - the WEB-INF/web.xml of a webapp specifying a session-timeout > 0, in > minutes > - the WEB-INF/web.xml of a webapp specifying a session-timeout =< 0 > (meaning, no timeout or "infinite") > - the WEB-INF/web.xml of a webapp not specifying a session-timeout > (container should supply a default value) > > Which thus raises the question : if a web application does not set the > session-timeout, what value is returned by Tomcat for > getMaxInactiveInterval() ? > > And the auxiliary question : can this (default) value be set somewhere > in the configuration, or is this set in code ? > > (Or is that the one that is set in (tomcat)/conf/web.xml : > > 30 > > ?) You are correct. The value from conf/web.xml provides the default if the application's web.xml does not provide one. > (and what happens if we remove that stanza from conf/web.xml ?) There is a hard-coded default of 30 minutes (i.e. the same as the explicit default in conf/web.xml) in o.a.catalina.core.StandardConetxt. All of the above assumes that the standard components are being used. Custom session managers, session implementations and/or Contexts could all modify this behaviour. To add to the fun, there is, effectively, an undocumented attribute on Context - sessionTimeout - that could also be set in server.xml / context.xml. Overall, the order of precedence should be: - application specific web.xml - conf/web.xml default - sessionTimeout attribute on Context - hard-coded default. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: MaxInactiveInterval
On 04.11.2016 20:06, Mark Thomas wrote: On 04/11/2016 15:53, Caldarale, Charles R wrote: From: Mark Thomas [mailto:ma...@apache.org] Subject: Re: MaxInactiveInterval On 04/11/2016 15:07, André Warnier (tomcat) wrote: A log message in an application running under Tomcat 8 mentions the "MaxInactiveInterval" setting, saying that it is a bit short.. I think that I understand the meaning of the setting (the time for which a session remains valid, even without interactions). But where in the webapp context, and under what name, should an equivalent parameter be specified ? Set it in web.xml. Same with distributable. This really appears to be a problem in the servlet spec (not surprising), which mentions the getMaxInactiveInterval() and setMaxInactiveInterval() APIs but only vaguely ties them to the session-timeout element of session-config. Tomcat doc does not normally describe the nuances of the servlet spec, but something that associates the config name with the API might be useful. To be fair, Tomcat isn't helping here. We used to have these attributes on the (session) manager but we removed with the expectation that they would be configured in web.xml. We could have done a better job of pointing to the expected locations. I did say "patches welcome" to André but since he is a committer that should have been "commits welcome" ;) Guys, you all know my level of (in)competence in matters deeply Java. I got my kudos by trying to help people in a general sense here, but when things seem to involve specific parts deep down the Tomcat code, I have to call for help. What I know is this, from the Servlet Specs 3.0 final : quote 12. session-config Element The session-config defines the session parameters for this Web application. The sub-element *session-timeout* defines the default session time out interval for all sessions created in this Web application. The specified time out must be expressed in a whole number of minutes. If the time out is 0 or less, the container ensures the default behavior of sessions is never to time out. If this element is not specified, the container must set its default time out period. unquote So it appears that there is a difference between : - the WEB-INF/web.xml of a webapp specifying a session-timeout > 0, in minutes - the WEB-INF/web.xml of a webapp specifying a session-timeout =< 0 (meaning, no timeout or "infinite") - the WEB-INF/web.xml of a webapp not specifying a session-timeout (container should supply a default value) Which thus raises the question : if a web application does not set the session-timeout, what value is returned by Tomcat for getMaxInactiveInterval() ? And the auxiliary question : can this (default) value be set somewhere in the configuration, or is this set in code ? (Or is that the one that is set in (tomcat)/conf/web.xml : 30 ?) (and what happens if we remove that stanza from conf/web.xml ?) - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: MaxInactiveInterval
On 04/11/2016 15:53, Caldarale, Charles R wrote: >> From: Mark Thomas [mailto:ma...@apache.org] Subject: Re: >> MaxInactiveInterval > >> On 04/11/2016 15:07, André Warnier (tomcat) wrote: >>> A log message in an application running under Tomcat 8 mentions >>> the "MaxInactiveInterval" setting, saying that it is a bit >>> short.. >>> >>> I think that I understand the meaning of the setting (the time >>> for which a session remains valid, even without interactions). >>> But where in the webapp context, and under what name, should an >>> equivalent parameter be specified ? > >> Set it in web.xml. Same with distributable. > > This really appears to be a problem in the servlet spec (not > surprising), which mentions the getMaxInactiveInterval() and > setMaxInactiveInterval() APIs but only vaguely ties them to the > session-timeout element of session-config. Tomcat doc does not > normally describe the nuances of the servlet spec, but something that > associates the config name with the API might be useful. To be fair, Tomcat isn't helping here. We used to have these attributes on the (session) manager but we removed with the expectation that they would be configured in web.xml. We could have done a better job of pointing to the expected locations. I did say "patches welcome" to André but since he is a committer that should have been "commits welcome" ;) Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: MaxInactiveInterval
> From: Mark Thomas [mailto:ma...@apache.org] > Subject: Re: MaxInactiveInterval > On 04/11/2016 15:07, André Warnier (tomcat) wrote: > > A log message in an application running under Tomcat 8 mentions the > > "MaxInactiveInterval" setting, saying that it is a bit short.. > > > > I think that I understand the meaning of the setting (the time for which > > a session remains valid, even without interactions). > > But where in the webapp context, and under what name, should an > > equivalent parameter be specified ? > Set it in web.xml. Same with distributable. This really appears to be a problem in the servlet spec (not surprising), which mentions the getMaxInactiveInterval() and setMaxInactiveInterval() APIs but only vaguely ties them to the session-timeout element of session-config. Tomcat doc does not normally describe the nuances of the servlet spec, but something that associates the config name with the API might be useful. - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: MaxInactiveInterval
On 04/11/2016 15:07, André Warnier (tomcat) wrote: > Hi. > > A log message in an application running under Tomcat 8 mentions the > "MaxInactiveInterval" setting, saying that it is a bit short.. > > The only place in the Tomcat 8 documentation where I find this setting, > is in > https://tomcat.apache.org/tomcat-8.0-doc/config/manager.html > where it says that this is deprecated, and should be set in the Context. > > However, the page at : > https://tomcat.apache.org/tomcat-8.0-doc/config/context.html > does not mention that parameter at all. > > Deep puzzlement. > What is this all about ? > > I think that I understand the meaning of the setting (the time for which > a session remains valid, even without interactions). > But where in the webapp context, and under what name, should an > equivalent parameter be specified ? Set it in web.xml. Same with distributable. Docs patches welcome. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org