Re: Session timeout for webapps

2019-01-11 Thread Deepak Nigam
Hi Jacques,

On double checking, I found that
/applications/marketing/webapp/marketing/WEB-INF/web.xml and
/applications/party/webapp/partymgr/WEB-INF/web.xml files have been missed.
Apart from that, I think we need to work for web.xml of various plugins
also.

Thanks & Regards
--
Deepak Nigam
HotWax Systems Pvt. Ltd


On Fri, Jan 11, 2019 at 9:58 PM Jacques Le Roux <
jacques.le.r...@les7arts.com> wrote:

> Hi Guys,
>
> Done, please double-check that I have not missed a web.xml file
>
> Thanks
>
> Jacques
>
> Le 11/01/2019 à 11:34, Jacques Le Roux a écrit :
> > Thanks Guys,
> >
> > I'll do this afternoon using OFBIZ-6655
> >
> > Jacques
> >
> > Le 11/01/2019 à 07:03, Deepak Nigam a écrit :
> >> Thanks, Jacques and Girish.
> >>
> >> Yes, it makes sense to get back to web.xml for the session timeout value.
> >>
> >> On Fri, Jan 11, 2019 at 11:13 AM Girish Vasmatkar <
> >> girish.vasmat...@hotwaxsystems.com> wrote:
> >>
> >>> Hi Jacques
> >>>
> >>> Yes, we should put back the session timeout declaration in web.xml. Given
> >>> the fact that we can always mix web.xml and Annotation based configuration,
> >>> it only makes sense to let web.xml decide the session timeout and even if
> >>> we have the session listener (via web.xml declaration or Annotation), we
> >>> should not programmatically try to override the setting.
> >>>
> >>> Thanks and Regards,
> >>> Girish
> >>>
> >>>
> >>> On Thu, Jan 10, 2019 at 7:14 PM Jacques Le Roux <
> >>> jacques.le.r...@les7arts.com> wrote:
> >>>
> >>>> Hi Deepak, Girish,
> >>>>
> >>>> I had a look at the issue. The specifications of Java Servlet
> >>>> Specification 3.0 don't include an annotation to change the session time
> >>>> out.
> >>>>
> >>>> https://www.baeldung.com/servlet-session-timeout
> >>>>
> >>>> https://stackoverflow.com/questions/20389833/session-timeout-config-with-no-web-xml-file
> >>>>
> >>>> I think the best solution is to put back what we had before, ie set it to
> >>>> a value (it was 1 hour before) in all web.xml file and remove the
> >>>>
> >>>>   session.setMaxInactiveInterval(60*60); //in seconds
> >>>>
> >>>> line in ControlEventListener::sessionCreated
> >>>>
> >>>> I thought about keeping this line if a check to null for the session
> >>>> timeout value (from web.xml) was positive.
> >>>> But by default Tomcat sets it to 30 min (so it's never null) and it's
> >>>> possible but hard to change in OFBiz (eg to a known specific extraordinary
> >>>> value that could be checked instead of null as above)
> >>>> So it could be confusing and anyway best practice is to prefer convention
> >>>> over configuration, even if in this case it's much redundant.
> >>>>
> >>>> I think we can reopen OFBIZ-6655 and handle it there, with an explanation.
> >>>>
> >>>> Other ideas?
> >>>>
> >>>> Jacques
> >>>>
> >>>> Le 09/01/2019 à 10:11, Girish Vasmatkar a écrit :
> >>>>> Hi Deepak
> >>>>>
> >>>>> By the time sessionCreated is called in an HttpSessionListener, the session
> >>>>> has already been created. I am sure if you try to get the HttpSession from
> >>>>> the HttpSessionEvent object, it will have what you defined in
> >>>>>  tag.
> >>>>>
> >>>>> But the code is overriding the timeout using setMaxInactiveInterval to 1
> >>>>> hour that is why it is looking like web.xml is not being given
> >>>>> precedence over programmatic session configuration.
> >>>>>
> >>>>> Whether web.xml takes precedence over annotation does not apply in this
> >>>>> case because anyway the session timeout value is being overridden by the
> >>>>> code. The tomcat container definitely reads session-timeout from web.xml
> >>>>> and assigns timeout for the session accordingly. But since a listener is
> >>>>> configured for session lifecycle management, it invokes the method and
> >>>>> there the session value is being overridden.
> >>>>>
> >>>>> Try to set 2 minutes session timeout in web.xml and remove
> >>>>> session.setMaxInactiveInterval(60*60).
> >>>>> I would say you will be logged out after 2 minutes. If that is not the
> >>>>> case, pl let me know.
> >>>>>
> >>>>> I hope I understood your question and problem correctly.
> >>>>>
> >>>>> Best,
> >>>>> Girish
> >>>>>
> >>>>> On Wed, Jan 9, 2019 at 1:53 PM Deepak Nigam <
> >>>>> deepak.nigam1...@gmail.com> wrote:
> >>>>>
> >>>>>> Thanks, Jacques.
> >>>>>>
> >>>>>> Apart from the hardcoded thing, I am not able to override the session
> >>>>>> timeout value using  tag in web.xml.
> >>>>>>
> >>>>>> On Tue, Jan 8, 2019 at 1:55 PM Jacques Le Roux <
> >>>>>> jacques.le.r...@les7arts.com> wrote:
> >>>>>>
> >>>>>>> Hi Deepak,
> >>>>>>>
> >>>>>>> You are right, it's hardcoded and should not. I have no time to go further
> >>>>>>> at the moment, but I'll ASAP
> >>>>>>>
> >>>>>>> Thanks
> >>>>>>>
> >>>>>>> Jacques
> >>>>>>>
> >>>>>>> Le 08/01/2019 à 06:10, Deepak Nigam a écrit :
> >>>>>>>> Hello all,
> >>>>>>>>
>  I 
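
A check for the point raised in this message, that a per-webapp timeout declaration is easy to miss in one of many web.xml files. This is an added example, not part of the thread and not OFBiz code; the function names are hypothetical, the file contents are constructed, and only the first two sample paths come from the message.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample descriptors (not copied from any real project file).
WITH_TIMEOUT = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <display-name>sample</display-name>
  <session-config>
    <session-timeout>{minutes}</session-timeout>
  </session-config>
</web-app>
"""
WITHOUT_TIMEOUT = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <display-name>sample</display-name>
</web-app>
"""


def local_name(tag):
    """Drop the '{namespace}' prefix so namespaced and plain files both match."""
    return tag.rsplit("}", 1)[-1]


def session_timeout_status(web_xml):
    """Classify one web.xml as ('ok', minutes), ('never-expires', minutes),
    ('invalid', text), ('missing', None) or ('unparseable', None)."""
    try:
        root = ET.parse(web_xml).getroot()
    except ET.ParseError:
        return ("unparseable", None)
    for cfg in root:
        if local_name(cfg.tag) != "session-config":
            continue
        for child in cfg:
            if local_name(child.tag) == "session-timeout":
                text = (child.text or "").strip()
                try:
                    minutes = int(text)
                except ValueError:
                    return ("invalid", text)
                # Servlet spec: a value of 0 or less means sessions never time out.
                if minutes <= 0:
                    return ("never-expires", minutes)
                return ("ok", minutes)
    # No declaration: the container default applies (the thread cites 30 min for Tomcat).
    return ("missing", None)


def audit(base_dir):
    """Map each WEB-INF/web.xml below base_dir that lacks a positive
    session-timeout to its status; paths are relative to base_dir."""
    base = Path(base_dir)
    findings = {}
    for web_xml in sorted(base.rglob("web.xml")):
        if web_xml.parent.name != "WEB-INF":
            continue
        status, _ = session_timeout_status(web_xml)
        if status != "ok":
            findings[web_xml.relative_to(base).as_posix()] = status
    return findings


def build_sample_tree(root):
    """Write the constructed files. The first two paths are the ones the message
    reports as missed; the 'sample/...' paths are made up for this example."""
    samples = {
        "applications/marketing/webapp/marketing/WEB-INF/web.xml": WITHOUT_TIMEOUT,
        "applications/party/webapp/partymgr/WEB-INF/web.xml": WITHOUT_TIMEOUT,
        "sample/ok-app/WEB-INF/web.xml": WITH_TIMEOUT.format(minutes=60),
        "sample/never-app/WEB-INF/web.xml": WITH_TIMEOUT.format(minutes=0),
    }
    for rel, body in samples.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body, encoding="utf-8")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, status in audit(tmp).items():
            print(f"{status:14} {rel}")
```

Pointing audit() at a real checkout instead of the temporary tree also covers plugin directories, since it walks everything below the base directory.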

Re: Unable to set the autoLogin Cookie when mount-point is set as an empty string

2019-01-11 Thread Jacques Le Roux

Fixed with OFBIZ-10635

Mathieu, I fear you will have to update your patch, let's see...

Jacques

Le 11/01/2019 à 11:48, Jacques Le Roux a écrit :

Hi Deepak,

This works:

Index: 
framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/LoginWorker.java
===
--- 
framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/LoginWorker.java 
(révision 1851027)
+++ 
framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/LoginWorker.java 
(copie de travail)
@@ -923,13 +923,16 @@
 HttpSession session = request.getSession();
 GenericValue userLogin = (GenericValue) 
session.getAttribute("userLogin");
 ServletContext context = request.getServletContext();
-    WebappInfo webappInfo = ComponentConfig.getWebappInfo((String) 
context.getAttribute("_serverId"), UtilHttp.getApplicationName(request));
+    String applicationName = UtilHttp.getApplicationName(request);
+    WebappInfo webappInfo = ComponentConfig.getWebappInfo((String) 
context.getAttribute("_serverId"), applicationName);

-    if (userLogin != null && webappInfo != null && 
webappInfo.isAutologinCookieUsed()) {
+    if (userLogin != null &&
+    (webappInfo != null && webappInfo.isAutologinCookieUsed())
+    || webappInfo == null) { // When using an empty mounpoint, ie 
using root as mounpoint. Beware: works only for 1 webapp!
 Cookie autoLoginCookie = new Cookie(getAutoLoginCookieName(request), 
userLogin.getString("userLoginId"));
 autoLoginCookie.setMaxAge(60 * 60 * 24 * 365);
autoLoginCookie.setDomain(EntityUtilProperties.getPropertyValue("url", 
"cookie.domain", delegator));
-    autoLoginCookie.setPath("/" + 
UtilHttp.getApplicationName(request).replaceAll("/","_"));
+    autoLoginCookie.setPath("/" + applicationName.replaceAll("/","_"));
 autoLoginCookie.setSecure(true);
 autoLoginCookie.setHttpOnly(true);
 response.addCookie(autoLoginCookie);
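
Review bot: The rewritten if condition no longer guards the webappInfo == null arm with the userLogin != null check, because && binds tighter than ||; it parses as (userLogin != null && (...)) || webappInfo == null. With an empty mount point and no userLogin in the session, the branch is entered and userLogin.getString("userLoginId") on the next line throws a NullPointerException. Group the alternatives under the null check instead: userLogin != null && (webappInfo == null || webappInfo.isAutologinCookieUsed()).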

Please try it and reuse OFBIZ-10635 if it's OK with you

Thanks

Jacques

Le 11/01/2019 à 05:16, Deepak Nigam a écrit :

Thank you, Jacques, for looking into it.

In my case, there is only one webapp with the empty mount point and I want
to use the autoLogin cookie. But the code is written in such a way that in
case of empty mount point 'webappInfo' object is coming null due to which
autoLogin cookie is not getting created and added in the response object.
UtilHttp.getApplicationName(request) method is returning the string 'root'
and ComponentConfig.getWebappInfo((String)
context.getAttribute("_serverId"), UtilHttp.getApplicationName(request)) is
trying to find the webapp using the mountpoint 'root' and hence unable to
find it.

Please refer the below code for more information:



// Set an autologin cookie for the webapp if it requests it
public static String autoLoginSet(HttpServletRequest request,
HttpServletResponse response) {
 Delegator delegator = (Delegator) request.getAttribute("delegator");
 HttpSession session = request.getSession();
 GenericValue userLogin = (GenericValue) session.getAttribute("userLogin");
 ServletContext context = request.getServletContext();
 WebappInfo webappInfo = ComponentConfig.getWebappInfo((String)
context.getAttribute("_serverId"),
UtilHttp.getApplicationName(request));

 if (userLogin != null && webappInfo != null &&
webappInfo.isAutologinCookieUsed()) {
 Cookie autoLoginCookie = new
Cookie(getAutoLoginCookieName(request),
userLogin.getString("userLoginId"));
 autoLoginCookie.setMaxAge(60 * 60 * 24 * 365);
autoLoginCookie.setDomain(EntityUtilProperties.getPropertyValue("url",
"cookie.domain", delegator));
 autoLoginCookie.setPath("/" +
UtilHttp.getApplicationName(request).replaceAll("/","_"));
 autoLoginCookie.setSecure(true);
 autoLoginCookie.setHttpOnly(true);
 response.addCookie(autoLoginCookie);
 return autoLoginCheck(delegator, session,
userLogin.getString("userLoginId"));
 } else {
 return "success";
 }
}

==

public static WebappInfo getWebappInfo(String serverName, String webAppName) {
 WebappInfo webappInfo = null;
 List<WebappInfo> webappsInfo = getAppBarWebInfos(serverName);
 for(WebappInfo currApp : webappsInfo) {
 String currWebAppName = currApp.getMountPoint().replace("/",
"").replace("*", "");
 if (webAppName.equals(currWebAppName)) {
 webappInfo = currApp;
 break;
 }
 }
 return webappInfo;
}

=


On Thu, Jan 10, 2019 at 7:31 PM Jacques Le Roux <

Re: Session timeout for webapps

2019-01-11 Thread Jacques Le Roux

Hi Guys,

Done, please double-check that I have not missed a web.xml file

Thanks

Jacques

Le 11/01/2019 à 11:34, Jacques Le Roux a écrit :

Thanks Guys,

I'll do this afternoon using OFBIZ-6655

Jacques

Le 11/01/2019 à 07:03, Deepak Nigam a écrit :

Thanks, Jacques and Girish.

Yes, it makes sense to get back to web.xml for the session timeout value.

On Fri, Jan 11, 2019 at 11:13 AM Girish Vasmatkar <
girish.vasmat...@hotwaxsystems.com> wrote:


Hi Jacques

Yes, we should put back the session timeout declaration in web.xml. Given
the fact that we can always mix web.xml and Annotation based configuration,
it only makes sense to let web.xml decide the session timeout and even if
we have the session listener (via web.xml declaration or Annotation), we
should not programmatically try to override the setting.

Thanks and Regards,
Girish


On Thu, Jan 10, 2019 at 7:14 PM Jacques Le Roux <
jacques.le.r...@les7arts.com> wrote:


Hi Deepak, Girish,

I had a look at the issue. The specifications of Java Servlet
Specification 3.0 don't include an annotation to change the session time
out.

 https://www.baeldung.com/servlet-session-timeout



https://stackoverflow.com/questions/20389833/session-timeout-config-with-no-web-xml-file

I think the best solution is to put back what we had before, ie set it to
a value (it was 1 hour before) in all web.xml file and remove the

 session.setMaxInactiveInterval(60*60); //in seconds

line in ControlEventListener::sessionCreated

I thought about keeping this line if a check to null for the session
timeout value (from web.xml) was positive.
But by default Tomcat sets it to 30 min (so it's never null) and it's
possible but hard to change in OFBiz (eg to a known specific extraordinary
value that could be checked instead of null as above)
So it could be confusing and anyway best practice is to prefer convention
over configuration, even if in this case it's much redundant.

I think we can reopen OFBIZ-6655 and handle it there, with an explanation.

Other ideas?

Jacques

Le 09/01/2019 à 10:11, Girish Vasmatkar a écrit :

Hi Deepak

By the time sessionCreated is called in an HttpSessionListener, the session
has already been created. I am sure if you try to get the HttpSession from
the HttpSessionEvent object, it will have what you defined in
 tag.

But the code is overriding the timeout using setMaxInactiveInterval to 1
hour that is why it is looking like web.xml is not being given
precedence over programmatic session configuration.

Whether web.xml takes precedence over annotation does not apply in this
case because anyway the session timeout value is being overridden by the
code. The tomcat container definitely reads session-timeout from web.xml
and assigns timeout for the session accordingly. But since a listener is
configured for session lifecycle management, it invokes the method and
there the session value is being overridden.

Try to set 2 minutes session timeout in web.xml and remove
session.setMaxInactiveInterval(60*60).
I would say you will be logged out after 2 minutes. If that is not the
case, pl let me know.

I hope I understood your question and problem correctly.

Best,
Girish



On Wed, Jan 9, 2019 at 1:53 PM Deepak Nigam <
deepak.nigam1...@gmail.com> wrote:


Thanks, Jacques.

Apart from the hardcoded thing, I am not able to override the session
timeout value using  tag in web.xml.

On Tue, Jan 8, 2019 at 1:55 PM Jacques Le Roux <
jacques.le.r...@les7arts.com>
wrote:


Hi Deepak,

You are right, it's hardcoded and should not. I have no time to go further
at the moment, but I'll ASAP

Thanks

Jacques

Le 08/01/2019 à 06:10, Deepak Nigam a écrit :

Hello all,

I tried to set the session timeout for the 'ecommerce' and the
'webtools' components using  of web.xml, but unable to do
so. Session for the logged-in user remains active even after the set time.
On further research, I found that we did some changes in this area in the
ticket OFBIZ-6655

Re: Unable to set the autoLogin Cookie when mount-point is set as an empty string

2019-01-11 Thread Jacques Le Roux

Actually forget it, I needed that in a 1st attempt.

With the patch below it's almost OK OOTB, unrelated to this issue: OFBIZ-10789 "Webpos key buttons don't show when using an empty or having a slash 
inside mountpoint name"


So using an empty mountpoint name is OK as long as you don't use the webpos

Jacques

Le 11/01/2019 à 15:49, Jacques Le Roux a écrit :

Forgot to say, for that to work OOTB you need to set

stats.persist.visit=ftrue
stats.persist.visitor=ftrue

Le 11/01/2019 à 11:48, Jacques Le Roux a écrit :

Hi Deepak,

This works:

Index: 
framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/LoginWorker.java
===
--- 
framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/LoginWorker.java 
(révision 1851027)
+++ 
framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/LoginWorker.java 
(copie de travail)
@@ -923,13 +923,16 @@
 HttpSession session = request.getSession();
 GenericValue userLogin = (GenericValue) 
session.getAttribute("userLogin");
 ServletContext context = request.getServletContext();
-    WebappInfo webappInfo = ComponentConfig.getWebappInfo((String) 
context.getAttribute("_serverId"), UtilHttp.getApplicationName(request));
+    String applicationName = UtilHttp.getApplicationName(request);
+    WebappInfo webappInfo = ComponentConfig.getWebappInfo((String) 
context.getAttribute("_serverId"), applicationName);

-    if (userLogin != null && webappInfo != null && 
webappInfo.isAutologinCookieUsed()) {
+    if (userLogin != null &&
+    (webappInfo != null && webappInfo.isAutologinCookieUsed())
+    || webappInfo == null) { // When using an empty mounpoint, ie 
using root as mounpoint. Beware: works only for 1 webapp!
 Cookie autoLoginCookie = new Cookie(getAutoLoginCookieName(request), 
userLogin.getString("userLoginId"));
 autoLoginCookie.setMaxAge(60 * 60 * 24 * 365);
autoLoginCookie.setDomain(EntityUtilProperties.getPropertyValue("url", 
"cookie.domain", delegator));
-    autoLoginCookie.setPath("/" + 
UtilHttp.getApplicationName(request).replaceAll("/","_"));
+    autoLoginCookie.setPath("/" + applicationName.replaceAll("/","_"));
 autoLoginCookie.setSecure(true);
 autoLoginCookie.setHttpOnly(true);
 response.addCookie(autoLoginCookie);

Please try it and reuse OFBIZ-10635 if it's OK with you

Thanks

Jacques

Le 11/01/2019 à 05:16, Deepak Nigam a écrit :

Thank you, Jacques, for looking into it.

In my case, there is only one webapp with the empty mount point and I want
to use the autoLogin cookie. But the code is written in such a way that in
case of empty mount point 'webappInfo' object is coming null due to which
autoLogin cookie is not getting created and added in the response object.
UtilHttp.getApplicationName(request) method is returning the string 'root'
and ComponentConfig.getWebappInfo((String)
context.getAttribute("_serverId"), UtilHttp.getApplicationName(request)) is
trying to find the webapp using the mountpoint 'root' and hence unable to
find it.

Please refer the below code for more information:



// Set an autologin cookie for the webapp if it requests it
public static String autoLoginSet(HttpServletRequest request,
HttpServletResponse response) {
 Delegator delegator = (Delegator) request.getAttribute("delegator");
 HttpSession session = request.getSession();
 GenericValue userLogin = (GenericValue) session.getAttribute("userLogin");
 ServletContext context = request.getServletContext();
 WebappInfo webappInfo = ComponentConfig.getWebappInfo((String)
context.getAttribute("_serverId"),
UtilHttp.getApplicationName(request));

 if (userLogin != null && webappInfo != null &&
webappInfo.isAutologinCookieUsed()) {
 Cookie autoLoginCookie = new
Cookie(getAutoLoginCookieName(request),
userLogin.getString("userLoginId"));
 autoLoginCookie.setMaxAge(60 * 60 * 24 * 365);
autoLoginCookie.setDomain(EntityUtilProperties.getPropertyValue("url",
"cookie.domain", delegator));
 autoLoginCookie.setPath("/" +
UtilHttp.getApplicationName(request).replaceAll("/","_"));
 autoLoginCookie.setSecure(true);
 autoLoginCookie.setHttpOnly(true);
 response.addCookie(autoLoginCookie);
 return autoLoginCheck(delegator, session,
userLogin.getString("userLoginId"));
 } else {
 return "success";
 }
}

==

public static WebappInfo getWebappInfo(String serverName, String webAppName) {
 WebappInfo webappInfo = null;
 List<WebappInfo> webappsInfo = getAppBarWebInfos(serverName);
 for(WebappInfo currApp : webappsInfo) {
 String currWebAppName = 

Re: Unable to set the autoLogin Cookie when mount-point is set as an empty string

2019-01-11 Thread Jacques Le Roux

Forgot to say, for that to work OOTB you need to set

stats.persist.visit=ftrue
stats.persist.visitor=ftrue

Le 11/01/2019 à 11:48, Jacques Le Roux a écrit :

Hi Deepak,

This works:

Index: 
framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/LoginWorker.java
===
--- 
framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/LoginWorker.java 
(révision 1851027)
+++ 
framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/LoginWorker.java 
(copie de travail)
@@ -923,13 +923,16 @@
 HttpSession session = request.getSession();
 GenericValue userLogin = (GenericValue) 
session.getAttribute("userLogin");
 ServletContext context = request.getServletContext();
-    WebappInfo webappInfo = ComponentConfig.getWebappInfo((String) 
context.getAttribute("_serverId"), UtilHttp.getApplicationName(request));
+    String applicationName = UtilHttp.getApplicationName(request);
+    WebappInfo webappInfo = ComponentConfig.getWebappInfo((String) 
context.getAttribute("_serverId"), applicationName);

-    if (userLogin != null && webappInfo != null && 
webappInfo.isAutologinCookieUsed()) {
+    if (userLogin != null &&
+    (webappInfo != null && webappInfo.isAutologinCookieUsed())
+    || webappInfo == null) { // When using an empty mounpoint, ie 
using root as mounpoint. Beware: works only for 1 webapp!
 Cookie autoLoginCookie = new Cookie(getAutoLoginCookieName(request), 
userLogin.getString("userLoginId"));
 autoLoginCookie.setMaxAge(60 * 60 * 24 * 365);
autoLoginCookie.setDomain(EntityUtilProperties.getPropertyValue("url", 
"cookie.domain", delegator));
-    autoLoginCookie.setPath("/" + 
UtilHttp.getApplicationName(request).replaceAll("/","_"));
+    autoLoginCookie.setPath("/" + applicationName.replaceAll("/","_"));
 autoLoginCookie.setSecure(true);
 autoLoginCookie.setHttpOnly(true);
 response.addCookie(autoLoginCookie);

Please try it and reuse OFBIZ-10635 if it's OK with you

Thanks

Jacques

Le 11/01/2019 à 05:16, Deepak Nigam a écrit :

Thank you, Jacques, for looking into it.

In my case, there is only one webapp with the empty mount point and I want
to use the autoLogin cookie. But the code is written in such a way that in
case of empty mount point 'webappInfo' object is coming null due to which
autoLogin cookie is not getting created and added in the response object.
UtilHttp.getApplicationName(request) method is returning the string 'root'
and ComponentConfig.getWebappInfo((String)
context.getAttribute("_serverId"), UtilHttp.getApplicationName(request)) is
trying to find the webapp using the mountpoint 'root' and hence unable to
find it.

Please refer the below code for more information:



// Set an autologin cookie for the webapp if it requests it
public static String autoLoginSet(HttpServletRequest request,
HttpServletResponse response) {
 Delegator delegator = (Delegator) request.getAttribute("delegator");
 HttpSession session = request.getSession();
 GenericValue userLogin = (GenericValue) session.getAttribute("userLogin");
 ServletContext context = request.getServletContext();
 WebappInfo webappInfo = ComponentConfig.getWebappInfo((String)
context.getAttribute("_serverId"),
UtilHttp.getApplicationName(request));

 if (userLogin != null && webappInfo != null &&
webappInfo.isAutologinCookieUsed()) {
 Cookie autoLoginCookie = new
Cookie(getAutoLoginCookieName(request),
userLogin.getString("userLoginId"));
 autoLoginCookie.setMaxAge(60 * 60 * 24 * 365);
autoLoginCookie.setDomain(EntityUtilProperties.getPropertyValue("url",
"cookie.domain", delegator));
 autoLoginCookie.setPath("/" +
UtilHttp.getApplicationName(request).replaceAll("/","_"));
 autoLoginCookie.setSecure(true);
 autoLoginCookie.setHttpOnly(true);
 response.addCookie(autoLoginCookie);
 return autoLoginCheck(delegator, session,
userLogin.getString("userLoginId"));
 } else {
 return "success";
 }
}

==

public static WebappInfo getWebappInfo(String serverName, String webAppName) {
 WebappInfo webappInfo = null;
 List<WebappInfo> webappsInfo = getAppBarWebInfos(serverName);
 for(WebappInfo currApp : webappsInfo) {
 String currWebAppName = currApp.getMountPoint().replace("/",
"").replace("*", "");
 if (webAppName.equals(currWebAppName)) {
 webappInfo = currApp;
 break;
 }
 }
 return webappInfo;
}

=


On Thu, Jan 10, 2019 at 7:31 PM Jacques 

Re: Unable to set the autoLogin Cookie when mount-point is set as an empty string

2019-01-11 Thread Jacques Le Roux

Hi Deepak,

This works:

Index: 
framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/LoginWorker.java
===
--- 
framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/LoginWorker.java 
(révision 1851027)
+++ 
framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/LoginWorker.java 
(copie de travail)
@@ -923,13 +923,16 @@
 HttpSession session = request.getSession();
 GenericValue userLogin = (GenericValue) 
session.getAttribute("userLogin");
 ServletContext context = request.getServletContext();
-    WebappInfo webappInfo = ComponentConfig.getWebappInfo((String) 
context.getAttribute("_serverId"), UtilHttp.getApplicationName(request));
+    String applicationName = UtilHttp.getApplicationName(request);
+    WebappInfo webappInfo = ComponentConfig.getWebappInfo((String) 
context.getAttribute("_serverId"), applicationName);

-    if (userLogin != null && webappInfo != null && 
webappInfo.isAutologinCookieUsed()) {
+    if (userLogin != null &&
+    (webappInfo != null && webappInfo.isAutologinCookieUsed())
+    || webappInfo == null) { // When using an empty mounpoint, ie 
using root as mounpoint. Beware: works only for 1 webapp!
 Cookie autoLoginCookie = new Cookie(getAutoLoginCookieName(request), 
userLogin.getString("userLoginId"));
 autoLoginCookie.setMaxAge(60 * 60 * 24 * 365);
autoLoginCookie.setDomain(EntityUtilProperties.getPropertyValue("url", 
"cookie.domain", delegator));
-    autoLoginCookie.setPath("/" + 
UtilHttp.getApplicationName(request).replaceAll("/","_"));
+    autoLoginCookie.setPath("/" + applicationName.replaceAll("/","_"));
 autoLoginCookie.setSecure(true);
 autoLoginCookie.setHttpOnly(true);
 response.addCookie(autoLoginCookie);
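
Review bot: The added || webappInfo == null arm treats every failed getWebappInfo lookup as the empty-mount-point case, so any webapp that cannot be resolved gets a one-year autologin cookie without isAutologinCookieUsed() being consulted; the inline comment ("works only for 1 webapp") concedes this but nothing enforces it. Since the thread reports that getApplicationName returns "root" for an empty mount point, test for that name explicitly, or make getWebappInfo resolve it, and keep the opt-in check for all other cases. It is also worth confirming the path passed to setPath: with that name it becomes "/root", while the webapp itself is served from "/".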

Please try it and reuse OFBIZ-10635 if it's OK with you

Thanks

Jacques

Le 11/01/2019 à 05:16, Deepak Nigam a écrit :

Thank you, Jacques, for looking into it.

In my case, there is only one webapp with the empty mount point and I want
to use the autoLogin cookie. But the code is written in such a way that in
case of empty mount point 'webappInfo' object is coming null due to which
autoLogin cookie is not getting created and added in the response object.
UtilHttp.getApplicationName(request) method is returning the string 'root'
and ComponentConfig.getWebappInfo((String)
context.getAttribute("_serverId"), UtilHttp.getApplicationName(request)) is
trying to find the webapp using the mountpoint 'root' and hence unable to
find it.

Please refer the below code for more information:



// Set an autologin cookie for the webapp if it requests it
public static String autoLoginSet(HttpServletRequest request,
HttpServletResponse response) {
 Delegator delegator = (Delegator) request.getAttribute("delegator");
 HttpSession session = request.getSession();
 GenericValue userLogin = (GenericValue) session.getAttribute("userLogin");
 ServletContext context = request.getServletContext();
 WebappInfo webappInfo = ComponentConfig.getWebappInfo((String)
context.getAttribute("_serverId"),
UtilHttp.getApplicationName(request));

 if (userLogin != null && webappInfo != null &&
webappInfo.isAutologinCookieUsed()) {
 Cookie autoLoginCookie = new
Cookie(getAutoLoginCookieName(request),
userLogin.getString("userLoginId"));
 autoLoginCookie.setMaxAge(60 * 60 * 24 * 365);
 autoLoginCookie.setDomain(EntityUtilProperties.getPropertyValue("url",
"cookie.domain", delegator));
 autoLoginCookie.setPath("/" +
UtilHttp.getApplicationName(request).replaceAll("/","_"));
 autoLoginCookie.setSecure(true);
 autoLoginCookie.setHttpOnly(true);
 response.addCookie(autoLoginCookie);
 return autoLoginCheck(delegator, session,
userLogin.getString("userLoginId"));
 } else {
 return "success";
 }
}

==

public static WebappInfo getWebappInfo(String serverName, String webAppName) {
 WebappInfo webappInfo = null;
 List<WebappInfo> webappsInfo = getAppBarWebInfos(serverName);
 for(WebappInfo currApp : webappsInfo) {
 String currWebAppName = currApp.getMountPoint().replace("/",
"").replace("*", "");
 if (webAppName.equals(currWebAppName)) {
 webappInfo = currApp;
 break;
 }
 }
 return webappInfo;
}

=


On Thu, Jan 10, 2019 at 7:31 PM Jacques Le Roux <
jacques.le.r...@les7arts.com> wrote:


Hi Deepak,

It's not a problem if we create an autologin cookie even if it's not used,
just unclean.

Re: Session timeout for webapps

2019-01-11 Thread Jacques Le Roux

Thanks Guys,

I'll do this afternoon using OFBIZ-6655

Jacques

Le 11/01/2019 à 07:03, Deepak Nigam a écrit :

Thanks, Jacques and Girish.

Yes, it makes sense to get back to web.xml for the session timeout value.

On Fri, Jan 11, 2019 at 11:13 AM Girish Vasmatkar <
girish.vasmat...@hotwaxsystems.com> wrote:


Hi Jacques

Yes, we should put back the session timeout declaration in web.xml. Given
the fact that we can always mix web.xml and Annotation based configuration,
it only makes sense to let web.xml decide the session timeout and even if
we have the session listener (via web.xml declaration or Annotation), we
should not programmatically try to override the setting.

Thanks and Regards,
Girish


On Thu, Jan 10, 2019 at 7:14 PM Jacques Le Roux <
jacques.le.r...@les7arts.com> wrote:


Hi Deepak, Girish,

I had a look at the issue. The specifications of Java Servlet
Specification 3.0 don't include an annotation to change the session time
out.

 https://www.baeldung.com/servlet-session-timeout



https://stackoverflow.com/questions/20389833/session-timeout-config-with-no-web-xml-file

I think the best solution is to put back what we had before, ie set it to
a value (it was 1 hour before) in all web.xml file and remove the

 session.setMaxInactiveInterval(60*60); //in seconds

line in ControlEventListener::sessionCreated

I thought about keeping this line if a check to null for the session
timeout value (from web.xml) was positive.
But by default Tomcat sets it to 30 min (so it's never null) and it's
possible but hard to change in OFBiz (eg to a known specific extraordinary
value that could be checked instead of null as above)
So it could be confusing and anyway best practice is to prefer convention
over configuration, even if in this case it's much redundant.

I think we can reopen OFBIZ-6655 and handle it there, with an explanation.

Other ideas?

Jacques

Le 09/01/2019 à 10:11, Girish Vasmatkar a écrit :

Hi Deepak

By the time sessionCreated is called in an HttpSessionListener, the session
has already been created. I am sure if you try to get the HttpSession from
the HttpSessionEvent object, it will have what you defined in
 tag.

But the code is overriding the timeout using setMaxInactiveInterval to 1
hour that is why it is looking like web.xml is not being given
precedence over programmatic session configuration.

Whether web.xml takes precedence over annotation does not apply in this
case because anyway the session timeout value is being overridden by the
code. The tomcat container definitely reads session-timeout from web.xml
and assigns timeout for the session accordingly. But since a listener is
configured for session lifecycle management, it invokes the method and
there the session value is being overridden.

Try to set 2 minutes session timeout in web.xml and remove
session.setMaxInactiveInterval(60*60).
I would say you will be logged out after 2 minutes. If that is not the
case, pl let me know.

I hope I understood your question and problem correctly.

Best,
Girish



On Wed, Jan 9, 2019 at 1:53 PM Deepak Nigam <
deepak.nigam1...@gmail.com> wrote:


Thanks, Jacques.

Apart from the hardcoded thing, I am not able to override the session
timeout value using  tag in web.xml.

On Tue, Jan 8, 2019 at 1:55 PM Jacques Le Roux <
jacques.le.r...@les7arts.com>
wrote:


Hi Deepak,

You are right, it's hardcoded and should not. I have no time to go further
at the moment, but I'll ASAP

Thanks

Jacques

Le 08/01/2019 à 06:10, Deepak Nigam a écrit :

Hello all,

I tried to set the session timeout for the 'ecommerce' and the
'webtools' components using  of web.xml, but unable to do
so. Session for the logged-in user remains active even after the set time.
On further research, I found that we did some changes in this area in the
ticket OFBIZ-6655