______________________________________ From: Dan Haywood [[email protected]] Sent: Friday, July 04, 2014 3:00 PM
> Martin just replied off-line to me, saying: > Wicket's CookieDefaults is only for custom response cookie. The JSESSIONID > cookie is not managed by Wicket at all. The JSESSIONID-cookie indeed has expiration period of "Session" but I even don't loose my session after a day. After login a cookie named "LoggedIn" is created. I've been searching for this key and found this in some Wicket authentication-class and from there I've found the CookieDefaults-class. Copying this class and changing the maxAge really is the only thing I did to configure cookie expiration (what does log me out after the expiration period indeed). > The session timeout can be managed with with web.xml's session-timeout (in > minutes) or via Servlet API - > http://docs.oracle.com/javaee/5/api/javax/servlet/http/HttpSession.html#setMaxInactiveInterval(int) > (in > seconds). I've set the session time out in web.xml but this didn't work. The expiration period for the "LoggedIn" cookie wasn't changed accordingly and my session was still there (or maybe it was restored by the LoggedIn cookie). > HTH > Dan On 4 July 2014 08:58, Dan Haywood <[email protected]> wrote: > Thanks for exploring this further, Erik. > > I've just pinged Martin Grigorov, one of the Wicket committers, and who is > good enough to keep a watching eye over other Apache projects (such as > ours) that use Wicket. I'm hoping he might be able to bring in a little > illumination into this topic. > > Dan > > > > On 4 July 2014 08:03, Erik de Hair <[email protected]> wrote: > >> It looks like the session cookie is set by wicket. There's a class >> "org.apache.wicket.util.cookies.CookieDefaults" that sets the expiration >> maxAge to 30 days. I found no way to configure this (or tell wicket to use >> my modified implementation) so I copied the class into the webapp and set >> the maxAge to the required value (and that does the trick for now). >> >> I'll try to figure out: >> - if it is possible to set the maxAge in Wicket runtime or by >> configuration >> - if Shiro is or can be involved in setting the cookie like in Dan's >> example [1] >> >> Erik >> ________________________________________ >> From: Dan Haywood [[email protected]] >> Sent: Thursday, July 03, 2014 11:52 AM >> To: users >> Subject: Re: configure session timeout >> >> Haven't played around with this myself, so can't advise. >> >> The Shiro mailing list might be a good place to ask. A quick google on >> StackOverflow also threw up [1], which might help >> >> Dan >> >> [1] >> >> http://stackoverflow.com/questions/17556787/shiro-resets-the-session-after-2-min >> >> >> >> >> On 2 July 2014 11:29, Erik de Hair <[email protected]> wrote: >> >> > Hi, >> > >> > How to configure the session timeout of the web app? I tried to set the >> > session time out in web.xml and in shiro.ini but both have no effect. >> The >> > cookie expires in a month... >> > >> > My additional shiro-config (tried to let it expire in 1 minute): >> > >> > [main] >> > ... >> > sessionManager = >> org.apache.shiro.web.session.mgt.DefaultWebSessionManager >> > # 3,600,000 milliseconds = 1 hour >> > sessionManager.globalSessionTimeout = 60000 >> > securityManager.sessionManager = $sessionManager >> > >> > >> > Thanks, >> > Erik >> > >> > >
