Re: Session timeout for webapps

2019-01-12 Thread Jacques Le Roux 

Done, thanks Deepak

Jacques

Le 12/01/2019 à 07:24, Deepak Nigam a écrit :

Hi Jacques,

On double checking, I found that
/applications/marketing/webapp/marketing/WEB-INF/web.xml and
/applications/party/webapp/partymgr/WEB-INF/web.xml files have been missed.
Apart from that, I think we need to work for web.xml of various plugins
also.

Thanks & Regards
--
Deepak Nigam
HotWax Systems Pvt. Ltd


On Fri, Jan 11, 2019 at 9:58 PM Jacques Le Roux <
jacques.le.r...@les7arts.com> wrote:


Hi Guys,

Done, please double-check that I have not missed a web.xml files

Thanks

Jacques

Le 11/01/2019 à 11:34, Jacques Le Roux a écrit :

Thanks Guys,

I'll do this afternoon using OFBIZ-6655

Jacques

Le 11/01/2019 à 07:03, Deepak Nigam a écrit :

Thanks, Jacques and Girish.

Yes, it makes sense to get back to web.xml for the session timeout

value.

On Fri, Jan 11, 2019 at 11:13 AM Girish Vasmatkar <
girish.vasmat...@hotwaxsystems.com> wrote:


Hi Jacques

Yes, we should put back the session timeout declaration in web.xml.

Given

the fact that we can always mix web.xml and Annotation based

configuration,

it only makes sense to let web.xml decide the session timeout and even

if

we have the session listener (via web.xml declaration or Annotation),

we

should not programatically try to override the setting.

Thanks and Regards,
Girish


On Thu, Jan 10, 2019 at 7:14 PM Jacques Le Roux <
jacques.le.r...@les7arts.com> wrote:


Hi Deepak, Girish,

I had a look at the issue. The specifications of Java Servlet
Specification 3.0 don't include an annotation to change the session

time

out.

  https://www.baeldung.com/servlet-session-timeout



https://stackoverflow.com/questions/20389833/session-timeout-config-with-no-web-xml-file

I think the best solution is to put back what we had before, ie set

it to

a value (it was 1 hour before) in all web.xml file and remove the

  session.setMaxInactiveInterval(60*60); //in seconds

line in ControlEventListener::sessionCreated

I thought about keeping this line if a check to null for the session
timeout value (from web.xml) was positive.
But by default Tomcat sets it to 30 min (so it's never null) and it's
possible but hard to change in OFBiz (eg to a known specific

extraordinary

value
that could be checked instead of null as above)
So it could be confusing and anyway best practice is to prefer

convention

over configuration, even if in this case it's much redundant.

I think we can reopen OFBIZ-6655 and handle it there, with an

explanation.

Other ideas?

Jacques

Le 09/01/2019 à 10:11, Girish Vasmatkar a écrit :

Hi Deepak

By the time sessionCreated is called in an HttpSessionListener, the

session

has already been created. I am sure if you try to get the HttpSession

from

the HttpSessionEvent object, it will have what you defined in
 tag.

But the code is overriding the timeout using setMaxInactiveInterval

to

1

hour that is why it is looking like web.xml is not being given
precedence over programmatic session configuration.

Whether web.xml takes precedence over annotation does not apply in

this

case because anyway the session timeout value is being overridden by

the

code. The tomcat container definitely reads session-timeout from

web.xml

and assigns timeout for the session accordingly. But since a listener

is

configured for session lifecycle management, it invokes the method

and

there the session value is being overridden.

Try to set 2 minutes session timeout in web.xml and remove
session.setMaxInactiveInterval(60*60).
I would say you will be logged out after 2 minutes. If that is not

the

case, pl let me know.

I hope I understood your question and problem correctly.

Best,
Girish



On Wed, Jan 9, 2019 at 1:53 PM Deepak Nigam <

deepak.nigam1...@gmail.com>

wrote:


Thanks, Jacques.

Apart from the hardcoded thing, I am not able to override the

session

timeout value using  tag in web.xml.

On Tue, Jan 8, 2019 at 1:55 PM Jacques Le Roux <
jacques.le.r...@les7arts.com>
wrote:


Hi Deepak,

You are right, it's hardcoded and should not. I have no time to go

further

at the moment, but I'll ASAP

Thanks

Jacques

Le 08/01/2019 à 06:10, Deepak Nigam a écrit :

Hello all,

I tried to set the session timeout for the 'ecommerce' and the
'webtools' components using  of web.xml, but

unable

to

do

so. Session for the logged-in user remains active even after the

set

time.

On further research, I found that we did some changes in this area

in

the

ticket OFBIZ-6655 <

https://issues.apache.org/jira/browse/OFBIZ-6655

.

We

have hard coded the session timeout (1 hr) in the sessionCreated()

method

of ControlEventListner class. As per the comments in the Jira

ticket,

session timeout declarations in web.xml have been removed by the

use

of @WebListner annotation. This is to avoid duplicates things

everywhere

in

web.xml files. Since the web.xml files have precedence on

annotations,

the

setting can be easily overridden when necessary.

But the

Re: Session timeout for webapps

2019-01-11 Thread Deepak Nigam 
Hi Jacques,

On double checking, I found that
/applications/marketing/webapp/marketing/WEB-INF/web.xml and
/applications/party/webapp/partymgr/WEB-INF/web.xml files have been missed.
Apart from that, I think we need to work for web.xml of various plugins
also.

Thanks & Regards
--
Deepak Nigam
HotWax Systems Pvt. Ltd


On Fri, Jan 11, 2019 at 9:58 PM Jacques Le Roux <
jacques.le.r...@les7arts.com> wrote:

> Hi Guys,
>
> Done, please double-check that I have not missed a web.xml files
>
> Thanks
>
> Jacques
>
> Le 11/01/2019 à 11:34, Jacques Le Roux a écrit :
> > Thanks Guys,
> >
> > I'll do this afternoon using OFBIZ-6655
> >
> > Jacques
> >
> > Le 11/01/2019 à 07:03, Deepak Nigam a écrit :
> >> Thanks, Jacques and Girish.
> >>
> >> Yes, it makes sense to get back to web.xml for the session timeout
> value.
> >>
> >> On Fri, Jan 11, 2019 at 11:13 AM Girish Vasmatkar <
> >> girish.vasmat...@hotwaxsystems.com> wrote:
> >>
> >>> Hi Jacques
> >>>
> >>> Yes, we should put back the session timeout declaration in web.xml.
> Given
> >>> the fact that we can always mix web.xml and Annotation based
> configuration,
> >>> it only makes sense to let web.xml decide the session timeout and even
> if
> >>> we have the session listener (via web.xml declaration or Annotation),
> we
> >>> should not programatically try to override the setting.
> >>>
> >>> Thanks and Regards,
> >>> Girish
> >>>
> >>>
> >>> On Thu, Jan 10, 2019 at 7:14 PM Jacques Le Roux <
> >>> jacques.le.r...@les7arts.com> wrote:
> >>>
>  Hi Deepak, Girish,
> 
>  I had a look at the issue. The specifications of Java Servlet
>  Specification 3.0 don't include an annotation to change the session
> time
>  out.
> 
>   https://www.baeldung.com/servlet-session-timeout
> 
> 
> >>>
> https://stackoverflow.com/questions/20389833/session-timeout-config-with-no-web-xml-file
>  I think the best solution is to put back what we had before, ie set
> it to
>  a value (it was 1 hour before) in all web.xml file and remove the
> 
>   session.setMaxInactiveInterval(60*60); //in seconds
> 
>  line in ControlEventListener::sessionCreated
> 
>  I thought about keeping this line if a check to null for the session
>  timeout value (from web.xml) was positive.
>  But by default Tomcat sets it to 30 min (so it's never null) and it's
>  possible but hard to change in OFBiz (eg to a known specific
> >>> extraordinary
>  value
>  that could be checked instead of null as above)
>  So it could be confusing and anyway best practice is to prefer
> convention
>  over configuration, even if in this case it's much redundant.
> 
>  I think we can reopen OFBIZ-6655 and handle it there, with an
> >>> explanation.
>  Other ideas?
> 
>  Jacques
> 
>  Le 09/01/2019 à 10:11, Girish Vasmatkar a écrit :
> > Hi Deepak
> >
> > By the time sessionCreated is called in an HttpSessionListener, the
>  session
> > has already been created. I am sure if you try to get the HttpSession
>  from
> > the HttpSessionEvent object, it will have what you defined in
> >  tag.
> >
> > But the code is overriding the timeout using setMaxInactiveInterval
> to
> >>> 1
> > hour that is why it is looking like web.xml is not being given
> > precedence over programmatic session configuration.
> >
> > Whether web.xml takes precedence over annotation does not apply in
> this
> > case because anyway the session timeout value is being overridden by
> >>> the
> > code. The tomcat container definitely reads session-timeout from
> >>> web.xml
> > and assigns timeout for the session accordingly. But since a listener
> >>> is
> > configured for session lifecycle management, it invokes the method
> and
> > there the session value is being overridden.
> >
> > Try to set 2 minutes session timeout in web.xml and remove
> > session.setMaxInactiveInterval(60*60).
> > I would say you will be logged out after 2 minutes. If that is not
> the
> > case, pl let me know.
> >
> > I hope I understood your question and problem correctly.
> >
> > Best,
> > Girish
> >
> >
> >
> > On Wed, Jan 9, 2019 at 1:53 PM Deepak Nigam <
> >>> deepak.nigam1...@gmail.com>
> > wrote:
> >
> >> Thanks, Jacques.
> >>
> >> Apart from the hardcoded thing, I am not able to override the
> session
> >> timeout value using  tag in web.xml.
> >>
> >> On Tue, Jan 8, 2019 at 1:55 PM Jacques Le Roux <
> >> jacques.le.r...@les7arts.com>
> >> wrote:
> >>
> >>> Hi Deepak,
> >>>
> >>> You are right, it's hardcoded and should not. I have no time to go
> >> further
> >>> at the moment, but I'll ASAP
> >>>
> >>> Thanks
> >>>
> >>> Jacques
> >>>
> >>> Le 08/01/2019 à 06:10, Deepak Nigam a écrit :
>  Hello all,
> 
>  I

Re: Session timeout for webapps

2019-01-11 Thread Jacques Le Roux 

Hi Guys,

Done, please double-check that I have not missed a web.xml files

Thanks

Jacques

Le 11/01/2019 à 11:34, Jacques Le Roux a écrit :

Thanks Guys,

I'll do this afternoon using OFBIZ-6655

Jacques

Le 11/01/2019 à 07:03, Deepak Nigam a écrit :

Thanks, Jacques and Girish.

Yes, it makes sense to get back to web.xml for the session timeout value.

On Fri, Jan 11, 2019 at 11:13 AM Girish Vasmatkar <
girish.vasmat...@hotwaxsystems.com> wrote:


Hi Jacques

Yes, we should put back the session timeout declaration in web.xml. Given
the fact that we can always mix web.xml and Annotation based configuration,
it only makes sense to let web.xml decide the session timeout and even if
we have the session listener (via web.xml declaration or Annotation), we
should not programatically try to override the setting.

Thanks and Regards,
Girish


On Thu, Jan 10, 2019 at 7:14 PM Jacques Le Roux <
jacques.le.r...@les7arts.com> wrote:


Hi Deepak, Girish,

I had a look at the issue. The specifications of Java Servlet
Specification 3.0 don't include an annotation to change the session time
out.

 https://www.baeldung.com/servlet-session-timeout



https://stackoverflow.com/questions/20389833/session-timeout-config-with-no-web-xml-file

I think the best solution is to put back what we had before, ie set it to
a value (it was 1 hour before) in all web.xml file and remove the

 session.setMaxInactiveInterval(60*60); //in seconds

line in ControlEventListener::sessionCreated

I thought about keeping this line if a check to null for the session
timeout value (from web.xml) was positive.
But by default Tomcat sets it to 30 min (so it's never null) and it's
possible but hard to change in OFBiz (eg to a known specific

extraordinary

value
that could be checked instead of null as above)
So it could be confusing and anyway best practice is to prefer convention
over configuration, even if in this case it's much redundant.

I think we can reopen OFBIZ-6655 and handle it there, with an

explanation.

Other ideas?

Jacques

Le 09/01/2019 à 10:11, Girish Vasmatkar a écrit :

Hi Deepak

By the time sessionCreated is called in an HttpSessionListener, the

session

has already been created. I am sure if you try to get the HttpSession

from

the HttpSessionEvent object, it will have what you defined in
 tag.

But the code is overriding the timeout using setMaxInactiveInterval to

1

hour that is why it is looking like web.xml is not being given
precedence over programmatic session configuration.

Whether web.xml takes precedence over annotation does not apply in this
case because anyway the session timeout value is being overridden by

the

code. The tomcat container definitely reads session-timeout from

web.xml

and assigns timeout for the session accordingly. But since a listener

is

configured for session lifecycle management, it invokes the method and
there the session value is being overridden.

Try to set 2 minutes session timeout in web.xml and remove
session.setMaxInactiveInterval(60*60).
I would say you will be logged out after 2 minutes. If that is not the
case, pl let me know.

I hope I understood your question and problem correctly.

Best,
Girish



On Wed, Jan 9, 2019 at 1:53 PM Deepak Nigam <

deepak.nigam1...@gmail.com>

wrote:


Thanks, Jacques.

Apart from the hardcoded thing, I am not able to override the session
timeout value using  tag in web.xml.

On Tue, Jan 8, 2019 at 1:55 PM Jacques Le Roux <
jacques.le.r...@les7arts.com>
wrote:


Hi Deepak,

You are right, it's hardcoded and should not. I have no time to go

further

at the moment, but I'll ASAP

Thanks

Jacques

Le 08/01/2019 à 06:10, Deepak Nigam a écrit :

Hello all,

I tried to set the session timeout for the 'ecommerce' and the
'webtools' components using  of web.xml, but unable

to

do

so. Session for the logged-in user remains active even after the set

time.

On further research, I found that we did some changes in this area

in

the

ticket OFBIZ-6655

Re: Session timeout for webapps

2019-01-11 Thread Jacques Le Roux 

Thanks Guys,

I'll do this afternoon using OFBIZ-6655

Jacques

Le 11/01/2019 à 07:03, Deepak Nigam a écrit :

Thanks, Jacques and Girish.

Yes, it makes sense to get back to web.xml for the session timeout value.

On Fri, Jan 11, 2019 at 11:13 AM Girish Vasmatkar <
girish.vasmat...@hotwaxsystems.com> wrote:


Hi Jacques

Yes, we should put back the session timeout declaration in web.xml. Given
the fact that we can always mix web.xml and Annotation based configuration,
it only makes sense to let web.xml decide the session timeout and even if
we have the session listener (via web.xml declaration or Annotation), we
should not programatically try to override the setting.

Thanks and Regards,
Girish


On Thu, Jan 10, 2019 at 7:14 PM Jacques Le Roux <
jacques.le.r...@les7arts.com> wrote:


Hi Deepak, Girish,

I had a look at the issue. The specifications of Java Servlet
Specification 3.0 don't include an annotation to change the session time
out.

 https://www.baeldung.com/servlet-session-timeout



https://stackoverflow.com/questions/20389833/session-timeout-config-with-no-web-xml-file

I think the best solution is to put back what we had before, ie set it to
a value (it was 1 hour before) in all web.xml file and remove the

 session.setMaxInactiveInterval(60*60); //in seconds

line in ControlEventListener::sessionCreated

I thought about keeping this line if a check to null for the session
timeout value (from web.xml) was positive.
But by default Tomcat sets it to 30 min (so it's never null) and it's
possible but hard to change in OFBiz (eg to a known specific

extraordinary

value
that could be checked instead of null as above)
So it could be confusing and anyway best practice is to prefer convention
over configuration, even if in this case it's much redundant.

I think we can reopen OFBIZ-6655 and handle it there, with an

explanation.

Other ideas?

Jacques

Le 09/01/2019 à 10:11, Girish Vasmatkar a écrit :

Hi Deepak

By the time sessionCreated is called in an HttpSessionListener, the

session

has already been created. I am sure if you try to get the HttpSession

from

the HttpSessionEvent object, it will have what you defined in
 tag.

But the code is overriding the timeout using setMaxInactiveInterval to

1

hour that is why it is looking like web.xml is not being given
precedence over programmatic session configuration.

Whether web.xml takes precedence over annotation does not apply in this
case because anyway the session timeout value is being overridden by

the

code. The tomcat container definitely reads session-timeout from

web.xml

and assigns timeout for the session accordingly. But since a listener

is

configured for session lifecycle management, it invokes the method and
there the session value is being overridden.

Try to set 2 minutes session timeout in web.xml and remove
session.setMaxInactiveInterval(60*60).
I would say you will be logged out after 2 minutes. If that is not the
case, pl let me know.

I hope I understood your question and problem correctly.

Best,
Girish



On Wed, Jan 9, 2019 at 1:53 PM Deepak Nigam <

deepak.nigam1...@gmail.com>

wrote:


Thanks, Jacques.

Apart from the hardcoded thing, I am not able to override the session
timeout value using  tag in web.xml.

On Tue, Jan 8, 2019 at 1:55 PM Jacques Le Roux <
jacques.le.r...@les7arts.com>
wrote:


Hi Deepak,

You are right, it's hardcoded and should not. I have no time to go

further

at the moment, but I'll ASAP

Thanks

Jacques

Le 08/01/2019 à 06:10, Deepak Nigam a écrit :

Hello all,

I tried to set the session timeout for the 'ecommerce' and the
'webtools' components using  of web.xml, but unable

to

do

so. Session for the logged-in user remains active even after the set

time.

On further research, I found that we did some changes in this area

in

the

ticket OFBIZ-6655

Re: Session timeout for webapps

2019-01-10 Thread Deepak Nigam 
Thanks, Jacques and Girish.

Yes, it makes sense to get back to web.xml for the session timeout value.

On Fri, Jan 11, 2019 at 11:13 AM Girish Vasmatkar <
girish.vasmat...@hotwaxsystems.com> wrote:

> Hi Jacques
>
> Yes, we should put back the session timeout declaration in web.xml. Given
> the fact that we can always mix web.xml and Annotation based configuration,
> it only makes sense to let web.xml decide the session timeout and even if
> we have the session listener (via web.xml declaration or Annotation), we
> should not programatically try to override the setting.
>
> Thanks and Regards,
> Girish
>
>
> On Thu, Jan 10, 2019 at 7:14 PM Jacques Le Roux <
> jacques.le.r...@les7arts.com> wrote:
>
> > Hi Deepak, Girish,
> >
> > I had a look at the issue. The specifications of Java Servlet
> > Specification 3.0 don't include an annotation to change the session time
> > out.
> >
> > https://www.baeldung.com/servlet-session-timeout
> >
> >
> https://stackoverflow.com/questions/20389833/session-timeout-config-with-no-web-xml-file
> >
> > I think the best solution is to put back what we had before, ie set it to
> > a value (it was 1 hour before) in all web.xml file and remove the
> >
> > session.setMaxInactiveInterval(60*60); //in seconds
> >
> > line in ControlEventListener::sessionCreated
> >
> > I thought about keeping this line if a check to null for the session
> > timeout value (from web.xml) was positive.
> > But by default Tomcat sets it to 30 min (so it's never null) and it's
> > possible but hard to change in OFBiz (eg to a known specific
> extraordinary
> > value
> > that could be checked instead of null as above)
> > So it could be confusing and anyway best practice is to prefer convention
> > over configuration, even if in this case it's much redundant.
> >
> > I think we can reopen OFBIZ-6655 and handle it there, with an
> explanation.
> >
> > Other ideas?
> >
> > Jacques
> >
> > Le 09/01/2019 à 10:11, Girish Vasmatkar a écrit :
> > > Hi Deepak
> > >
> > > By the time sessionCreated is called in an HttpSessionListener, the
> > session
> > > has already been created. I am sure if you try to get the HttpSession
> > from
> > > the HttpSessionEvent object, it will have what you defined in
> > >  tag.
> > >
> > > But the code is overriding the timeout using setMaxInactiveInterval to
> 1
> > > hour that is why it is looking like web.xml is not being given
> > > precedence over programmatic session configuration.
> > >
> > > Whether web.xml takes precedence over annotation does not apply in this
> > > case because anyway the session timeout value is being overridden by
> the
> > > code. The tomcat container definitely reads session-timeout from
> web.xml
> > > and assigns timeout for the session accordingly. But since a listener
> is
> > > configured for session lifecycle management, it invokes the method and
> > > there the session value is being overridden.
> > >
> > > Try to set 2 minutes session timeout in web.xml and remove
> > > session.setMaxInactiveInterval(60*60).
> > > I would say you will be logged out after 2 minutes. If that is not the
> > > case, pl let me know.
> > >
> > > I hope I understood your question and problem correctly.
> > >
> > > Best,
> > > Girish
> > >
> > >
> > >
> > > On Wed, Jan 9, 2019 at 1:53 PM Deepak Nigam <
> deepak.nigam1...@gmail.com>
> > > wrote:
> > >
> > >> Thanks, Jacques.
> > >>
> > >> Apart from the hardcoded thing, I am not able to override the session
> > >> timeout value using  tag in web.xml.
> > >>
> > >> On Tue, Jan 8, 2019 at 1:55 PM Jacques Le Roux <
> > >> jacques.le.r...@les7arts.com>
> > >> wrote:
> > >>
> > >>> Hi Deepak,
> > >>>
> > >>> You are right, it's hardcoded and should not. I have no time to go
> > >> further
> > >>> at the moment, but I'll ASAP
> > >>>
> > >>> Thanks
> > >>>
> > >>> Jacques
> > >>>
> > >>> Le 08/01/2019 à 06:10, Deepak Nigam a écrit :
> >  Hello all,
> > 
> >  I tried to set the session timeout for the 'ecommerce' and the
> >  'webtools' components using  of web.xml, but unable
> to
> > >> do
> >  so. Session for the logged-in user remains active even after the set
> > >>> time.
> >  On further research, I found that we did some changes in this area
> in
> > >> the
> >  ticket OFBIZ-6655  >.
> > >> We
> >  have hard coded the session timeout (1 hr) in the sessionCreated()
> > >> method
> >  of ControlEventListner class. As per the comments in the Jira
> ticket,
> >  session timeout declarations in web.xml have been removed by the use
> >  of @WebListner annotation. This is to avoid duplicates things
> > >> everywhere
> > >>> in
> >  web.xml files. Since the web.xml files have precedence on
> annotations,
> > >>> the
> >  setting can be easily overridden when necessary.
> > 
> >  But the @WebListner is missing in the ControlEventListner class.
> Also,
> > >> I
> > >>> am
> >  unable to override the

Re: Session timeout for webapps

2019-01-10 Thread Girish Vasmatkar 
Hi Jacques

Yes, we should put back the session timeout declaration in web.xml. Given
the fact that we can always mix web.xml and Annotation based configuration,
it only makes sense to let web.xml decide the session timeout and even if
we have the session listener (via web.xml declaration or Annotation), we
should not programatically try to override the setting.

Thanks and Regards,
Girish


On Thu, Jan 10, 2019 at 7:14 PM Jacques Le Roux <
jacques.le.r...@les7arts.com> wrote:

> Hi Deepak, Girish,
>
> I had a look at the issue. The specifications of Java Servlet
> Specification 3.0 don't include an annotation to change the session time
> out.
>
> https://www.baeldung.com/servlet-session-timeout
>
> https://stackoverflow.com/questions/20389833/session-timeout-config-with-no-web-xml-file
>
> I think the best solution is to put back what we had before, ie set it to
> a value (it was 1 hour before) in all web.xml file and remove the
>
> session.setMaxInactiveInterval(60*60); //in seconds
>
> line in ControlEventListener::sessionCreated
>
> I thought about keeping this line if a check to null for the session
> timeout value (from web.xml) was positive.
> But by default Tomcat sets it to 30 min (so it's never null) and it's
> possible but hard to change in OFBiz (eg to a known specific extraordinary
> value
> that could be checked instead of null as above)
> So it could be confusing and anyway best practice is to prefer convention
> over configuration, even if in this case it's much redundant.
>
> I think we can reopen OFBIZ-6655 and handle it there, with an explanation.
>
> Other ideas?
>
> Jacques
>
> Le 09/01/2019 à 10:11, Girish Vasmatkar a écrit :
> > Hi Deepak
> >
> > By the time sessionCreated is called in an HttpSessionListener, the
> session
> > has already been created. I am sure if you try to get the HttpSession
> from
> > the HttpSessionEvent object, it will have what you defined in
> >  tag.
> >
> > But the code is overriding the timeout using setMaxInactiveInterval to 1
> > hour that is why it is looking like web.xml is not being given
> > precedence over programmatic session configuration.
> >
> > Whether web.xml takes precedence over annotation does not apply in this
> > case because anyway the session timeout value is being overridden by the
> > code. The tomcat container definitely reads session-timeout from web.xml
> > and assigns timeout for the session accordingly. But since a listener is
> > configured for session lifecycle management, it invokes the method and
> > there the session value is being overridden.
> >
> > Try to set 2 minutes session timeout in web.xml and remove
> > session.setMaxInactiveInterval(60*60).
> > I would say you will be logged out after 2 minutes. If that is not the
> > case, pl let me know.
> >
> > I hope I understood your question and problem correctly.
> >
> > Best,
> > Girish
> >
> >
> >
> > On Wed, Jan 9, 2019 at 1:53 PM Deepak Nigam 
> > wrote:
> >
> >> Thanks, Jacques.
> >>
> >> Apart from the hardcoded thing, I am not able to override the session
> >> timeout value using  tag in web.xml.
> >>
> >> On Tue, Jan 8, 2019 at 1:55 PM Jacques Le Roux <
> >> jacques.le.r...@les7arts.com>
> >> wrote:
> >>
> >>> Hi Deepak,
> >>>
> >>> You are right, it's hardcoded and should not. I have no time to go
> >> further
> >>> at the moment, but I'll ASAP
> >>>
> >>> Thanks
> >>>
> >>> Jacques
> >>>
> >>> Le 08/01/2019 à 06:10, Deepak Nigam a écrit :
>  Hello all,
> 
>  I tried to set the session timeout for the 'ecommerce' and the
>  'webtools' components using  of web.xml, but unable to
> >> do
>  so. Session for the logged-in user remains active even after the set
> >>> time.
>  On further research, I found that we did some changes in this area in
> >> the
>  ticket OFBIZ-6655 .
> >> We
>  have hard coded the session timeout (1 hr) in the sessionCreated()
> >> method
>  of ControlEventListner class. As per the comments in the Jira ticket,
>  session timeout declarations in web.xml have been removed by the use
>  of @WebListner annotation. This is to avoid duplicates things
> >> everywhere
> >>> in
>  web.xml files. Since the web.xml files have precedence on annotations,
> >>> the
>  setting can be easily overridden when necessary.
> 
>  But the @WebListner is missing in the ControlEventListner class. Also,
> >> I
> >>> am
>  unable to override the session timeout in web.xml even after putting
> >> the
>  @WebListner annotation in ControlEventListner class.
> 
>  Please let me know if this is a real issue or I am doing something
> >> wrong?
>  Thanks & Regards
>  --
>  Deepak Nigam
>  HotWax Systems Pvt. Ltd.
> 
>

Re: Session timeout for webapps

2019-01-10 Thread Jacques Le Roux 

Hi Deepak, Girish,

I had a look at the issue. The specifications of Java Servlet Specification 3.0 
don't include an annotation to change the session time out.

   https://www.baeldung.com/servlet-session-timeout
   
https://stackoverflow.com/questions/20389833/session-timeout-config-with-no-web-xml-file

I think the best solution is to put back what we had before, ie set it to a 
value (it was 1 hour before) in all web.xml file and remove the

   session.setMaxInactiveInterval(60*60); //in seconds

line in ControlEventListener::sessionCreated

I thought about keeping this line if a check to null for the session timeout 
value (from web.xml) was positive.
But by default Tomcat sets it to 30 min (so it's never null) and it's possible but hard to change in OFBiz (eg to a known specific extraordinary value 
that could be checked instead of null as above)

So it could be confusing and anyway best practice is to prefer convention over 
configuration, even if in this case it's much redundant.

I think we can reopen OFBIZ-6655 and handle it there, with an explanation.

Other ideas?

Jacques

Le 09/01/2019 à 10:11, Girish Vasmatkar a écrit :

Hi Deepak

By the time sessionCreated is called in an HttpSessionListener, the session
has already been created. I am sure if you try to get the HttpSession from
the HttpSessionEvent object, it will have what you defined in
 tag.

But the code is overriding the timeout using setMaxInactiveInterval to 1
hour that is why it is looking like web.xml is not being given
precedence over programmatic session configuration.

Whether web.xml takes precedence over annotation does not apply in this
case because anyway the session timeout value is being overridden by the
code. The tomcat container definitely reads session-timeout from web.xml
and assigns timeout for the session accordingly. But since a listener is
configured for session lifecycle management, it invokes the method and
there the session value is being overridden.

Try to set 2 minutes session timeout in web.xml and remove
session.setMaxInactiveInterval(60*60).
I would say you will be logged out after 2 minutes. If that is not the
case, pl let me know.

I hope I understood your question and problem correctly.

Best,
Girish



On Wed, Jan 9, 2019 at 1:53 PM Deepak Nigam 
wrote:


Thanks, Jacques.

Apart from the hardcoded thing, I am not able to override the session
timeout value using  tag in web.xml.

On Tue, Jan 8, 2019 at 1:55 PM Jacques Le Roux <
jacques.le.r...@les7arts.com>
wrote:


Hi Deepak,

You are right, it's hardcoded and should not. I have no time to go

further

at the moment, but I'll ASAP

Thanks

Jacques

Le 08/01/2019 à 06:10, Deepak Nigam a écrit :

Hello all,

I tried to set the session timeout for the 'ecommerce' and the
'webtools' components using  of web.xml, but unable to

do

so. Session for the logged-in user remains active even after the set

time.

On further research, I found that we did some changes in this area in

the

ticket OFBIZ-6655 .

We

have hard coded the session timeout (1 hr) in the sessionCreated()

method

of ControlEventListner class. As per the comments in the Jira ticket,
session timeout declarations in web.xml have been removed by the use
of @WebListner annotation. This is to avoid duplicates things

everywhere

in

web.xml files. Since the web.xml files have precedence on annotations,

the

setting can be easily overridden when necessary.

But the @WebListner is missing in the ControlEventListner class. Also,

I

am

unable to override the session timeout in web.xml even after putting

the

@WebListner annotation in ControlEventListner class.

Please let me know if this is a real issue or I am doing something

wrong?

Thanks & Regards
--
Deepak Nigam
HotWax Systems Pvt. Ltd.

Re: Session timeout for webapps

2019-01-09 Thread Jacques Le Roux 

Thanks Girish,

I saw your message after sending about creating a Jira and asking for ideas. This sounds like the ideas I was looking for and I can foresee an 
implementation


Jacques

Le 09/01/2019 à 10:11, Girish Vasmatkar a écrit :

Hi Deepak

By the time sessionCreated is called in an HttpSessionListener, the session
has already been created. I am sure if you try to get the HttpSession from
the HttpSessionEvent object, it will have what you defined in
 tag.

But the code is overriding the timeout using setMaxInactiveInterval to 1
hour that is why it is looking like web.xml is not being given
precedence over programmatic session configuration.

Whether web.xml takes precedence over annotation does not apply in this
case because anyway the session timeout value is being overridden by the
code. The tomcat container definitely reads session-timeout from web.xml
and assigns timeout for the session accordingly. But since a listener is
configured for session lifecycle management, it invokes the method and
there the session value is being overridden.

Try to set 2 minutes session timeout in web.xml and remove
session.setMaxInactiveInterval(60*60).
I would say you will be logged out after 2 minutes. If that is not the
case, pl let me know.

I hope I understood your question and problem correctly.

Best,
Girish



On Wed, Jan 9, 2019 at 1:53 PM Deepak Nigam 
wrote:


Thanks, Jacques.

Apart from the hardcoded thing, I am not able to override the session
timeout value using  tag in web.xml.

On Tue, Jan 8, 2019 at 1:55 PM Jacques Le Roux <
jacques.le.r...@les7arts.com>
wrote:


Hi Deepak,

You are right, it's hardcoded and should not. I have no time to go

further

at the moment, but I'll ASAP

Thanks

Jacques

Le 08/01/2019 à 06:10, Deepak Nigam a écrit :

Hello all,

I tried to set the session timeout for the 'ecommerce' and the
'webtools' components using  of web.xml, but unable to

do

so. Session for the logged-in user remains active even after the set

time.

On further research, I found that we did some changes in this area in

the

ticket OFBIZ-6655 .

We

have hard coded the session timeout (1 hr) in the sessionCreated()

method

of ControlEventListner class. As per the comments in the Jira ticket,
session timeout declarations in web.xml have been removed by the use
of @WebListner annotation. This is to avoid duplicates things

everywhere

in

web.xml files. Since the web.xml files have precedence on annotations,

the

setting can be easily overridden when necessary.

But the @WebListner is missing in the ControlEventListner class. Also,

I

am

unable to override the session timeout in web.xml even after putting

the

@WebListner annotation in ControlEventListner class.

Please let me know if this is a real issue or I am doing something

wrong?

Thanks & Regards
--
Deepak Nigam
HotWax Systems Pvt. Ltd.

Re: Session timeout for webapps

2019-01-09 Thread Jacques Le Roux 

Hi Deepak,

I'll soon create a Jira and have a look at it. All ideas are welcome ;)

Jacques

Le 09/01/2019 à 09:16, Deepak Nigam a écrit :

Thanks, Jacques.

Apart from the hardcoded thing, I am not able to override the session
timeout value using  tag in web.xml.

On Tue, Jan 8, 2019 at 1:55 PM Jacques Le Roux 
wrote:


Hi Deepak,

You are right, it's hardcoded and should not. I have no time to go further
at the moment, but I'll ASAP

Thanks

Jacques

Le 08/01/2019 à 06:10, Deepak Nigam a écrit :

Hello all,

I tried to set the session timeout for the 'ecommerce' and the
'webtools' components using  of web.xml, but unable to do
so. Session for the logged-in user remains active even after the set

time.

On further research, I found that we did some changes in this area in the
ticket OFBIZ-6655 . We
have hard coded the session timeout (1 hr) in the sessionCreated() method
of ControlEventListner class. As per the comments in the Jira ticket,
session timeout declarations in web.xml have been removed by the use
of @WebListner annotation. This is to avoid duplicates things everywhere

in

web.xml files. Since the web.xml files have precedence on annotations,

the

setting can be easily overridden when necessary.

But the @WebListner is missing in the ControlEventListner class. Also, I

am

unable to override the session timeout in web.xml even after putting the
@WebListner annotation in ControlEventListner class.

Please let me know if this is a real issue or I am doing something wrong?

Thanks & Regards
--
Deepak Nigam
HotWax Systems Pvt. Ltd.

Re: Session timeout for webapps

2019-01-09 Thread Girish Vasmatkar 
Hi Deepak

By the time sessionCreated is called in an HttpSessionListener, the session
has already been created. I am sure if you try to get the HttpSession from
the HttpSessionEvent object, it will have what you defined in
 tag.

But the code is overriding the timeout using setMaxInactiveInterval to 1
hour that is why it is looking like web.xml is not being given
precedence over programmatic session configuration.

Whether web.xml takes precedence over annotation does not apply in this
case because anyway the session timeout value is being overridden by the
code. The tomcat container definitely reads session-timeout from web.xml
and assigns timeout for the session accordingly. But since a listener is
configured for session lifecycle management, it invokes the method and
there the session value is being overridden.

Try to set 2 minutes session timeout in web.xml and remove
session.setMaxInactiveInterval(60*60).
I would say you will be logged out after 2 minutes. If that is not the
case, pl let me know.

I hope I understood your question and problem correctly.

Best,
Girish



On Wed, Jan 9, 2019 at 1:53 PM Deepak Nigam 
wrote:

> Thanks, Jacques.
>
> Apart from the hardcoded thing, I am not able to override the session
> timeout value using  tag in web.xml.
>
> On Tue, Jan 8, 2019 at 1:55 PM Jacques Le Roux <
> jacques.le.r...@les7arts.com>
> wrote:
>
> > Hi Deepak,
> >
> > You are right, it's hardcoded and should not. I have no time to go
> further
> > at the moment, but I'll ASAP
> >
> > Thanks
> >
> > Jacques
> >
> > Le 08/01/2019 à 06:10, Deepak Nigam a écrit :
> > > Hello all,
> > >
> > > I tried to set the session timeout for the 'ecommerce' and the
> > > 'webtools' components using  of web.xml, but unable to
> do
> > > so. Session for the logged-in user remains active even after the set
> > time.
> > >
> > > On further research, I found that we did some changes in this area in
> the
> > > ticket OFBIZ-6655 .
> We
> > > have hard coded the session timeout (1 hr) in the sessionCreated()
> method
> > > of ControlEventListner class. As per the comments in the Jira ticket,
> > > session timeout declarations in web.xml have been removed by the use
> > > of @WebListner annotation. This is to avoid duplicates things
> everywhere
> > in
> > > web.xml files. Since the web.xml files have precedence on annotations,
> > the
> > > setting can be easily overridden when necessary.
> > >
> > > But the @WebListner is missing in the ControlEventListner class. Also,
> I
> > am
> > > unable to override the session timeout in web.xml even after putting
> the
> > > @WebListner annotation in ControlEventListner class.
> > >
> > > Please let me know if this is a real issue or I am doing something
> wrong?
> > >
> > > Thanks & Regards
> > > --
> > > Deepak Nigam
> > > HotWax Systems Pvt. Ltd.
> > >
> >
>

Re: Session timeout for webapps

2019-01-09 Thread Deepak Nigam 
Thanks, Jacques.

Apart from the hardcoded thing, I am not able to override the session
timeout value using  tag in web.xml.

On Tue, Jan 8, 2019 at 1:55 PM Jacques Le Roux 
wrote:

> Hi Deepak,
>
> You are right, it's hardcoded and should not. I have no time to go further
> at the moment, but I'll ASAP
>
> Thanks
>
> Jacques
>
> Le 08/01/2019 à 06:10, Deepak Nigam a écrit :
> > Hello all,
> >
> > I tried to set the session timeout for the 'ecommerce' and the
> > 'webtools' components using  of web.xml, but unable to do
> > so. Session for the logged-in user remains active even after the set
> time.
> >
> > On further research, I found that we did some changes in this area in the
> > ticket OFBIZ-6655 . We
> > have hard coded the session timeout (1 hr) in the sessionCreated() method
> > of ControlEventListner class. As per the comments in the Jira ticket,
> > session timeout declarations in web.xml have been removed by the use
> > of @WebListner annotation. This is to avoid duplicates things everywhere
> in
> > web.xml files. Since the web.xml files have precedence on annotations,
> the
> > setting can be easily overridden when necessary.
> >
> > But the @WebListner is missing in the ControlEventListner class. Also, I
> am
> > unable to override the session timeout in web.xml even after putting the
> > @WebListner annotation in ControlEventListner class.
> >
> > Please let me know if this is a real issue or I am doing something wrong?
> >
> > Thanks & Regards
> > --
> > Deepak Nigam
> > HotWax Systems Pvt. Ltd.
> >
>

Re: Session timeout for webapps

2019-01-08 Thread Jacques Le Roux 

Hi Deepak,

You are right, it's hardcoded and should not. I have no time to go further at 
the moment, but I'll ASAP

Thanks

Jacques

Le 08/01/2019 à 06:10, Deepak Nigam a écrit :

Hello all,

I tried to set the session timeout for the 'ecommerce' and the
'webtools' components using  of web.xml, but unable to do
so. Session for the logged-in user remains active even after the set time.

On further research, I found that we did some changes in this area in the
ticket OFBIZ-6655 . We
have hard coded the session timeout (1 hr) in the sessionCreated() method
of ControlEventListner class. As per the comments in the Jira ticket,
session timeout declarations in web.xml have been removed by the use
of @WebListner annotation. This is to avoid duplicates things everywhere in
web.xml files. Since the web.xml files have precedence on annotations, the
setting can be easily overridden when necessary.

But the @WebListner is missing in the ControlEventListner class. Also, I am
unable to override the session timeout in web.xml even after putting the
@WebListner annotation in ControlEventListner class.

Please let me know if this is a real issue or I am doing something wrong?

Thanks & Regards
--
Deepak Nigam
HotWax Systems Pvt. Ltd.