[
https://issues.apache.org/jira/browse/JSEC-23?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Todd Kofford updated JSEC-23:
-----------------------------
Attachment: sessionExpiration.patch
This patch will solve the Unconditional Session Expiration/Timeout issue.
> Session Timeout - Unconditional
> -------------------------------
>
> Key: JSEC-23
> URL: https://issues.apache.org/jira/browse/JSEC-23
> Project: JSecurity
> Issue Type: Bug
> Components: Session Management
> Reporter: Todd Kofford
> Attachments: sessionExpiration.patch
>
> Original Estimate: 2h
> Remaining Estimate: 2h
>
> The SimpleSession class is expiring sessions unconditionally after the
> default timeout of 30 minutes, regardless of any reads or writes to the
> session.
> This issue is caused by the lastAccessTime field of the SimpleSession class
> not being updated when a session attribute is read or written. Since session
> expiration is dependent on the lastAccessTime value, this field needs to be
> updated each time a session attribute is read or written to the session.
> The fix for this issue would be to call the touch() method of the
> SimpleSession class each time an attribute is read or written to the session.
> Since the touch() method updates the lastAccessTime field with the current
> time, this call is sufficient to perform the update that is required.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
