Spring Web Flow requires sessions to work, so you can't really remove the usage of sessions at this time.

Cheers,
Scott

On Mon, May 20, 2013 at 5:06 PM, sol myr <[email protected]> wrote:
> Hi,
>
> We noticed if login page has been idle for a while, and then user tries to
> log in - it fails, and he needs to re-try (this 2nd attempt succeeds).
> I realize the cause is Http session timeout, since the LoginTicket is
> stored in session:
>
> http://stackoverflow.com/questions/14135742/cas-credentials-dont-get-validated-if-the-login-page-is-idle
>
> But what is the recommended solution? So far I considered:
>
> 1) Increasing HTTP session timeout (in web.xml).
> But I'm afraid of the memory consumption, since we expect tens (or even
> hundreds) of thousands of users.
>
> 2) Automatically refreshing the page every half hour or so, using
> javascript.
> But then I keep the Http Session alive for ever, e.g. if user left the
> screen and went for a long vacation.
>
> 3) I even considered overriding AuthenticationViaFormAction so that it
> would ignore the LoginTicket.
> But I don't fully understand the security risk of giving up LoginTicket.
> The documentation mentions browser bugs related to "back" button, but I
> didn't understand what they are (we use Chrome BTW).
>
> 4) Any other alternative will be welcome
>
> Thanks very much
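The behaviour discussed in this thread, as an added example that is not part of the original messages and is not CAS code: a simplified Python model of a login ticket stored in a server-side session with an idle timeout. The class `LoginFlow`, its method names, the return strings and the timings are hypothetical, and the model assumes the ticket is single use; it shows the first submit failing after the idle period, the retry succeeding, and a resubmitted ticket being rejected.

```python
import secrets

class LoginFlow:
    """Toy model (assumption): login tickets live in a session with an idle timeout."""

    def __init__(self, idle_timeout_s):
        self.idle_timeout_s = idle_timeout_s
        self.sessions = {}  # session id -> {"last_seen": seconds, "lt": ticket or None}

    def _live_session(self, sid, now):
        s = self.sessions.get(sid)
        if s is None or now - s["last_seen"] > self.idle_timeout_s:
            self.sessions.pop(sid, None)  # expired: the stored ticket goes with it
            return None
        s["last_seen"] = now
        return s

    def render_form(self, sid, now):
        """Show the login page: keep or create the session, issue a fresh ticket."""
        if self._live_session(sid, now) is None:
            sid = secrets.token_urlsafe(16)
            self.sessions[sid] = {"last_seen": now, "lt": None}
        lt = "LT-" + secrets.token_urlsafe(16)
        self.sessions[sid]["lt"] = lt
        return sid, lt

    def submit(self, sid, lt, password_ok, now):
        """Handle the posted form: the ticket must match the one held in the session."""
        s = self._live_session(sid, now)
        if s is None:
            return "retry: session expired"
        expected, s["lt"] = s["lt"], None  # single use, whatever the outcome
        if expected is None or not secrets.compare_digest(expected, lt):
            return "rejected: bad or replayed ticket"
        return "authenticated" if password_ok else "bad credentials"

def idle_then_retry(timeout_s=1800, idle_s=3600):
    """Constructed scenario: form left idle, submitted, retried, then replayed."""
    flow = LoginFlow(timeout_s)
    sid, lt = flow.render_form(None, now=0)
    first = flow.submit(sid, lt, True, now=idle_s)       # session already gone
    sid, lt = flow.render_form(sid, now=idle_s)          # page re-rendered
    second = flow.submit(sid, lt, True, now=idle_s + 5)
    replay = flow.submit(sid, lt, True, now=idle_s + 6)  # same ticket again
    return first, second, replay
```

In this model the number of entries in `sessions` grows with every rendered login page that has not yet timed out, which is the memory cost that a longer timeout or a keep-alive refresh trades against.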
