Re: Session Timeout - Filter Not Called

2010-04-23 Thread Pid
On 22/04/2010 22:24, Paul Carroll wrote:
 Yes.  I put the session marker in my filter and I perform a simple check each 
 time through the filter to determine if the marker exists and to check if it 
 equals the current session id.

The session id itself may change during login, so I'm not sure if you
should rely on this.  Since Tomcat 6.0.21

 http://issues.apache.org/bugzilla/show_bug.cgi?id=45255


p

 Thanks.
 
 --- ch...@christopherschultz.net wrote:
 
 From: Christopher Schultz ch...@christopherschultz.net
 To: Tomcat Users List users@tomcat.apache.org
 Subject: Re: Session Timeout - Filter Not Called
 Date: Thu, 22 Apr 2010 16:45:10 -0400
 
 Paul,
 
 On 4/22/2010 2:44 PM, Paul Carroll wrote:
 I guess what I really need to be able to do is determine when a user creates 
 a new session.  This could either be done by the user opening the browser 
 and browse to our application where the user logs in and the new session is 
 created.  Or the user's session times out and the user is presented with our 
 login page and the user will login and a new session is created.
 
 I think Bob's suggestion that you use a session marker variable will
 take care of this for you, no?
 
 
 --- rfha...@yahoo.com wrote:
 
 From: Bob Hall rfha...@yahoo.com
 To: Tomcat Users List users@tomcat.apache.org
 Subject: Re: Session Timeout - Filter Not Called
 Date: Mon, 12 Apr 2010 23:58:45 -0700 (PDT)
 
 Paul,
 
 --- On Mon, 4/12/10 at 7:21 AM, Paul Carroll pcarr...@nfmail.net wrote:
 
 That works in that my filter is
 called when the session times out and the user is redirected
 to the login page.  However, the Referer header makes
 no indication that the user is logging in.
 
 What does the referrer header contain?
 
 If the request URI is not null, then I can redirect them to the requested
 URI if it has been determined that it is a safe area that
 does not need any session variables established.  Is
 there a way to determine if the user's session has timed out
 and the user is logging in once again?
 
 Check for the session variables that would have been set?
 
 - Bob
 
 
 
 
 -
 To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
 For additional commands, e-mail: users-h...@tomcat.apache.org
 
 
 

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org




-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org





signature.asc
Description: OpenPGP digital signature


Re: Session Timeout - Filter Not Called

2010-04-23 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Paul,

On 4/22/2010 5:24 PM, Paul Carroll wrote:
 Yes.  I put the session marker in my filter and I perform a simple
 check each time through the filter to determine if the marker exists
 and to check if it equals the current session id.

Okay, so what's the problem?

As Pid says, the session id isn't a good thing to use. Why not just set
your attribute to Boolean.TRUE? The value doesn't actually matter...
it's only important that it's been set to /something/.

- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkvRyf8ACgkQ9CaO5/Lv0PAxKACfQlqzaDX2WwpDb+qGAnSTqwZD
a5oAn0SwNNkndH3oHbWHa+EtsVI54ujW
=de9D
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Session Timeout - Filter Not Called

2010-04-22 Thread Paul Carroll
I guess what I really need to be able to do is determine when a user creates a 
new session.  This could either be done by the user opening the browser and 
browse to our application where the user logs in and the new session is 
created.  Or the user's session times out and the user is presented with our 
login page and the user will login and a new session is created.

--- rfha...@yahoo.com wrote:

From: Bob Hall rfha...@yahoo.com
To: Tomcat Users List users@tomcat.apache.org
Subject: Re: Session Timeout - Filter Not Called
Date: Mon, 12 Apr 2010 23:58:45 -0700 (PDT)

Paul,

--- On Mon, 4/12/10 at 7:21 AM, Paul Carroll pcarr...@nfmail.net wrote:

 That works in that my filter is
 called when the session times out and the user is redirected
 to the login page.  However, the Referer header makes
 no indication that the user is logging in.

What does the referrer header contain?

 If the request URI is not null, then I can redirect them to the requested
 URI if it has been determined that it is a safe area that
 does not need any session variables established.  Is
 there a way to determine if the user's session has timed out
 and the user is logging in once again?

Check for the session variables that would have been set?

- Bob




-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org





Re: Session Timeout - Filter Not Called

2010-04-22 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Paul,

On 4/22/2010 2:44 PM, Paul Carroll wrote:
 I guess what I really need to be able to do is determine when a user creates 
 a new session.  This could either be done by the user opening the browser and 
 browse to our application where the user logs in and the new session is 
 created.  Or the user's session times out and the user is presented with our 
 login page and the user will login and a new session is created.

I think Bob's suggestion that you use a session marker variable will
take care of this for you, no?

 
 --- rfha...@yahoo.com wrote:
 
 From: Bob Hall rfha...@yahoo.com
 To: Tomcat Users List users@tomcat.apache.org
 Subject: Re: Session Timeout - Filter Not Called
 Date: Mon, 12 Apr 2010 23:58:45 -0700 (PDT)
 
 Paul,
 
 --- On Mon, 4/12/10 at 7:21 AM, Paul Carroll pcarr...@nfmail.net wrote:
 
 That works in that my filter is
 called when the session times out and the user is redirected
 to the login page.  However, the Referer header makes
 no indication that the user is logging in.
 
 What does the referrer header contain?
 
 If the request URI is not null, then I can redirect them to the requested
 URI if it has been determined that it is a safe area that
 does not need any session variables established.  Is
 there a way to determine if the user's session has timed out
 and the user is logging in once again?
 
 Check for the session variables that would have been set?
 
 - Bob
 
 
 
 
 -
 To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
 For additional commands, e-mail: users-h...@tomcat.apache.org
 
 
 
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkvQtVYACgkQ9CaO5/Lv0PB3lQCfZVO1HEaBGdeIQpsKb3ebkLp5
eUIAn1DndzYGedUzYnapHgKi5DOasGpz
=NbBJ
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Session Timeout - Filter Not Called

2010-04-22 Thread Paul Carroll
Yes.  I put the session marker in my filter and I perform a simple check each 
time through the filter to determine if the marker exists and to check if it 
equals the current session id.

Thanks.

--- ch...@christopherschultz.net wrote:

From: Christopher Schultz ch...@christopherschultz.net
To: Tomcat Users List users@tomcat.apache.org
Subject: Re: Session Timeout - Filter Not Called
Date: Thu, 22 Apr 2010 16:45:10 -0400

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Paul,

On 4/22/2010 2:44 PM, Paul Carroll wrote:
 I guess what I really need to be able to do is determine when a user creates 
 a new session.  This could either be done by the user opening the browser and 
 browse to our application where the user logs in and the new session is 
 created.  Or the user's session times out and the user is presented with our 
 login page and the user will login and a new session is created.

I think Bob's suggestion that you use a session marker variable will
take care of this for you, no?

 
 --- rfha...@yahoo.com wrote:
 
 From: Bob Hall rfha...@yahoo.com
 To: Tomcat Users List users@tomcat.apache.org
 Subject: Re: Session Timeout - Filter Not Called
 Date: Mon, 12 Apr 2010 23:58:45 -0700 (PDT)
 
 Paul,
 
 --- On Mon, 4/12/10 at 7:21 AM, Paul Carroll pcarr...@nfmail.net wrote:
 
 That works in that my filter is
 called when the session times out and the user is redirected
 to the login page.  However, the Referer header makes
 no indication that the user is logging in.
 
 What does the referrer header contain?
 
 If the request URI is not null, then I can redirect them to the requested
 URI if it has been determined that it is a safe area that
 does not need any session variables established.  Is
 there a way to determine if the user's session has timed out
 and the user is logging in once again?
 
 Check for the session variables that would have been set?
 
 - Bob
 
 
 
 
 -
 To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
 For additional commands, e-mail: users-h...@tomcat.apache.org
 
 
 
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkvQtVYACgkQ9CaO5/Lv0PB3lQCfZVO1HEaBGdeIQpsKb3ebkLp5
eUIAn1DndzYGedUzYnapHgKi5DOasGpz
=NbBJ
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org




-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Session Timeout - Filter Not Called

2010-04-13 Thread Bob Hall
Paul,

--- On Mon, 4/12/10 at 7:21 AM, Paul Carroll pcarr...@nfmail.net wrote:

 That works in that my filter is
 called when the session times out and the user is redirected
 to the login page.  However, the Referer header makes
 no indication that the user is logging in.

What does the referrer header contain?

 If the request URI is not null, then I can redirect them to the requested
 URI if it has been determined that it is a safe area that
 does not need any session variables established.  Is
 there a way to determine if the user's session has timed out
 and the user is logging in once again?

Check for the session variables that would have been set?

- Bob




-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Session Timeout - Filter Not Called

2010-04-12 Thread Paul Carroll
That works in that my filter is called when the session times out and the user 
is redirected to the login page.  However, the Referer header makes no 
indication that the user is logging in.  In Jetty, the Referer header would be 
/login.do.  This would indicate that the user is logging in.  If the request 
URI is not null, then I can redirect them to the requested URI if it has been 
determined that it is a safe area that does not need any session variables 
established.  Is there a way to determine if the user's session has timed out 
and the user is logging in once again?

--- rfha...@yahoo.com wrote:

From: Bob Hall rfha...@yahoo.com
To: Tomcat Users List users@tomcat.apache.org
Subject: Re: Session Timeout - Filter Not Called
Date: Sun, 11 Apr 2010 22:52:37 -0700 (PDT)

Paul,

--- On Sun, 4/11/10, Paul Carroll pcarr...@nfmail.net wrote:

 I am using Tomcat 6.0 on Windows
 Server 2003.  It seems that when my session expires I
 am redirected to the login page which I would expect. 
 However, my filter is not called when I am redirected to the
 login page.  When I used Jetty as my web server, the
 call was intercepted by the filter before the user was
 presented the login page.  Does anyone know why this is
 the case?  The following is the sections of my web.xml
 that contains the filter info.
 
 filter
   filter-nameSessionTimeoutFilter/filter-name
     filter-classcom.mycompany.ui.filters.SessionTimeoutFilter/filter-class
       init-param
         param-namehome/param-name
         param-value/home.do/param-value
       /init-param
     /filter
 
     filter-mapping
       filter-nameSessionTimeoutFilter/filter-name
       servlet-nameaction/servlet-name
     /filter-mapping
 
     servlet
   servlet-nameaction/servlet-name
       servlet-classcom.mycompany.ui.web.ActionServlet/servlet-class
       init-param
         param-nameconfig/param-name
   /init-param
     /servlet

 servlet-mapping 
   servlet-nameaction/servlet-name
       url-pattern*.do/url-pattern
     /servlet-mapping
 
 
 My index.jsp contains 1 line which redirects to home.do.
 

Your filter is mapped to servlet-name action which is mapped to url-pattern 
*.do

Don't know about Jetty, but you will probably get the behavior you expect if 
you change the filter-mapping element to use:
  url-mapping/*/url-mapping (and remove servlet-name)

- Bob





-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org





Re: Session Timeout - Filter Not Called

2010-04-12 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Paul,

On 4/11/2010 7:11 PM, Paul Carroll wrote:
 I am using Tomcat 6.0 on Windows Server 2003.  It seems that when my
 session expires I am redirected to the login page which I would
 expect.  However, my filter is not called when I am redirected to the
 login page.  When I used Jetty as my web server, the call was
 intercepted by the filter before the user was presented the login
 page.  Does anyone know why this is the case?  The following is the
 sections of my web.xml that contains the filter info.

Valves are called before filters, and Tomcat's authentication and
authorization are implemented as Valves. I don't believe you can have
your filter run before the auth Valve.

If you need your filter to run first, you can use a filter-based
implementation of authentication/authorization such as securityfilter
(http://securityfilter.sourceforge.net).

- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkvDQb0ACgkQ9CaO5/Lv0PBilQCfad+n775Jion08oe0qpKfPxew
vWIAn0CtKOSgmMpW0V3JbrF/MncD3Fqj
=bPkC
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Session Timeout - Filter Not Called

2010-04-12 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Paul,

On 4/11/2010 7:11 PM, Paul Carroll wrote:
 I am using Tomcat 6.0 on Windows Server 2003.  It seems that when my
 session expires I am redirected to the login page which I would
 expect.  However, my filter is not called when I am redirected to the
 login page.  When I used Jetty as my web server, the call was
 intercepted by the filter before the user was presented the login
 page.  Does anyone know why this is the case?  The following is the
 sections of my web.xml that contains the filter info.

Valves are called before filters, and Tomcat's authentication and
authorization are implemented as Valves. I don't believe you can have
your filter run before the auth Valve.

If you need your filter to run first, you can use a filter-based
implementation of authentication/authorization such as securityfilter
(http://securityfilter.sourceforge.net).

- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkvDQb0ACgkQ9CaO5/Lv0PBilQCfad+n775Jion08oe0qpKfPxew
vWIAn0CtKOSgmMpW0V3JbrF/MncD3Fqj
=bPkC
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Session Timeout - Filter Not Called

2010-04-11 Thread Paul Carroll
I am using Tomcat 6.0 on Windows Server 2003.  It seems that when my session 
expires I am redirected to the login page which I would expect.  However, my 
filter is not called when I am redirected to the login page.  When I used Jetty 
as my web server, the call was intercepted by the filter before the user was 
presented the login page.  Does anyone know why this is the case?  The 
following is the sections of my web.xml that contains the filter info.

filter
filter-nameSessionTimeoutFilter/filter-name

filter-classcom.mycompany.ui.filters.SessionTimeoutFilter/filter-class
init-param
param-namehome/param-name
param-value/home.do/param-value
/init-param
   /filter

filter-mapping
filter-nameSessionTimeoutFilter/filter-name
servlet-nameaction/servlet-name
/filter-mapping

  servlet
servlet-nameaction/servlet-name
servlet-classcom.mycompany.ui.web.ActionServlet/servlet-class
init-param
  param-nameconfig/param-name
  param-value/WEB-INF/struts-config.xml/param-value
/init-param
init-param
  param-namedebug/param-name
  param-value0/param-value
/init-param
init-param
  param-namedetail/param-name
  param-value0/param-value
/init-param
init-param
  param-namemaxFileSize/param-name
  param-value250M/param-value
/init-param
load-on-startup0/load-on-startup
  /servlet

  servlet-mapping
servlet-nameaction/servlet-name
url-pattern*.do/url-pattern
  /servlet-mapping


  servlet
servlet-nameaction/servlet-name
servlet-classcom.mycompany.ui.web.ActionServlet/servlet-class
init-param
  param-nameconfig/param-name
  param-value/WEB-INF/struts-config.xml/param-value
/init-param
init-param
  param-namedebug/param-name
  param-value0/param-value
/init-param
init-param
  param-namedetail/param-name
  param-value0/param-value
/init-param
init-param
  param-namemaxFileSize/param-name
  param-value250M/param-value
/init-param
load-on-startup2/load-on-startup
  /servlet

  servlet-mapping
servlet-nameaction/servlet-name
url-pattern*.do/url-pattern
  /servlet-mapping

  welcome-file-list
welcome-file/index.jsp/welcome-file
welcome-file/index.htm/welcome-file
welcome-file/index.html/welcome-file
  /welcome-file-list

login-config
auth-methodFORM/auth-method
realm-namemycompany/realm-name
form-login-config
form-login-page/login.jsp/form-login-page
form-error-page/loginError.do/form-error-page
/form-login-config
/login-config

My index.jsp contains 1 line which redirects to home.do.

Thanks.

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Session Timeout - Filter Not Called

2010-04-11 Thread Bob Hall
Paul,

--- On Sun, 4/11/10, Paul Carroll pcarr...@nfmail.net wrote:

 I am using Tomcat 6.0 on Windows
 Server 2003.  It seems that when my session expires I
 am redirected to the login page which I would expect. 
 However, my filter is not called when I am redirected to the
 login page.  When I used Jetty as my web server, the
 call was intercepted by the filter before the user was
 presented the login page.  Does anyone know why this is
 the case?  The following is the sections of my web.xml
 that contains the filter info.
 
 filter
   filter-nameSessionTimeoutFilter/filter-name
     filter-classcom.mycompany.ui.filters.SessionTimeoutFilter/filter-class
       init-param
         param-namehome/param-name
         param-value/home.do/param-value
       /init-param
     /filter
 
     filter-mapping
       filter-nameSessionTimeoutFilter/filter-name
       servlet-nameaction/servlet-name
     /filter-mapping
 
     servlet
   servlet-nameaction/servlet-name
       servlet-classcom.mycompany.ui.web.ActionServlet/servlet-class
       init-param
         param-nameconfig/param-name
   /init-param
     /servlet

 servlet-mapping 
   servlet-nameaction/servlet-name
       url-pattern*.do/url-pattern
     /servlet-mapping
 
 
 My index.jsp contains 1 line which redirects to home.do.
 

Your filter is mapped to servlet-name action which is mapped to url-pattern 
*.do

Don't know about Jetty, but you will probably get the behavior you expect if 
you change the filter-mapping element to use:
  url-mapping/*/url-mapping (and remove servlet-name)

- Bob





-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org