Tomcat behaves according to the Servlet/JSP specs.
It creates a new session if a request is made after the previous one expires.
It's not too difficult to write your own; I did.

-Write a session-timeout.jsp with a link to your login.

-Define a context-param in web.xml (session-timeout-page-url) or something 
like that, which defines the name of your session-timeout.jsp

-At the top of every servlet check for the existence of an object that gets 
put in session during login (an empty string will do). If it's null, forward 
to the session-timeout.jsp. Of course, you could also just forward straight 
to the login page and bypass the session-timeout.jsp altogether. 



If you're doing everything with JSPs, you could just use an include for the 
code that does the checking so you don't have to put the same code on the top 
of every JSP.

You could also do the same thing from a Filter.




On Wednesday 19 May 2004 04:35 pm, Jonathan Eric Miller wrote:
> It's too bad there isn't a <session-timeout-page> element that you can put
> in web.xml kind of like the <error-page> element...
>
> Jon
>
> ----- Original Message -----
> From: "Jonathan Eric Miller" <[EMAIL PROTECTED]>
> To: "Tomcat Users List" <[EMAIL PROTECTED]>;
> <[EMAIL PROTECTED]>
> Sent: Wednesday, May 19, 2004 2:58 PM
> Subject: Re: Session Timeout and "Direct Reference to login page"
>
> > Renato,
> >
> > Did you ever receive a response to this? I'm having the same problem.
> >
> > My current problem is slightly more complicated though. I have my
> > application protected using container based security, but, I also have
> > single-sign on enabled. So, the user doesn't get redirected back to the
> > login page when the session times out.
> >
> > Previously, I used to make it so that if the session had expired
> > (detected by my main JavaBean not being present (I was never able to
> > figure out how to determine whether it was a new session or one that
> > had expired and hence couldn't display an error message in the latter
> > case)), I'd just redirect the user back to the first page of my
> > application. However, now, I'm using JavaServer Faces. As a result, I'm
> > not the one implementing the controller part of my application, JSF is.
> >
> > Someone mentioned something about using HttpSessionListener. I don't see
> > how that can work because you don't have a handle to the request and
> > response.
> >
> > Is there a standard way of handling session timeouts?
> >
> > All I want to do is detect when a session has timed out for a user and
> > display a page stating such when the user makes a request after the
> > session has timed out. It seems like this should be a straightforward
> > thing to do. Am I missing something?
> >
> > Jon
> >
> > ----- Original Message -----
> > From: "Renato Romano" <[EMAIL PROTECTED]>
> > To: "'Tomcat Users List'" <[EMAIL PROTECTED]>
> > Sent: Tuesday, March 02, 2004 3:31 AM
> > Subject: Session Timeout and "Direct Reference to login page"
> >
> > > I have two problems I'm facing with every web application using
> > > declarative security model, that is:
> > >
> > > 1) Detect that the user session has expired, and forward him to an
> > > appropriate login page; Usually we build webapp in which the home page
> > > shows a login form; to handle this, I use to make a "index.jsp" page
> > > which redirects the user to a protected page; this is handled by the
> > > container which then shows my login page (as specified in web.xml) that
> > > is my HOME page. With this approach however, I can't detect session
> > > expiring, so if the session times out, the user is presented with the
> > > HOME page (the login page) without further notice or advice!! I tried
> > > to solve this with a filter, but it seems the container (Tomcat
> > > 4.1.127 inside Jboss) forwards to the login page without calling the
> > > filter.
> > >
> > > 2) If the user waits too long reading the home/login page, the session
> > > times out, Tomcat loses the reference to the previously requested
> > > protected page, and on login shows an "Invalid Direct reference to form
> > > login page" error. Again a filter seems not to be useful in this case,
> > > since Tomcat commits the error without calling the filter!!
> > >
> > > Any help or hint on this topic is very, very appreciated
> > >
> > > Renato
> > >
> > >
> > > ____________________________________
> > > Renato Romano
> > > Sistemi e Telematica S.p.A.
> > > Calata Grazie - Vial Al Molo Giano
> > > 16127 - GENOVA
> > >
> > > e-mail: [EMAIL PROTECTED]
> > > Tel.:   010 2712603
> > > _____________________________________
> > >
> > >
> > >
> > >
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > For additional commands, e-mail: [EMAIL PROTECTED]

-- 
Ben Souther
F.W. Davison & Company, Inc.
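
The Filter variant of the check described at the top of this message, as an added example (not Ben Souther's code). It assumes application-managed login, a filter mapped to `/*`, a login page that handles its own form post, and two names that are not from the thread: the session attribute `loggedIn` and the filter init-param `login-page-url`. It also uses `getRequestedSessionId()` and `isRequestedSessionIdValid()` to tell an expired session apart from a visitor who never logged in; with container-managed form login the container may forward to the login page before any filter runs, as Renato reports.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example. Names marked "assumed" do not come from the thread.
public class SessionTimeoutFilter implements Filter {
    // Assumed attribute name: the login code must call
    // session.setAttribute(LOGIN_MARKER, "") after a successful login.
    static final String LOGIN_MARKER = "loggedIn";
    private String timeoutPage; // context-param session-timeout-page-url
    private String loginPage;   // assumed filter init-param login-page-url

    public void init(FilterConfig cfg) throws ServletException {
        timeoutPage = cfg.getServletContext()
                         .getInitParameter("session-timeout-page-url");
        loginPage = cfg.getInitParameter("login-page-url");
        if (timeoutPage == null || loginPage == null) {
            // Fail closed: refuse to start rather than run without the check.
            throw new ServletException("timeout/login page not configured");
        }
    }

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        String path = req.getServletPath();
        // The two public pages must pass, or a direct request to them would loop.
        if (path.equals(timeoutPage) || path.equals(loginPage)) {
            chain.doFilter(rq, rs);
            return;
        }
        // getSession(false): never create a fresh session just to inspect it.
        HttpSession session = req.getSession(false);
        if (session != null && session.getAttribute(LOGIN_MARKER) != null) {
            chain.doFilter(rq, rs);
            return;
        }
        // The browser presented a session id the container no longer
        // recognises: the session expired (or was invalidated).
        boolean expired = req.getRequestedSessionId() != null
                && !req.isRequestedSessionIdValid();
        req.getRequestDispatcher(expired ? timeoutPage : loginPage)
           .forward(rq, rs);
    }

    public void destroy() { }
}
```

Because the login marker is checked on every request, a request that arrives with a stale or missing session never reaches a protected servlet or JSP, whichever of the two pages it is sent to.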

