Re: Session Timeouts and SSO
Thanks, Tim. I kind of remember reading that now. I need to look at my application more carefully, to determine what is timing out. G. Wade Tim Funk wrote: http://jakarta.apache.org/tomcat/tomcat-4.1-doc/config/host.html#Single%20Sign%20On As soon as the user logs out of one web application (for example, by invalidating or timing out the corresponding session if form based login is used), the user's sessions in all web applications will be invalidated. Any subsequent attempt to access a protected resource in any application will require the user to authenticate himself or herself again. -Tim G. Wade Johnson wrote: Thanks again for all of the responses so far on my Timeout issue. I still have a problem, but it is not what I thought it was. Apparently, there is a session-timeout/ set to 30 minutes in the $CATALINA_HOME/conf/web.xml that I have. I don't recall changing this (but I won't rule out the possibility). I modified that, and found that I could get the session to expire at the time I specify. This time, I looked at the cookies that were sent back just before I get the login screen and found that Tomcat is sending a request to delete the JSESSIONIDSSO cookie used by the SingleSignon valve. Apparently, it is this valve and not Tomcat proper that is signing me out after the timeout period. Is this expected behavior? Is there any way for me to work around this behavior? Thanks again, G. Wade - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Session timeouts
I've added to the following line to my server.xml to try and increase timeouts for the webapp 'matt' but it doesn't appear to have any effect. Am I missing something? Context path=/matt docBase=matt defaultSessionTimeOut=120/ I also found no effect. I always set it in the top line of the service part of the jsp with: request.getSession().setMaxInactiveInterval(Utilities.TIMEOUT_SECONDS); Utilities being my own class of course. J. -- You're only jealous cos the little penguins are talking to me. *** For more information on Ordnance Survey products and services, visit our web site at http://www.ordnancesurvey.co.uk *** -- To unsubscribe: mailto:[EMAIL PROTECTED] For additional commands: mailto:[EMAIL PROTECTED] Troubles with the list: mailto:[EMAIL PROTECTED]
RE: Session timeouts
I want to set the session timeout for a web app. In the example web.xml it says that the the value is is seconds, but in book I have about Tomcat 4 it says that it's in minutes. It's minutes. It is set to a default in the xml configuration file, but can also be set in the jsp (find the call yourself!). For me, it only seems to work if set in the jsp :-( J. -- You're only jealous cos the little penguins are talking to me. *** For more information on Ordnance Survey products and services, visit our web site at http://www.ordnancesurvey.co.uk *** -- To unsubscribe: mailto:[EMAIL PROTECTED] For additional commands: mailto:[EMAIL PROTECTED] Troubles with the list: mailto:[EMAIL PROTECTED]
RE: Session timeouts
Chad,
I am doing something very similar...
Are you implementing the HttpSessionBindingListener interface in your
object? If not, try implementing this interface in your object that is
placed in the session. This will throw a 'valueBound' event when the object
is placed in the session and a 'valueUnbound' event when removed (either
explicitly or by timeout). The valueBound method will increment the count,
and the valueUnbound method will decrement it. Works perfectly for me.
Also, you might want to use session.invalidate() rather than explicitly
removing the session objects-- I found it was easier to manage.
HTH,
Mike
-Original Message-
From: Chad LaJoie [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 10, 2001 10:25 AM
To: [EMAIL PROTECTED]
Subject: Session timeouts
I have been experiencing some problems with sessions timeouts. It
seems that they are not unbinding all my sessions attributes. For
instance. I have a session tracker object that gets bound to a user's
session when they log in. This simply adds 1 to an application level
attribute indicating the number of people who are currently logged
in. When the user's logs out I call session.removeAttribute("tracker");
explicitly and the attribute is unbound. This decrements the application
attribute by 1. This all works fine. However if the session actually
time's out the tracker object doesn't seem to be unbound. I.e. my little
session tracker program still show the user as loged in.
Has anyone else encountered this problem, and if so is there a
solution for it?
Env:
Tomcat 3.2.1
Sun JDK 1.3.0_1
Apache 1.3.19
Solaris 8
Chad La Joie "Only a man who can not conquer
IT Specialist his deficiencies feels the need to
ISC - WARD convince the world he has none"
Mike Bryant (E-mail).vcf
RE: Session timeouts
Yep, I do implement HttpSessionBindingListener and no I can't call
invalidate because I depend on other objects bound to the session within my
session tracker and invalidate does not define the order at which it will
unbind objects. Therefore I need to do an explicit removeAttribute call so
that I am assured the rest of the objects I need are still within the session.
For reference here is my code
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;
import edu.vt.ward.lexus.portal.User.*;
public class SessionTracker implements HttpSessionBindingListener{
private String userPid;
private ServletContext context;
private Hashtable currentSessions;
public SessionTracker (ServletContext ctx){
context = ctx;
}
public void valueBound(HttpSessionBindingEvent event) {
HttpSession session = event.getSession();
User user = (User) session.getAttribute("user");
userPid = user.getPid();
String totalLogins;
if(context.getAttribute("currentSessions") == null){
currentSessions = new Hashtable();
Date uptime = new Date(System.currentTimeMillis());
context.setAttribute("uptime", uptime);
totalLogins = "0";
}else{
currentSessions = (Hashtable)
context.getAttribute("currentSessions");
totalLogins = (String)
context.getAttribute("totalLogins");
}
Date creationTime = new Date(session.getCreationTime());
currentSessions.put(userPid, creationTime);
context.setAttribute("currentSessions", currentSessions);
int logins = Integer.parseInt(totalLogins) + 1;
totalLogins = Integer.toString(logins);
context.setAttribute("totalLogins", totalLogins);
}
public void valueUnbound(HttpSessionBindingEvent event) {
HttpSession session = event.getSession();
User user = (User) session.getAttribute("user");
userPid = user.getPid();
Hashtable currentSession = (Hashtable)
context.getAttribute("currentSessions");
currentSessions.remove(userPid);
context.setAttribute("currentSessions", currentSessions);
}
}
At 10:37 AM 4/10/2001, you wrote:
Chad,
I am doing something very similar...
Are you implementing the HttpSessionBindingListener interface in your
object? If not, try implementing this interface in your object that is
placed in the session. This will throw a 'valueBound' event when the object
is placed in the session and a 'valueUnbound' event when removed (either
explicitly or by timeout). The valueBound method will increment the count,
and the valueUnbound method will decrement it. Works perfectly for me.
Also, you might want to use session.invalidate() rather than explicitly
removing the session objects-- I found it was easier to manage.
HTH,
Mike
-Original Message-
From: Chad LaJoie [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 10, 2001 10:25 AM
To: [EMAIL PROTECTED]
Subject: Session timeouts
I have been experiencing some problems with sessions timeouts. It
seems that they are not unbinding all my sessions attributes. For
instance. I have a session tracker object that gets bound to a user's
session when they log in. This simply adds 1 to an application level
attribute indicating the number of people who are currently logged
in. When the user's logs out I call session.removeAttribute("tracker");
explicitly and the attribute is unbound. This decrements the application
attribute by 1. This all works fine. However if the session actually
time's out the tracker object doesn't seem to be unbound. I.e. my little
session tracker program still show the user as loged in.
Has anyone else encountered this problem, and if so is there a
solution for it?
Env:
Tomcat 3.2.1
Sun JDK 1.3.0_1
Apache 1.3.19
Solaris 8
Chad La Joie "Only a man who can not conquer
IT Specialist his deficiencies feels the need to
ISC - WARD convince the world he has none"
Chad La Joie "Only a man who can not conquer
IT Specialist his deficiencies feels the need to
ISC - WARD convince the world he has none"
RE: Session timeouts
You could track the ValueBound event, and at binding time, make local
references to the session objects you are interested in. Then when you are
unbound, you do not need to worry about the order, since you have a local
reference and can still get/change information on it.
-Original Message-
From: Chad LaJoie [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 10, 2001 11:54 AM
To: [EMAIL PROTECTED]
Subject: RE: Session timeouts
Yep, I do implement HttpSessionBindingListener and no I can't call
invalidate because I depend on other objects bound to the session within my
session tracker and invalidate does not define the order at which it will
unbind objects. Therefore I need to do an explicit removeAttribute call so
that I am assured the rest of the objects I need are still within the
session.
For reference here is my code
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;
import edu.vt.ward.lexus.portal.User.*;
public class SessionTracker implements HttpSessionBindingListener{
private String userPid;
private ServletContext context;
private Hashtable currentSessions;
public SessionTracker (ServletContext ctx){
context = ctx;
}
public void valueBound(HttpSessionBindingEvent event) {
HttpSession session = event.getSession();
User user = (User) session.getAttribute("user");
userPid = user.getPid();
String totalLogins;
if(context.getAttribute("currentSessions") == null){
currentSessions = new Hashtable();
Date uptime = new Date(System.currentTimeMillis());
context.setAttribute("uptime", uptime);
totalLogins = "0";
}else{
currentSessions = (Hashtable)
context.getAttribute("currentSessions");
totalLogins = (String)
context.getAttribute("totalLogins");
}
Date creationTime = new Date(session.getCreationTime());
currentSessions.put(userPid, creationTime);
context.setAttribute("currentSessions", currentSessions);
int logins = Integer.parseInt(totalLogins) + 1;
totalLogins = Integer.toString(logins);
context.setAttribute("totalLogins", totalLogins);
}
public void valueUnbound(HttpSessionBindingEvent event) {
HttpSession session = event.getSession();
User user = (User) session.getAttribute("user");
userPid = user.getPid();
Hashtable currentSession = (Hashtable)
context.getAttribute("currentSessions");
currentSessions.remove(userPid);
context.setAttribute("currentSessions", currentSessions);
}
}
At 10:37 AM 4/10/2001, you wrote:
Chad,
I am doing something very similar...
Are you implementing the HttpSessionBindingListener interface in your
object? If not, try implementing this interface in your object that is
placed in the session. This will throw a 'valueBound' event when the
object
is placed in the session and a 'valueUnbound' event when removed (either
explicitly or by timeout). The valueBound method will increment the count,
and the valueUnbound method will decrement it. Works perfectly for me.
Also, you might want to use session.invalidate() rather than explicitly
removing the session objects-- I found it was easier to manage.
HTH,
Mike
-Original Message-
From: Chad LaJoie [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 10, 2001 10:25 AM
To: [EMAIL PROTECTED]
Subject: Session timeouts
I have been experiencing some problems with sessions timeouts.
It
seems that they are not unbinding all my sessions attributes. For
instance. I have a session tracker object that gets bound to a user's
session when they log in. This simply adds 1 to an application level
attribute indicating the number of people who are currently logged
in. When the user's logs out I call session.removeAttribute("tracker");
explicitly and the attribute is unbound. This decrements the application
attribute by 1. This all works fine. However if the session actually
time's out the tracker object doesn't seem to be unbound. I.e. my little
session tracker program still show the user as loged in.
Has anyone else encountered this problem, and if so is there a
solution for it?
Env:
Tomcat 3.2.1
Sun JDK 1.3.0_1
Apache 1.3.19
Solaris 8
Chad La Joie "Only a man who can not conquer
IT Specialist his deficiencies feels the need
to
ISC - WARD
