Chris,

On 12/1/2015 1:28 PM, Christopher Schultz wrote:
Jerry,

On 12/1/15 12:30 PM, Jerry Malcolm wrote:
I'm looking for a way to detect that the current session has expired (or
logged out via another tab on the browser).  I know I could just issue
dummy requests to the server and see if a login page comes back.  But
issuing requests automatically resets the session timer. I need a benign
way to query that doesn't keep the session alive forever.

I'm sure this problem has been solved before.  But basically, I want to
know that the session is no longer valid and force the user back to the
login page.  I know one possibility is to set the Tomcat timer to 30 min
expiration, and then keep a '29 minute' timer running in the browser.
But my clients can change the tomcat session timer length.
When you generate your HTML page, toss the
HttpSession.getMaxInactiveInterval into the page somewhere, then wait
that number of minutes. Don't hard-code 29 minutes (though 31 would have
been a better time to wait if you didn't want to automatically-extend
the session).

And also this doesn't account for a logoff using the same session on
a different browser tab.  I'd really like a pro-active query method
if anything like that exists.
Try something like this:

- Set -Dorg.apache.catalina.core.StandardHostValve.ACCESS_SESSION=false
   (false is the default if org.apache.catalina.STRICT_SERVLET_COMPLIANCE
    is not set to "true")
Does this go in service.bat?  Separate line?


- Write a quick page like this:

   session-check.jsp:
   <%@ page session="false" contentType="application/json" %>
   { "valid" : <%= request.isRequestedSessionIdValid() %> }

Then you can request this page to see the value of "valid".

I wasn't able to tell if the isRequestedSessionIdValid method is
supposed to "touch" the session's last-update-timestamp. I read some
code in Tomcat and didn't find a "touch" but that doesn't mean it
couldn't change. I didn't see anything in the spec that specifically
said that method doesn't "touch" the session.
This makes sense as long as it truly does not keep the session alive. Just to be sure I understand things, if I first access an unprotected file requiring no login, I'll have a valid session. But I'll still get the login page if later I access a protected file in that same session, correct? Not a big deal. I'll just have to only use this on pages that assure a login has occurred. Also, I assume I should put the session-check.jsp in an unprotected folder, otherwise I'll get a login challenge before I even can get to the session-check, right?

Thanks.

Jerry
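
A browser-side poller for the session-check.jsp approach discussed in this thread, as an added example that is not part of any poster's message. It tells a JSON answer apart from a login form or a server error so that a transient failure does not log the user out. The URLs and function names are assumptions, and it relies on the check request not extending the session, which the thread leaves open.

```javascript
// Added example. CHECK_URL, LOGIN_URL and all function names are assumptions.
const CHECK_URL = '/public/session-check.jsp'; // assumed unprotected location
const LOGIN_URL = '/login.jsp';                // assumed login page

// Interpret one response from the check page: 'valid', 'expired' or 'unknown'.
function classifySessionCheck(status, contentType, body) {
  if (status === 401 || status === 403) return 'expired';
  // 5xx, proxy errors and the like say nothing about the session: retry later.
  if (status < 200 || status >= 300) return 'unknown';
  // Assumption: a 2xx reply that is not JSON is the container's login form,
  // which is what comes back if the check page sits behind a constraint.
  if (!/^application\/json\b/i.test(contentType || '')) return 'expired';
  try {
    const valid = JSON.parse(body).valid;
    if (valid === true) return 'valid';
    if (valid === false) return 'expired';
  } catch (e) {
    // Truncated or malformed JSON: fall through to 'unknown'.
  }
  return 'unknown';
}

// One poll. fetchFn is injected so the logic can run outside a browser.
async function checkOnce(fetchFn) {
  try {
    const res = await fetchFn(CHECK_URL, { credentials: 'same-origin', cache: 'no-store' });
    return classifySessionCheck(res.status, res.headers.get('content-type'), await res.text());
  } catch (e) {
    return 'unknown'; // network failure: keep the page as it is
  }
}

// Poll every intervalSeconds; stop and call onExpired once the session is gone.
function startSessionWatch(intervalSeconds, fetchFn, onExpired) {
  const timer = setInterval(async () => {
    if ((await checkOnce(fetchFn)) === 'expired') {
      clearInterval(timer);
      onExpired();
    }
  }, intervalSeconds * 1000);
  return timer;
}

// In a page:
// startSessionWatch(60, (u, o) => fetch(u, o), () => location.assign(LOGIN_URL));
```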

