Thanks, Jacques and Girish. Yes, it makes sense to get back to web.xml for the session timeout value.
On Fri, Jan 11, 2019 at 11:13 AM Girish Vasmatkar <girish.vasmat...@hotwaxsystems.com> wrote:

> Hi Jacques
>
> Yes, we should put back the session timeout declaration in web.xml. Given
> the fact that we can always mix web.xml and Annotation based configuration,
> it only makes sense to let web.xml decide the session timeout and even if
> we have the session listener (via web.xml declaration or Annotation), we
> should not programmatically try to override the setting.
>
> Thanks and Regards,
> Girish
>
> On Thu, Jan 10, 2019 at 7:14 PM Jacques Le Roux <jacques.le.r...@les7arts.com> wrote:
>
> > Hi Deepak, Girish,
> >
> > I had a look at the issue. The specifications of Java Servlet
> > Specification 3.0 don't include an annotation to change the session time
> > out.
> >
> > https://www.baeldung.com/servlet-session-timeout
> >
> > https://stackoverflow.com/questions/20389833/session-timeout-config-with-no-web-xml-file
> >
> > I think the best solution is to put back what we had before, i.e. set it to
> > a value (it was 1 hour before) in all web.xml files and remove the
> >
> > session.setMaxInactiveInterval(60*60); //in seconds
> >
> > line in ControlEventListener::sessionCreated
> >
> > I thought about keeping this line if a check to null for the session
> > timeout value (from web.xml) was positive.
> > But by default Tomcat sets it to 30 min (so it's never null) and it's
> > possible but hard to change in OFBiz (e.g. to a known specific extraordinary
> > value that could be checked instead of null as above)
> > So it could be confusing and anyway best practice is to prefer convention
> > over configuration, even if in this case it's much redundant.
> >
> > I think we can reopen OFBIZ-6655 and handle it there, with an explanation.
> >
> > Other ideas?
> >
> > Jacques
> >
> > On 09/01/2019 at 10:11, Girish Vasmatkar wrote:
> > > Hi Deepak
> > >
> > > By the time sessionCreated is called in an HttpSessionListener, the session
> > > has already been created. I am sure if you try to get the HttpSession from
> > > the HttpSessionEvent object, it will have what you defined in
> > > <session-timeout> tag.
> > >
> > > But the code is overriding the timeout using setMaxInactiveInterval to 1
> > > hour that is why it is looking like web.xml is not being given
> > > precedence over programmatic session configuration.
> > >
> > > Whether web.xml takes precedence over annotation does not apply in this
> > > case because anyway the session timeout value is being overridden by the
> > > code. The tomcat container definitely reads session-timeout from web.xml
> > > and assigns timeout for the session accordingly. But since a listener is
> > > configured for session lifecycle management, it invokes the method and
> > > there the session value is being overridden.
> > >
> > > Try to set 2 minutes session timeout in web.xml and remove
> > > session.setMaxInactiveInterval(60*60).
> > > I would say you will be logged out after 2 minutes. If that is not the
> > > case, please let me know.
> > >
> > > I hope I understood your question and problem correctly.
> > >
> > > Best,
> > > Girish
> > >
> > > On Wed, Jan 9, 2019 at 1:53 PM Deepak Nigam <deepak.nigam1...@gmail.com> wrote:
> > >
> > >> Thanks, Jacques.
> > >>
> > >> Apart from the hardcoded thing, I am not able to override the session
> > >> timeout value using <session-timeout> tag in web.xml.
> > >>
> > >> On Tue, Jan 8, 2019 at 1:55 PM Jacques Le Roux <jacques.le.r...@les7arts.com> wrote:
> > >>
> > >>> Hi Deepak,
> > >>>
> > >>> You are right, it's hardcoded and should not. I have no time to go further
> > >>> at the moment, but I'll ASAP
> > >>>
> > >>> Thanks
> > >>>
> > >>> Jacques
> > >>>
> > >>> On 08/01/2019 at 06:10, Deepak Nigam wrote:
> > >>>> Hello all,
> > >>>>
> > >>>> I tried to set the session timeout for the 'ecommerce' and the
> > >>>> 'webtools' components using <session-config> of web.xml, but unable to do
> > >>>> so. Session for the logged-in user remains active even after the set time.
> > >>>>
> > >>>> On further research, I found that we did some changes in this area in the
> > >>>> ticket OFBIZ-6655 <https://issues.apache.org/jira/browse/OFBIZ-6655>. We
> > >>>> have hard coded the session timeout (1 hr) in the sessionCreated() method
> > >>>> of ControlEventListener class. As per the comments in the Jira ticket,
> > >>>> session timeout declarations in web.xml have been removed by the use
> > >>>> of @WebListener annotation. This is to avoid duplicate things everywhere in
> > >>>> web.xml files. Since the web.xml files have precedence on annotations, the
> > >>>> setting can be easily overridden when necessary.
> > >>>>
> > >>>> But the @WebListener is missing in the ControlEventListener class. Also, I am
> > >>>> unable to override the session timeout in web.xml even after putting the
> > >>>> @WebListener annotation in ControlEventListener class.
> > >>>>
> > >>>> Please let me know if this is a real issue or I am doing something wrong?
> > >>>>
> > >>>> Thanks & Regards
> > >>>> --
> > >>>> Deepak Nigam
> > >>>> HotWax Systems Pvt. Ltd.
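
Added example, not part of the thread and not OFBiz code: a small Python check for the two conditions discussed above, namely that a web.xml declares <session-timeout> and that no listener code replaces it with setMaxInactiveInterval. The web.xml and Java snippets are constructed samples and the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

TOMCAT_DEFAULT_MIN = 30  # container default mentioned in the thread
OVERRIDE_RE = re.compile(r"\.setMaxInactiveInterval\s*\(\s*([^)]*?)\s*\)")
# Constructed samples (not OFBiz files).
WEB_XML_2_MIN = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <session-config><session-timeout>2</session-timeout></session-config>
</web-app>"""
WEB_XML_NONE = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1"/>"""
JAVA_WITH_OVERRIDE = """public void sessionCreated(HttpSessionEvent event) {
    HttpSession session = event.getSession();
    session.setMaxInactiveInterval(60*60); //in seconds
}"""
JAVA_FIXED = """public void sessionCreated(HttpSessionEvent event) {
    // session.setMaxInactiveInterval(60*60);
}"""

def declared_timeout_minutes(web_xml_text):
    """Return <session-timeout> in minutes, or None when web.xml omits it."""
    for elem in ET.fromstring(web_xml_text).iter():
        # Drop the namespace, which differs between servlet spec versions.
        if elem.tag.rsplit("}", 1)[-1] == "session-timeout":
            return int((elem.text or "").strip())
    return None

def find_overrides(java_source):
    """Return (line_number, argument) for each live setMaxInactiveInterval call."""
    hits = []
    for number, line in enumerate(java_source.splitlines(), start=1):
        code = line.split("//", 1)[0]  # skip line comments
        match = OVERRIDE_RE.search(code)
        if match:
            hits.append((number, match.group(1)))
    return hits

def audit(web_xml_text, java_source):
    declared = declared_timeout_minutes(web_xml_text)
    findings = []
    if declared is None:
        findings.append(f"no <session-timeout>: container default ({TOMCAT_DEFAULT_MIN} min) applies")
    elif declared <= 0:  # Servlet spec: 0 or less means sessions never time out
        findings.append("<session-timeout> <= 0: sessions never expire")
    for number, arg in find_overrides(java_source):
        findings.append(f"line {number}: setMaxInactiveInterval({arg}) replaces the web.xml value")
    return declared, findings

if __name__ == "__main__":
    print(audit(WEB_XML_2_MIN, JAVA_WITH_OVERRIDE))
    print(audit(WEB_XML_NONE, JAVA_FIXED))
```

Note the unit mismatch the check surfaces: <session-timeout> is in minutes, while setMaxInactiveInterval takes seconds.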