Re: Tomcat 7 Session Persistence disable not working as expected
2014-03-10 10:58 GMT+04:00 Akash Jain akash.delh...@gmail.com:
> Christopher,
>
> I have changed in server.xml. Below is the server.xml part -
>
> <Context path="" docBase="ROOT" sessionCookieName="mycookie"
>          sessionCookieDomain="myapp.mydomain.com" sessionCookiePath="/"
>          useHttpOnly="true" reloadable="false">
>   <WatchedResource>WEB-INF/web.xml</WatchedResource>
>   <Manager pathname="" /> <!-- Disables session persistence -->
> </Context>
>
> As indicated above, I write JSESSIONID in mycookie cookie. Even after restart, the JSESSIONID is not getting invalidated. Before and after restart of apache, I can keep browsing the site with the same JSESSIONID in cookie.

This behaviour is expected for sessionCookiePath=/.

To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat 7 Session Persistence disable not working as expected
Konstantin,

On 3/11/14, 8:46 AM, Konstantin Kolinko wrote:
> 2014-03-10 10:58 GMT+04:00 Akash Jain akash.delh...@gmail.com:
>> Christopher,
>>
>> I have changed in server.xml. Below is the server.xml part -
>>
>> <Context path="" docBase="ROOT" sessionCookieName="mycookie"
>>          sessionCookieDomain="myapp.mydomain.com" sessionCookiePath="/"
>>          useHttpOnly="true" reloadable="false">
>>   <WatchedResource>WEB-INF/web.xml</WatchedResource>
>>   <Manager pathname="" /> <!-- Disables session persistence -->
>> </Context>
>>
>> As indicated above, I write JSESSIONID in mycookie cookie. Even after restart, the JSESSIONID is not getting invalidated. Before and after restart of apache, I can keep browsing the site with the same JSESSIONID in cookie.
>
> This behaviour is expected for sessionCookiePath=/.

Also:

1. The client is responsible for expiring cookies, not the server
2. A client request for a session does not imply that the session is still valid on the server

-chris
Re: Tomcat 7 Session Persistence disable not working as expected
Akash,

On 3/10/14, 1:03 AM, Akash Jain wrote:
> As documented in https://tomcat.apache.org/tomcat-5.5-doc/config/manager.html#Disable_Session_Persistence, I added the following code piece to disable session persistence in Tomcat 7.
>
> <Manager pathname="" />
>
> After this change I can see that SESSIONS.ser is not getting created as expected, but even after restarting tomcat, the previous JSESSIONID is still valid.
>
> Why is tomcat not invalidating the previous JSESSIONID ?

What makes you think the session is still valid after a restart? Did you bind an attribute to the session, and you're still seeing it in there after a restart?

What file did you modify to change the Manager configuration?

-chris
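Added example, not part of the thread or of Tomcat's own code: a small diagnostic servlet for the two checks raised in the replies above, namely whether the session ID the client sends is actually valid on the server, and whether an attribute bound before a restart is still there afterwards. The class name, URL pattern and attribute name are hypothetical; it assumes the Servlet 3.0 API (`javax.servlet`) that Tomcat 7 provides.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical diagnostic servlet; not from the thread or from Tomcat.
@WebServlet("/session-check")
public class SessionCheckServlet extends HttpServlet {
    // Constructed attribute name used as the "did my data survive?" marker.
    private static final String MARKER = "sessionCheck.marker";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // Inspect the request BEFORE anything creates a session.
        String requestedId = req.getRequestedSessionId();        // value the client sent
        boolean validOnServer = req.isRequestedSessionIdValid(); // does the server know it?
        HttpSession existing = req.getSession(false);            // null if no live session
        boolean markerBefore = existing != null
                && existing.getAttribute(MARKER) != null;

        // Now do what a typical application does: get or create a session.
        HttpSession session = req.getSession(true);
        boolean isNew = session.isNew();
        if (session.getAttribute(MARKER) == null) {
            session.setAttribute(MARKER, "bound at " + System.currentTimeMillis());
        }

        // Report booleans and timestamps only; the ID itself is never echoed.
        resp.setContentType("text/plain");
        resp.setHeader("Cache-Control", "no-store");
        PrintWriter out = resp.getWriter();
        out.println("requested id present      : " + (requestedId != null));
        out.println("requested id valid        : " + validOnServer);
        out.println("marker found before create: " + markerBefore);
        out.println("session is new            : " + isNew);
        out.println("new id equals requested   : "
                + session.getId().equals(requestedId));
        out.println("session created at (ms)   : " + session.getCreationTime());
    }
}
```

Request it once before the restart and once after, sending the same cookie both times. With persistence disabled, the second response should report the requested ID as not valid, no marker found, and a new session, whatever the cookie value looks like in the browser.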
Re: Tomcat 7 Session Persistence disable not working as expected
Christopher,

I have changed in server.xml. Below is the server.xml part -

<Context path="" docBase="ROOT" sessionCookieName="mycookie"
         sessionCookieDomain="myapp.mydomain.com" sessionCookiePath="/"
         useHttpOnly="true" reloadable="false">
  <WatchedResource>WEB-INF/web.xml</WatchedResource>
  <Manager pathname="" /> <!-- Disables session persistence -->
</Context>

As indicated above, I write JSESSIONID in mycookie cookie. Even after restart, the JSESSIONID is not getting invalidated. Before and after restart of apache, I can keep browsing the site with the same JSESSIONID in cookie.
Re: Tomcat 7 Session Persistence disable not working as expected
Hi Violeta,

It's latest version ( 7.0.52 )

On Sun, Mar 9, 2014 at 10:28 PM, Violeta Georgieva violet...@apache.org wrote:
> Hi,
>
> On Monday, 10 March 2014, Akash Jain akash.delh...@gmail.com wrote:
>> As documented in https://tomcat.apache.org/tomcat-5.5-doc/config/manager.html#Disable_Session_Persistence , I added the following code piece to disable session persistence in Tomcat 7.
>
> What is the exact version of Tomcat?
> The correct documentation for Tomcat 7 is [1].
>
> Regards,
> Violeta
>
> [1] http://tomcat.apache.org/tomcat-7.0-doc/config/manager.html#Disable_Session_Persistence
>
>> <Manager pathname="" />
>>
>> After this change I can see that SESSIONS.ser is not getting created as expected, but even after restarting tomcat, the previous JSESSIONID is still valid.
>>
>> Why is tomcat not invalidating the previous JSESSIONID ?