Re: Session Timeout - Filter Not Called
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Paul, On 4/22/2010 5:24 PM, Paul Carroll wrote: > Yes. I put the session marker in my filter and I perform a simple > check each time through the filter to determine if the marker exists > and to check if it equals the current session id. Okay, so what's the problem? As Pid says, the session id isn't a good thing to use. Why not just set your attribute to Boolean.TRUE? The value doesn't actually matter... it's only important that it's been set to /something/. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkvRyf8ACgkQ9CaO5/Lv0PAxKACfQlqzaDX2WwpDb+qGAnSTqwZD a5oAn0SwNNkndH3oHbWHa+EtsVI54ujW =de9D -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Session Timeout - Filter Not Called
On 22/04/2010 22:24, Paul Carroll wrote: > Yes. I put the session marker in my filter and I perform a simple check each > time through the filter to determine if the marker exists and to check if it > equals the current session id. The session id itself may change during login, so I'm not sure if you should rely on this. Since Tomcat 6.0.21 http://issues.apache.org/bugzilla/show_bug.cgi?id=45255 p > Thanks. > > --- ch...@christopherschultz.net wrote: > > From: Christopher Schultz > To: Tomcat Users List > Subject: Re: Session Timeout - Filter Not Called > Date: Thu, 22 Apr 2010 16:45:10 -0400 > > Paul, > > On 4/22/2010 2:44 PM, Paul Carroll wrote: >> I guess what I really need to be able to do is determine when a user creates >> a new session. This could either be done by the user opening the browser >> and browse to our application where the user logs in and the new session is >> created. Or the user's session times out and the user is presented with our >> login page and the user will login and a new session is created. > > I think Bob's suggestion that you use a session marker variable will > take care of this for you, no? > > >> --- rfha...@yahoo.com wrote: > >> From: Bob Hall >> To: Tomcat Users List >> Subject: Re: Session Timeout - Filter Not Called >> Date: Mon, 12 Apr 2010 23:58:45 -0700 (PDT) > >> Paul, > >> --- On Mon, 4/12/10 at 7:21 AM, Paul Carroll wrote: > >>> That works in that my filter is >>> called when the session times out and the user is redirected >>> to the login page. However, the Referer header makes >>> no indication that the user is logging in. > >> What does the referrer header contain? > >>> If the request URI is not null, then I can redirect them to the requested >>> URI if it has been determined that it is a "safe" area that >>> does not need any session variables established. Is >>> there a way to determine if the user's session has timed out >>> and the user is logging in once again? > >> Check for the session variables that would have been set? > >> - Bob > > > > >> - >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org >> For additional commands, e-mail: users-h...@tomcat.apache.org > > > - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org signature.asc Description: OpenPGP digital signature
Re: Session Timeout - Filter Not Called
Yes. I put the session marker in my filter and I perform a simple check each time through the filter to determine if the marker exists and to check if it equals the current session id. Thanks. --- ch...@christopherschultz.net wrote: From: Christopher Schultz To: Tomcat Users List Subject: Re: Session Timeout - Filter Not Called Date: Thu, 22 Apr 2010 16:45:10 -0400 -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Paul, On 4/22/2010 2:44 PM, Paul Carroll wrote: > I guess what I really need to be able to do is determine when a user creates > a new session. This could either be done by the user opening the browser and > browse to our application where the user logs in and the new session is > created. Or the user's session times out and the user is presented with our > login page and the user will login and a new session is created. I think Bob's suggestion that you use a session marker variable will take care of this for you, no? > > --- rfha...@yahoo.com wrote: > > From: Bob Hall > To: Tomcat Users List > Subject: Re: Session Timeout - Filter Not Called > Date: Mon, 12 Apr 2010 23:58:45 -0700 (PDT) > > Paul, > > --- On Mon, 4/12/10 at 7:21 AM, Paul Carroll wrote: > >> That works in that my filter is >> called when the session times out and the user is redirected >> to the login page. However, the Referer header makes >> no indication that the user is logging in. > > What does the referrer header contain? > >> If the request URI is not null, then I can redirect them to the requested >> URI if it has been determined that it is a "safe" area that >> does not need any session variables established. Is >> there a way to determine if the user's session has timed out >> and the user is logging in once again? > > Check for the session variables that would have been set? > > - Bob > > > > > - > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > > > -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkvQtVYACgkQ9CaO5/Lv0PB3lQCfZVO1HEaBGdeIQpsKb3ebkLp5 eUIAn1DndzYGedUzYnapHgKi5DOasGpz =NbBJ -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Session Timeout - Filter Not Called
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Paul, On 4/22/2010 2:44 PM, Paul Carroll wrote: > I guess what I really need to be able to do is determine when a user creates > a new session. This could either be done by the user opening the browser and > browse to our application where the user logs in and the new session is > created. Or the user's session times out and the user is presented with our > login page and the user will login and a new session is created. I think Bob's suggestion that you use a session marker variable will take care of this for you, no? > > --- rfha...@yahoo.com wrote: > > From: Bob Hall > To: Tomcat Users List > Subject: Re: Session Timeout - Filter Not Called > Date: Mon, 12 Apr 2010 23:58:45 -0700 (PDT) > > Paul, > > --- On Mon, 4/12/10 at 7:21 AM, Paul Carroll wrote: > >> That works in that my filter is >> called when the session times out and the user is redirected >> to the login page. However, the Referer header makes >> no indication that the user is logging in. > > What does the referrer header contain? > >> If the request URI is not null, then I can redirect them to the requested >> URI if it has been determined that it is a "safe" area that >> does not need any session variables established. Is >> there a way to determine if the user's session has timed out >> and the user is logging in once again? > > Check for the session variables that would have been set? > > - Bob > > > > > - > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > > > -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkvQtVYACgkQ9CaO5/Lv0PB3lQCfZVO1HEaBGdeIQpsKb3ebkLp5 eUIAn1DndzYGedUzYnapHgKi5DOasGpz =NbBJ -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Session Timeout - Filter Not Called
I guess what I really need to be able to do is determine when a user creates a new session. This could either be done by the user opening the browser and browse to our application where the user logs in and the new session is created. Or the user's session times out and the user is presented with our login page and the user will login and a new session is created. --- rfha...@yahoo.com wrote: From: Bob Hall To: Tomcat Users List Subject: Re: Session Timeout - Filter Not Called Date: Mon, 12 Apr 2010 23:58:45 -0700 (PDT) Paul, --- On Mon, 4/12/10 at 7:21 AM, Paul Carroll wrote: > That works in that my filter is > called when the session times out and the user is redirected > to the login page. However, the Referer header makes > no indication that the user is logging in. What does the referrer header contain? > If the request URI is not null, then I can redirect them to the requested > URI if it has been determined that it is a "safe" area that > does not need any session variables established. Is > there a way to determine if the user's session has timed out > and the user is logging in once again? Check for the session variables that would have been set? - Bob - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Session Timeout - Filter Not Called
Paul, --- On Mon, 4/12/10 at 7:21 AM, Paul Carroll wrote: > That works in that my filter is > called when the session times out and the user is redirected > to the login page. However, the Referer header makes > no indication that the user is logging in. What does the referrer header contain? > If the request URI is not null, then I can redirect them to the requested > URI if it has been determined that it is a "safe" area that > does not need any session variables established. Is > there a way to determine if the user's session has timed out > and the user is logging in once again? Check for the session variables that would have been set? - Bob - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Session Timeout - Filter Not Called
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Paul, On 4/11/2010 7:11 PM, Paul Carroll wrote: > I am using Tomcat 6.0 on Windows Server 2003. It seems that when my > session expires I am redirected to the login page which I would > expect. However, my filter is not called when I am redirected to the > login page. When I used Jetty as my web server, the call was > intercepted by the filter before the user was presented the login > page. Does anyone know why this is the case? The following is the > sections of my web.xml that contains the filter info. Valves are called before filters, and Tomcat's authentication and authorization are implemented as Valves. I don't believe you can have your filter run before the auth Valve. If you need your filter to run first, you can use a filter-based implementation of authentication/authorization such as securityfilter (http://securityfilter.sourceforge.net). - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkvDQb0ACgkQ9CaO5/Lv0PBilQCfad+n775Jion08oe0qpKfPxew vWIAn0CtKOSgmMpW0V3JbrF/MncD3Fqj =bPkC -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Session Timeout - Filter Not Called
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Paul, On 4/11/2010 7:11 PM, Paul Carroll wrote: > I am using Tomcat 6.0 on Windows Server 2003. It seems that when my > session expires I am redirected to the login page which I would > expect. However, my filter is not called when I am redirected to the > login page. When I used Jetty as my web server, the call was > intercepted by the filter before the user was presented the login > page. Does anyone know why this is the case? The following is the > sections of my web.xml that contains the filter info. Valves are called before filters, and Tomcat's authentication and authorization are implemented as Valves. I don't believe you can have your filter run before the auth Valve. If you need your filter to run first, you can use a filter-based implementation of authentication/authorization such as securityfilter (http://securityfilter.sourceforge.net). - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkvDQb0ACgkQ9CaO5/Lv0PBilQCfad+n775Jion08oe0qpKfPxew vWIAn0CtKOSgmMpW0V3JbrF/MncD3Fqj =bPkC -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Session Timeout - Filter Not Called
That works in that my filter is called when the session times out and the user is redirected to the login page. However, the Referer header makes no indication that the user is logging in. In Jetty, the Referer header would be "/login.do". This would indicate that the user is logging in. If the request URI is not null, then I can redirect them to the requested URI if it has been determined that it is a "safe" area that does not need any session variables established. Is there a way to determine if the user's session has timed out and the user is logging in once again? --- rfha...@yahoo.com wrote: From: Bob Hall To: Tomcat Users List Subject: Re: Session Timeout - Filter Not Called Date: Sun, 11 Apr 2010 22:52:37 -0700 (PDT) Paul, --- On Sun, 4/11/10, Paul Carroll wrote: > I am using Tomcat 6.0 on Windows > Server 2003. It seems that when my session expires I > am redirected to the login page which I would expect. > However, my filter is not called when I am redirected to the > login page. When I used Jetty as my web server, the > call was intercepted by the filter before the user was > presented the login page. Does anyone know why this is > the case? The following is the sections of my web.xml > that contains the filter info. > > > SessionTimeoutFilter > com.mycompany.ui.filters.SessionTimeoutFilter > > home > /home.do > > > > > SessionTimeoutFilter > action > > > > action > com.mycompany.ui.web.ActionServlet > > config > > > > > action > *.do > > > > My index.jsp contains 1 line which redirects to home.do. > Your filter is mapped to action which is mapped to *.do Don't know about Jetty, but you will probably get the behavior you expect if you change the element to use: /* (and remove ) - Bob - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Session Timeout - Filter Not Called
Paul, --- On Sun, 4/11/10, Paul Carroll wrote: > I am using Tomcat 6.0 on Windows > Server 2003. It seems that when my session expires I > am redirected to the login page which I would expect. > However, my filter is not called when I am redirected to the > login page. When I used Jetty as my web server, the > call was intercepted by the filter before the user was > presented the login page. Does anyone know why this is > the case? The following is the sections of my web.xml > that contains the filter info. > > > SessionTimeoutFilter > com.mycompany.ui.filters.SessionTimeoutFilter > > home > /home.do > > > > > SessionTimeoutFilter > action > > > > action > com.mycompany.ui.web.ActionServlet > > config > > > > > action > *.do > > > > My index.jsp contains 1 line which redirects to home.do. > Your filter is mapped to action which is mapped to *.do Don't know about Jetty, but you will probably get the behavior you expect if you change the element to use: /* (and remove ) - Bob - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Session Timeout - Filter Not Called
I am using Tomcat 6.0 on Windows Server 2003. It seems that when my session expires I am redirected to the login page which I would expect. However, my filter is not called when I am redirected to the login page. When I used Jetty as my web server, the call was intercepted by the filter before the user was presented the login page. Does anyone know why this is the case? The following is the sections of my web.xml that contains the filter info. SessionTimeoutFilter com.mycompany.ui.filters.SessionTimeoutFilter home /home.do SessionTimeoutFilter action action com.mycompany.ui.web.ActionServlet config /WEB-INF/struts-config.xml debug 0 detail 0 maxFileSize 250M 0 action *.do action com.mycompany.ui.web.ActionServlet config /WEB-INF/struts-config.xml debug 0 detail 0 maxFileSize 250M 2 action *.do /index.jsp /index.htm /index.html FORM mycompany /login.jsp /loginError.do My index.jsp contains 1 line which redirects to home.do. Thanks. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org