Hi Jacques, On double checking, I found that /applications/marketing/webapp/marketing/WEB-INF/web.xml and /applications/party/webapp/partymgr/WEB-INF/web.xml files have been missed. Apart from that, I think we need to work for web.xml of various plugins also.
Thanks & Regards -- Deepak Nigam HotWax Systems Pvt. Ltd On Fri, Jan 11, 2019 at 9:58 PM Jacques Le Roux < jacques.le.r...@les7arts.com> wrote: > Hi Guys, > > Done, please double-check that I have not missed a web.xml files > > Thanks > > Jacques > > Le 11/01/2019 à 11:34, Jacques Le Roux a écrit : > > Thanks Guys, > > > > I'll do this afternoon using OFBIZ-6655 > > > > Jacques > > > > Le 11/01/2019 à 07:03, Deepak Nigam a écrit : > >> Thanks, Jacques and Girish. > >> > >> Yes, it makes sense to get back to web.xml for the session timeout > value. > >> > >> On Fri, Jan 11, 2019 at 11:13 AM Girish Vasmatkar < > >> girish.vasmat...@hotwaxsystems.com> wrote: > >> > >>> Hi Jacques > >>> > >>> Yes, we should put back the session timeout declaration in web.xml. > Given > >>> the fact that we can always mix web.xml and Annotation based > configuration, > >>> it only makes sense to let web.xml decide the session timeout and even > if > >>> we have the session listener (via web.xml declaration or Annotation), > we > >>> should not programatically try to override the setting. > >>> > >>> Thanks and Regards, > >>> Girish > >>> > >>> > >>> On Thu, Jan 10, 2019 at 7:14 PM Jacques Le Roux < > >>> jacques.le.r...@les7arts.com> wrote: > >>> > >>>> Hi Deepak, Girish, > >>>> > >>>> I had a look at the issue. The specifications of Java Servlet > >>>> Specification 3.0 don't include an annotation to change the session > time > >>>> out. > >>>> > >>>> https://www.baeldung.com/servlet-session-timeout > >>>> > >>>> > >>> > https://stackoverflow.com/questions/20389833/session-timeout-config-with-no-web-xml-file > >>>> I think the best solution is to put back what we had before, ie set > it to > >>>> a value (it was 1 hour before) in all web.xml file and remove the > >>>> > >>>> session.setMaxInactiveInterval(60*60); //in seconds > >>>> > >>>> line in ControlEventListener::sessionCreated > >>>> > >>>> I thought about keeping this line if a check to null for the session > >>>> timeout value (from web.xml) was positive. > >>>> But by default Tomcat sets it to 30 min (so it's never null) and it's > >>>> possible but hard to change in OFBiz (eg to a known specific > >>> extraordinary > >>>> value > >>>> that could be checked instead of null as above) > >>>> So it could be confusing and anyway best practice is to prefer > convention > >>>> over configuration, even if in this case it's much redundant. > >>>> > >>>> I think we can reopen OFBIZ-6655 and handle it there, with an > >>> explanation. > >>>> Other ideas? > >>>> > >>>> Jacques > >>>> > >>>> Le 09/01/2019 à 10:11, Girish Vasmatkar a écrit : > >>>>> Hi Deepak > >>>>> > >>>>> By the time sessionCreated is called in an HttpSessionListener, the > >>>> session > >>>>> has already been created. I am sure if you try to get the HttpSession > >>>> from > >>>>> the HttpSessionEvent object, it will have what you defined in > >>>>> <session-timeout> tag. > >>>>> > >>>>> But the code is overriding the timeout using setMaxInactiveInterval > to > >>> 1 > >>>>> hour that is why it is looking like web.xml is not being given > >>>>> precedence over programmatic session configuration. > >>>>> > >>>>> Whether web.xml takes precedence over annotation does not apply in > this > >>>>> case because anyway the session timeout value is being overridden by > >>> the > >>>>> code. The tomcat container definitely reads session-timeout from > >>> web.xml > >>>>> and assigns timeout for the session accordingly. But since a listener > >>> is > >>>>> configured for session lifecycle management, it invokes the method > and > >>>>> there the session value is being overridden. > >>>>> > >>>>> Try to set 2 minutes session timeout in web.xml and remove > >>>>> session.setMaxInactiveInterval(60*60). > >>>>> I would say you will be logged out after 2 minutes. If that is not > the > >>>>> case, pl let me know. > >>>>> > >>>>> I hope I understood your question and problem correctly. > >>>>> > >>>>> Best, > >>>>> Girish > >>>>> > >>>>> > >>>>> > >>>>> On Wed, Jan 9, 2019 at 1:53 PM Deepak Nigam < > >>> deepak.nigam1...@gmail.com> > >>>>> wrote: > >>>>> > >>>>>> Thanks, Jacques. > >>>>>> > >>>>>> Apart from the hardcoded thing, I am not able to override the > session > >>>>>> timeout value using <session-timeout> tag in web.xml. > >>>>>> > >>>>>> On Tue, Jan 8, 2019 at 1:55 PM Jacques Le Roux < > >>>>>> jacques.le.r...@les7arts.com> > >>>>>> wrote: > >>>>>> > >>>>>>> Hi Deepak, > >>>>>>> > >>>>>>> You are right, it's hardcoded and should not. I have no time to go > >>>>>> further > >>>>>>> at the moment, but I'll ASAP > >>>>>>> > >>>>>>> Thanks > >>>>>>> > >>>>>>> Jacques > >>>>>>> > >>>>>>> Le 08/01/2019 à 06:10, Deepak Nigam a écrit : > >>>>>>>> Hello all, > >>>>>>>> > >>>>>>>> I tried to set the session timeout for the 'ecommerce' and the > >>>>>>>> 'webtools' components using <session-config> of web.xml, but > unable > >>> to > >>>>>> do > >>>>>>>> so. Session for the logged-in user remains active even after the > set > >>>>>>> time. > >>>>>>>> On further research, I found that we did some changes in this area > >>> in > >>>>>> the > >>>>>>>> ticket OFBIZ-6655 < > https://issues.apache.org/jira/browse/OFBIZ-6655 > >>>> . > >>>>>> We > >>>>>>>> have hard coded the session timeout (1 hr) in the sessionCreated() > >>>>>> method > >>>>>>>> of ControlEventListner class. As per the comments in the Jira > >>> ticket, > >>>>>>>> session timeout declarations in web.xml have been removed by the > use > >>>>>>>> of @WebListner annotation. This is to avoid duplicates things > >>>>>> everywhere > >>>>>>> in > >>>>>>>> web.xml files. Since the web.xml files have precedence on > >>> annotations, > >>>>>>> the > >>>>>>>> setting can be easily overridden when necessary. > >>>>>>>> > >>>>>>>> But the @WebListner is missing in the ControlEventListner class. > >>> Also, > >>>>>> I > >>>>>>> am > >>>>>>>> unable to override the session timeout in web.xml even after > putting > >>>>>> the > >>>>>>>> @WebListner annotation in ControlEventListner class. > >>>>>>>> > >>>>>>>> Please let me know if this is a real issue or I am doing something > >>>>>> wrong? > >>>>>>>> Thanks & Regards > >>>>>>>> -- > >>>>>>>> Deepak Nigam > >>>>>>>> HotWax Systems Pvt. Ltd. > >>>>>>>> > > >