Re: MaxInactiveInterval
On 06/11/2016 11:24, André Warnier (tomcat) wrote: > On 04.11.2016 20:06, Mark Thomas wrote: >> I did say "patches welcome" to André but since he is a committer that >> should have been "commits welcome" ;) >> > > Guys, you all know my level of (in)competence in matters deeply Java. You might be surprised at just how little Java I knew when I was made a committer. > I got my kudos by trying to help people in a general sense here, but > when things seem to involve specific parts deep down the Tomcat code, I > have to call for help. As always, happy to provide pointers. This should end up as a docs fix which I'd encourage you to consider tackling yourself. > What I know is this, from the Servlet Specs 3.0 final : > > quote > > 12. session-config Element > > The session-config defines the session parameters for this Web application. > The sub-element *session-timeout* defines the default session time out > interval > for all sessions created in this Web application. The specified time out > must be > expressed in a whole number of minutes. If the time out is 0 or less, > the container > ensures the default behavior of sessions is never to time out. If this > element is not > specified, the container must set its default time out period. > > unquote > > So it appears that there is a difference between : > - the WEB-INF/web.xml of a webapp specifying a session-timeout > 0, in > minutes > - the WEB-INF/web.xml of a webapp specifying a session-timeout =< 0 > (meaning, no timeout or "infinite") > - the WEB-INF/web.xml of a webapp not specifying a session-timeout > (container should supply a default value) > > Which thus raises the question : if a web application does not set the > session-timeout, what value is returned by Tomcat for > getMaxInactiveInterval() ? > > And the auxiliary question : can this (default) value be set somewhere > in the configuration, or is this set in code ? > > (Or is that the one that is set in (tomcat)/conf/web.xml : > > 30 > > ?) You are correct. The value from conf/web.xml provides the default if the application's web.xml does not provide one. > (and what happens if we remove that stanza from conf/web.xml ?) There is a hard-coded default of 30 minutes (i.e. the same as the explicit default in conf/web.xml) in o.a.catalina.core.StandardConetxt. All of the above assumes that the standard components are being used. Custom session managers, session implementations and/or Contexts could all modify this behaviour. To add to the fun, there is, effectively, an undocumented attribute on Context - sessionTimeout - that could also be set in server.xml / context.xml. Overall, the order of precedence should be: - application specific web.xml - conf/web.xml default - sessionTimeout attribute on Context - hard-coded default. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: MaxInactiveInterval
On 04.11.2016 20:06, Mark Thomas wrote: On 04/11/2016 15:53, Caldarale, Charles R wrote: From: Mark Thomas [mailto:ma...@apache.org] Subject: Re: MaxInactiveInterval On 04/11/2016 15:07, André Warnier (tomcat) wrote: A log message in an application running under Tomcat 8 mentions the "MaxInactiveInterval" setting, saying that it is a bit short.. I think that I understand the meaning of the setting (the time for which a session remains valid, even without interactions). But where in the webapp context, and under what name, should an equivalent parameter be specified ? Set it in web.xml. Same with distributable. This really appears to be a problem in the servlet spec (not surprising), which mentions the getMaxInactiveInterval() and setMaxInactiveInterval() APIs but only vaguely ties them to the session-timeout element of session-config. Tomcat doc does not normally describe the nuances of the servlet spec, but something that associates the config name with the API might be useful. To be fair, Tomcat isn't helping here. We used to have these attributes on the (session) manager but we removed with the expectation that they would be configured in web.xml. We could have done a better job of pointing to the expected locations. I did say "patches welcome" to André but since he is a committer that should have been "commits welcome" ;) Guys, you all know my level of (in)competence in matters deeply Java. I got my kudos by trying to help people in a general sense here, but when things seem to involve specific parts deep down the Tomcat code, I have to call for help. What I know is this, from the Servlet Specs 3.0 final : quote 12. session-config Element The session-config defines the session parameters for this Web application. The sub-element *session-timeout* defines the default session time out interval for all sessions created in this Web application. The specified time out must be expressed in a whole number of minutes. If the time out is 0 or less, the container ensures the default behavior of sessions is never to time out. If this element is not specified, the container must set its default time out period. unquote So it appears that there is a difference between : - the WEB-INF/web.xml of a webapp specifying a session-timeout > 0, in minutes - the WEB-INF/web.xml of a webapp specifying a session-timeout =< 0 (meaning, no timeout or "infinite") - the WEB-INF/web.xml of a webapp not specifying a session-timeout (container should supply a default value) Which thus raises the question : if a web application does not set the session-timeout, what value is returned by Tomcat for getMaxInactiveInterval() ? And the auxiliary question : can this (default) value be set somewhere in the configuration, or is this set in code ? (Or is that the one that is set in (tomcat)/conf/web.xml : 30 ?) (and what happens if we remove that stanza from conf/web.xml ?) - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: MaxInactiveInterval
On 04/11/2016 15:53, Caldarale, Charles R wrote: >> From: Mark Thomas [mailto:ma...@apache.org] Subject: Re: >> MaxInactiveInterval > >> On 04/11/2016 15:07, André Warnier (tomcat) wrote: >>> A log message in an application running under Tomcat 8 mentions >>> the "MaxInactiveInterval" setting, saying that it is a bit >>> short.. >>> >>> I think that I understand the meaning of the setting (the time >>> for which a session remains valid, even without interactions). >>> But where in the webapp context, and under what name, should an >>> equivalent parameter be specified ? > >> Set it in web.xml. Same with distributable. > > This really appears to be a problem in the servlet spec (not > surprising), which mentions the getMaxInactiveInterval() and > setMaxInactiveInterval() APIs but only vaguely ties them to the > session-timeout element of session-config. Tomcat doc does not > normally describe the nuances of the servlet spec, but something that > associates the config name with the API might be useful. To be fair, Tomcat isn't helping here. We used to have these attributes on the (session) manager but we removed with the expectation that they would be configured in web.xml. We could have done a better job of pointing to the expected locations. I did say "patches welcome" to André but since he is a committer that should have been "commits welcome" ;) Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: MaxInactiveInterval
> From: Mark Thomas [mailto:ma...@apache.org] > Subject: Re: MaxInactiveInterval > On 04/11/2016 15:07, André Warnier (tomcat) wrote: > > A log message in an application running under Tomcat 8 mentions the > > "MaxInactiveInterval" setting, saying that it is a bit short.. > > > > I think that I understand the meaning of the setting (the time for which > > a session remains valid, even without interactions). > > But where in the webapp context, and under what name, should an > > equivalent parameter be specified ? > Set it in web.xml. Same with distributable. This really appears to be a problem in the servlet spec (not surprising), which mentions the getMaxInactiveInterval() and setMaxInactiveInterval() APIs but only vaguely ties them to the session-timeout element of session-config. Tomcat doc does not normally describe the nuances of the servlet spec, but something that associates the config name with the API might be useful. - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: MaxInactiveInterval
On 04/11/2016 15:07, André Warnier (tomcat) wrote: > Hi. > > A log message in an application running under Tomcat 8 mentions the > "MaxInactiveInterval" setting, saying that it is a bit short.. > > The only place in the Tomcat 8 documentation where I find this setting, > is in > https://tomcat.apache.org/tomcat-8.0-doc/config/manager.html > where it says that this is deprecated, and should be set in the Context. > > However, the page at : > https://tomcat.apache.org/tomcat-8.0-doc/config/context.html > does not mention that parameter at all. > > Deep puzzlement. > What is this all about ? > > I think that I understand the meaning of the setting (the time for which > a session remains valid, even without interactions). > But where in the webapp context, and under what name, should an > equivalent parameter be specified ? Set it in web.xml. Same with distributable. Docs patches welcome. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
MaxInactiveInterval
Hi. A log message in an application running under Tomcat 8 mentions the "MaxInactiveInterval" setting, saying that it is a bit short.. The only place in the Tomcat 8 documentation where I find this setting, is in https://tomcat.apache.org/tomcat-8.0-doc/config/manager.html where it says that this is deprecated, and should be set in the Context. However, the page at : https://tomcat.apache.org/tomcat-8.0-doc/config/context.html does not mention that parameter at all. Deep puzzlement. What is this all about ? I think that I understand the meaning of the setting (the time for which a session remains valid, even without interactions). But where in the webapp context, and under what name, should an equivalent parameter be specified ? Thanks - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: session-timeout and maxInactiveInterval
On 21/06/2016 03:54, mw...@loftware.com wrote: > > >> -Original Message- >> From: Mark Thomas [mailto:ma...@apache.org] >> Sent: Monday, June 20, 2016 11:32 AM >> To: Tomcat Users List <users@tomcat.apache.org> >> Subject: Re: session-timeout and maxInactiveInterval >> >> On 20/06/2016 16:00, mw...@loftware.com wrote: >>> We are running 7.0.69 and Java 1.8.0_91. >>> >>> We ran into an incident at a customer where the customer had set >>> session-timeout to 0 – which according to the servlet 3.0 spec, the >>> session should never time out. However, the customer was basically >>> seeing the session timeout immediately. When we changed >>> session-timeout to a larger number (30) and restarted, the problem >> immediately went away. >> >> Set how? >> >> I've looked through the code and everything looks OK. >> >> What is the simplest possible test case that demonstrates this with a clean >> Tomcat install? (I'm thinking of something along the lines of changing the >> timeout in the web.xml for the examples app and adding a JSP that >> demonstrates the problem.) >> >> Mark >> > > +1 > Touche, barking up the wrong tree here. Turns out to be an issue with > Granite, for some reason using the Tomcat parameters, but using them wrong > (fortunately we were able to work around the bug). > > Sorry to waste your time. Not at all. The question and answer is in the archives and could well proof to provide a useful clue to someone facing a similar issue in the future. Mark > > >>> >>> >>> >>> It looks like setMaxInactiveInterval _/may/_ be using the value of >>> session-timeout if it is not explicitly set, and if so, is not >>> handling the session-timeout = 0 case specially. It also looks like >>> maxInactiveInterval is really controlling the lifetime of the session. >>> But I have also not been through the Tomcat code often, so I am not >>> 100% sure I’m looking in the right spot. >>> >>> >>> >>> Has anyone seen this issue before? Am I misinterpreting something? >>> >>> >>> >>> Thanks, >>> >>> >>> >>> Mark >>> >>> >>> >>> >>> >>> The Top 5 Trends in Enterprise Labeling for 2016 >>> <http://resources.loftware.com/2016-Top-5-Trends-Enterprise-Labeling.h >>> tml> >>> -- >>> -- >>> <http://www.loftware.com> >>> >>> 249 Corporate Drive, Portsmouth, NH 03801 >>> Website: loftware.com <http://www.loftware.com/> Connect with us: >>> Twitter <https://twitter.com/#!/LoftwareInc> | LinkedIn >>> <http://www.linkedin.com/company/loftware> | Google+ >>> <https://plus.google.com/116786447658424744021/posts> >>> What is Enterprise Labeling? >>> <http://loftware.com/topics/what-is-enterprise-labeling.cfm> Why it's >>> essential for global businesses. >>> Visit the Enterprise Labeling Blog for all of your industry news >>> >> >> >> - >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org >> For additional commands, e-mail: users-h...@tomcat.apache.org > > > - > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: session-timeout and maxInactiveInterval
> -Original Message- > From: Mark Thomas [mailto:ma...@apache.org] > Sent: Monday, June 20, 2016 11:32 AM > To: Tomcat Users List <users@tomcat.apache.org> > Subject: Re: session-timeout and maxInactiveInterval > > On 20/06/2016 16:00, mw...@loftware.com wrote: > > We are running 7.0.69 and Java 1.8.0_91. > > > > We ran into an incident at a customer where the customer had set > > session-timeout to 0 – which according to the servlet 3.0 spec, the > > session should never time out. However, the customer was basically > > seeing the session timeout immediately. When we changed > > session-timeout to a larger number (30) and restarted, the problem > immediately went away. > > Set how? > > I've looked through the code and everything looks OK. > > What is the simplest possible test case that demonstrates this with a clean > Tomcat install? (I'm thinking of something along the lines of changing the > timeout in the web.xml for the examples app and adding a JSP that > demonstrates the problem.) > > Mark > +1 Touche, barking up the wrong tree here. Turns out to be an issue with Granite, for some reason using the Tomcat parameters, but using them wrong (fortunately we were able to work around the bug). Sorry to waste your time. > > > > > > > > It looks like setMaxInactiveInterval _/may/_ be using the value of > > session-timeout if it is not explicitly set, and if so, is not > > handling the session-timeout = 0 case specially. It also looks like > > maxInactiveInterval is really controlling the lifetime of the session. > > But I have also not been through the Tomcat code often, so I am not > > 100% sure I’m looking in the right spot. > > > > > > > > Has anyone seen this issue before? Am I misinterpreting something? > > > > > > > > Thanks, > > > > > > > > Mark > > > > > > > > > > > > The Top 5 Trends in Enterprise Labeling for 2016 > > <http://resources.loftware.com/2016-Top-5-Trends-Enterprise-Labeling.h > > tml> > > -- > > -- > > <http://www.loftware.com> > > > > 249 Corporate Drive, Portsmouth, NH 03801 > > Website: loftware.com <http://www.loftware.com/> Connect with us: > > Twitter <https://twitter.com/#!/LoftwareInc> | LinkedIn > > <http://www.linkedin.com/company/loftware> | Google+ > > <https://plus.google.com/116786447658424744021/posts> > > What is Enterprise Labeling? > > <http://loftware.com/topics/what-is-enterprise-labeling.cfm> Why it's > > essential for global businesses. > > Visit the Enterprise Labeling Blog for all of your industry news > > > > > - > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org
Re: session-timeout and maxInactiveInterval
On 20/06/2016 16:00, mw...@loftware.com wrote: > We are running 7.0.69 and Java 1.8.0_91. > > We ran into an incident at a customer where the customer had set > session-timeout to 0 – which according to the servlet 3.0 spec, the > session should never time out. However, the customer was basically > seeing the session timeout immediately. When we changed session-timeout > to a larger number (30) and restarted, the problem immediately went away. Set how? I've looked through the code and everything looks OK. What is the simplest possible test case that demonstrates this with a clean Tomcat install? (I'm thinking of something along the lines of changing the timeout in the web.xml for the examples app and adding a JSP that demonstrates the problem.) Mark > > > > It looks like setMaxInactiveInterval _/may/_ be using the value of > session-timeout if it is not explicitly set, and if so, is not handling > the session-timeout = 0 case specially. It also looks like > maxInactiveInterval is really controlling the lifetime of the session. > But I have also not been through the Tomcat code often, so I am not > 100% sure I’m looking in the right spot. > > > > Has anyone seen this issue before? Am I misinterpreting something? > > > > Thanks, > > > > Mark > > > > > > The Top 5 Trends in Enterprise Labeling for 2016 > <http://resources.loftware.com/2016-Top-5-Trends-Enterprise-Labeling.html> > > <http://www.loftware.com> > > 249 Corporate Drive, Portsmouth, NH 03801 > Website: loftware.com <http://www.loftware.com/> > Connect with us: Twitter <https://twitter.com/#!/LoftwareInc> | LinkedIn > <http://www.linkedin.com/company/loftware> | Google+ > <https://plus.google.com/116786447658424744021/posts> > What is Enterprise Labeling? > <http://loftware.com/topics/what-is-enterprise-labeling.cfm> Why it's > essential for global businesses. > Visit the Enterprise Labeling Blog for all of your industry news > - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
session-timeout and maxInactiveInterval
We are running 7.0.69 and Java 1.8.0_91. We ran into an incident at a customer where the customer had set session-timeout to 0 - which according to the servlet 3.0 spec, the session should never time out. However, the customer was basically seeing the session timeout immediately. When we changed session-timeout to a larger number (30) and restarted, the problem immediately went away. It looks like setMaxInactiveInterval _may_ be using the value of session-timeout if it is not explicitly set, and if so, is not handling the session-timeout = 0 case specially. It also looks like maxInactiveInterval is really controlling the lifetime of the session. But I have also not been through the Tomcat code often, so I am not 100% sure I'm looking in the right spot. Has anyone seen this issue before? Am I misinterpreting something? Thanks, Mark
session-timeout vs. maxInactiveInterval
Question. I have been looking around the Net for information about the items in the subject and tomcat; it appears that they are actually the same thing(I'm not sure I'm understanding the docs correctly). So then, what is the difference between the session-timeout that's set in a tomcat's web.xml or an application's web.xml and the maxInactiveInterval attribute of Manager in the context.xml file for a particular application? Are these values interchangable, or does one supercede the other? Thanks! -- Lynn Hollerman. Office of Information Systems University of Louisiana - Lafayette 337-482-6466 - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: session-timeout vs. maxInactiveInterval
From: Lynn Hollerman [mailto:gmh2...@louisiana.edu] Subject: session-timeout vs. maxInactiveInterval I have been looking around the Net for information about the items in the subject and tomcat; it appears that they are actually the same thing Pretty much. The Manager setting is used if the web.xml does not contain a session-timeout value. Note the following from the servlet spec description of session-timeout: If this element is not specified, the container must set its default timeout period. Since Tomcat supplies a session-timeout element in the global conf/web.xml, you would have to remove that before the Manager setting became effective. - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org