Re: Tomcat 7 : Configure redirect url for session timeout
It is not feasible to determine the difference between a timed-out session and a user who had no session to begin with. Couldn't you use the presence/absence of a session id cookie? Chris - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat 7 : Configure redirect url for session timeout
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Chris, On 3/18/14, 7:31 AM, chris derham wrote: It is not feasible to determine the difference between a timed-out session and a user who had no session to begin with. Couldn't you use the presence/absence of a session id cookie? Not really. What's the difference between a JSESSIONID being there 2 minutes after a /true/ session time-out versus one that the client is sending 30 days after the session time out? There are so many reasons that the client and server can get out of sync with (non-stored, as is the default) cookies that you really can't make any real guesses about the true state of the world. All you know is that a client-requested session id does match a currently-valid session. Remember that you can't trust anything that the client sends you, really. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1 Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBCAAGBQJTKFDkAAoJEBzwKT+lPKRYLFgQAI3FNdNfzBr2THuHCZAi4dfh 7JdMEQh8QJGXyPOAYirnhJIiiS2aoGhjHMwq8h6FLj+Jfd84pFUYHQytGww0rSqS bqZxQbaEePNT58AHqzKwzl+NfNDTac6A978mtXJJ9OpPgxVzexkHjGoP1b/yDtFI CL1PRudg+yO1IbNHSKsSqADoVv+sMR2YuiXB4+0HaHIXGGORbQoAFBeiChHcsAzX JXskHUicFzs6oemlAtttc44seCuDwx8mDcKnid0Ad8P2vgtWxKvu6cvYEPWOuEYU asptvvUNipcfaMU+d3fgaWAj184EXL8jO0krmbT/gPNW1C39WNGBXfvEZiNfNrwk CeH3foQT19uNG+OGTlUZc/eR64g7vMWY4caxLJUm3fXi2Z4PZeFPE5nYoDuKHn6L tF2hyyp8pLxbeCC6vkqh3oBElz/LdgCSSyz314HIC/OO5z6T9FzMWT+HtzVLOkFA 5wCkHswh1OED083Q2ysaGVtbg3A39hYWDN3MxfIpmFZB1kFyZopStvqf5dlBwukH m/6+iuwAdj/aMvhcmk8EJ6NcC0hGw+Jp71/pe0QsBx9uV9FhaC4Nkf50qpB/bGtn mEmOSEHHKRmEaOpQswIv1IfRaUOCCmLA9rCT8osmxzfaWc7ddMKS/GS7rWTKLNZh MxERN0TUbkdnjJv1ngfL =Jzjq -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat 7 : Configure redirect url for session timeout
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Akash, On 3/14/14, 7:18 PM, Akash Jain wrote: I want to redirect user to / with a query parameter to indicate that session has timed out. On Fri, Mar 14, 2014 at 4:01 PM, Leo Donahue donahu...@gmail.com wrote: On Fri, Mar 14, 2014 at 3:48 PM, Akash Jain akash.delh...@gmail.com wrote: Leo, If any request comes after session timeout interval ... why would it go into error ? Perhaps because the request/response that was created with a session is no longer valid after the session timeout. What other option would you have if not an error-page? It is not feasible to determine the difference between a timed-out session and a user who had no session to begin with. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1 Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBCAAGBQJTJ0wfAAoJEBzwKT+lPKRYO1QP/2jeAUlyIM6zSOA7LBkrsplS Wypf2zi65W9DM/aQn8V8CU8biDtA+zLUPpVQy5ntb2FMQ0fsW6nECItM36ATy79x xJvbGT51ySicNXTtvAgUJsnbGZOYlVy2W4Uo7VqxSAs8qjbsQaqly1YjmUtIpQRG ctHa48u6qwcQUVnVceL3xwDxZ8flMcaPu+9+ddILoRUNWYEGmKPkspsvKRFMfVgQ lsWtvzeW97mbS7+9CL+p/egcoe4JhVWLAYQW1w+wdoWT1R5Jds/gnCDuVaH+Y6Mi KiLPJ8ew99d3HF9BxxKDrk4fqgMgUkhZVI2WHzl/Y+o7oiiOBXpaVlqQ6gE4B48I 7e9gTodQBPY597N0ZdgYIRLML6U12wNAV32OLwVwGo/kjKqV/22b/E0YWjOvI6z9 9+djxnz8JTYlbKM+PlTBDsN5/zwz90WtmA38ZoyHffyrlGiDKKjOSvlOkSjtEzTj z6naV8InGrNd0Hmmc7AfDhaGwTJMKAmJWs5dYlfPb+FmSa8al9yRZHLTS/mOAL8f H+Vsic2ZfkBHpzIj9sQRz6V/7lurvV59hrBKpqck7wvr6GfgwaU8+cPE4c8rnilw Ut5qM6/7oh6nDJIliVL/+xY/s1+CnHAz+xSEDB0u1J91XW7kE7TByKyknzBsTYQS 1jRAmLmiEPIIKzzZxPhu =lf10 -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat 7 : Configure redirect url for session timeout
On 3/14/2014 6:18 PM, Akash Jain wrote: I want to redirect user to / with a query parameter to indicate that session has timed out. On Fri, Mar 14, 2014 at 4:01 PM, Leo Donahue donahu...@gmail.com wrote: On Fri, Mar 14, 2014 at 3:48 PM, Akash Jain akash.delh...@gmail.com wrote: Leo, If any request comes after session timeout interval ... why would it go into error ? Perhaps because the request/response that was created with a session is no longer valid after the session timeout. What other option would you have if not an error-page? Hi, Akash- Seems like a fairly simple filter could handle this by redirecting to the home page if the session is invalid and the home page isn't already the target. -Terence Bandoian - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat 7 : Configure redirect url for session timeout
On 3/14/2014 4:18 PM, Akash Jain wrote: I want to redirect user to / with a query parameter to indicate that session has timed out. I don't follow you. What do you mean by use a query parameter? You want to display a notification to the user in the URL? Do you mean like this: http://www.myhomepage.com/?notice=sessiontimeout - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat 7 : Configure redirect url for session timeout
On Fri, Mar 14, 2014 at 3:04 PM, Akash Jain akash.delh...@gmail.com wrote: I have following configuration in `web.xml` in tomcat 7. I am wondering if I can add any configurable parameter here, so that if user tries to do any operation post 30 minutes, I redirect the user to our home page. session-config session-timeout30/session-timeout cookie-config domainmydomain.mycompany.com/domain http-onlytrue/http-only securefalse/secure /cookie-config tracking-modeCOOKIE/tracking-mode /session-config My first thought is you could catch the error in web.xml using an error-page and error-code 408, and then use a location to redirect? http://tomcat.apache.org/tomcat-7.0-doc/servletapi/javax/servlet/http/HttpServletResponse.html
Re: Tomcat 7 : Configure redirect url for session timeout
Leo, If any request comes after session timeout interval ... why would it go into error ? I want to keep the session timeout and error scenarios different. On Fri, Mar 14, 2014 at 3:34 PM, Leo Donahue donahu...@gmail.com wrote: On Fri, Mar 14, 2014 at 3:04 PM, Akash Jain akash.delh...@gmail.com wrote: I have following configuration in `web.xml` in tomcat 7. I am wondering if I can add any configurable parameter here, so that if user tries to do any operation post 30 minutes, I redirect the user to our home page. session-config session-timeout30/session-timeout cookie-config domainmydomain.mycompany.com/domain http-onlytrue/http-only securefalse/secure /cookie-config tracking-modeCOOKIE/tracking-mode /session-config My first thought is you could catch the error in web.xml using an error-page and error-code 408, and then use a location to redirect? http://tomcat.apache.org/tomcat-7.0-doc/servletapi/javax/servlet/http/HttpServletResponse.html
Re: Tomcat 7 : Configure redirect url for session timeout
On Fri, Mar 14, 2014 at 3:48 PM, Akash Jain akash.delh...@gmail.comwrote: Leo, If any request comes after session timeout interval ... why would it go into error ? Perhaps because the request/response that was created with a session is no longer valid after the session timeout. What other option would you have if not an error-page?
Re: Tomcat 7 : Configure redirect url for session timeout
I want to redirect user to / with a query parameter to indicate that session has timed out. On Fri, Mar 14, 2014 at 4:01 PM, Leo Donahue donahu...@gmail.com wrote: On Fri, Mar 14, 2014 at 3:48 PM, Akash Jain akash.delh...@gmail.com wrote: Leo, If any request comes after session timeout interval ... why would it go into error ? Perhaps because the request/response that was created with a session is no longer valid after the session timeout. What other option would you have if not an error-page?