Session Timeout - Unconditional
-------------------------------
Key: JSEC-23
URL: https://issues.apache.org/jira/browse/JSEC-23
Project: JSecurity
Issue Type: Bug
Components: Session Management
Reporter: Todd Kofford

The SimpleSession class is expiring sessions unconditionally after the default
timeout of 30 minutes, regardless of any reads or writes to the session.

This issue is caused by the lastAccessTime field of the SimpleSession class not
being updated when a session attribute is read or written. Since session
expiration is dependent on the lastAccessTime value, this field needs to be
updated each time a session attribute is read or written to the session.

The fix for this issue would be to call the touch() method of the SimpleSession
class each time an attribute is read or written to the session. Since the
touch() method updates the lastAccessTime field with the current time, this
call is sufficient to perform the update that is required.
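
The reported behaviour and the proposed fix, sketched as an added example (not JSecurity's code and not part of the original report). `DemoSession`, its injectable clock and the `touchOnAccess` flag are hypothetical; only `touch()` and `lastAccessTime` mirror names from the issue. Expiry is checked before `touch()` so that an access cannot revive a session that has already timed out.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.function.LongSupplier;

// Hypothetical stand-in for a session with an idle timeout; not JSecurity's SimpleSession.
public class IdleTimeoutDemo {
    static class DemoSession {
        private final Map<String, Object> attributes = new HashMap<>();
        private final LongSupplier clock;     // injectable time source, in milliseconds
        private final long timeoutMillis;
        private final boolean touchOnAccess;  // false reproduces the behaviour in the report
        private long lastAccessTime;

        DemoSession(LongSupplier clock, long timeoutMillis, boolean touchOnAccess) {
            this.clock = clock;
            this.timeoutMillis = timeoutMillis;
            this.touchOnAccess = touchOnAccess;
            this.lastAccessTime = clock.getAsLong();
        }

        boolean isExpired() { return clock.getAsLong() - lastAccessTime >= timeoutMillis; }

        void touch() { lastAccessTime = clock.getAsLong(); }

        // Reject expired sessions first, then record the access.
        private void onAccess() {
            if (isExpired()) throw new IllegalStateException("session expired");
            if (touchOnAccess) touch();
        }

        Object getAttribute(String key) { onAccess(); return attributes.get(key); }
        void setAttribute(String key, Object value) { onAccess(); attributes.put(key, value); }
    }

    // Simulates a user reading an attribute every 10 minutes for 40 minutes (30-minute timeout).
    static boolean survivesActiveUse(boolean touchOnAccess) {
        long[] now = {0L};  // constructed fake clock
        long minute = 60_000L;
        DemoSession s = new DemoSession(() -> now[0], 30 * minute, touchOnAccess);
        s.setAttribute("user", "constructed-sample");
        try {
            for (int i = 0; i < 4; i++) { now[0] += 10 * minute; s.getAttribute("user"); }
            return true;
        } catch (IllegalStateException expired) {
            return false;
        }
    }

    public static void main(String[] args) {
        System.out.println("survives without touch(): " + survivesActiveUse(false));
        System.out.println("survives with touch():    " + survivesActiveUse(true));
    }
}
```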