I would like Tomcat to automatically redirect to a special session expiry notification page when a user session times out. I am currently using the meta tag to force redirection as follows:
<meta http-equiv="refresh" content="${pageContext.session.maxInactiveInterval};url=sessionTimeout.jsp"> However, I also have an unload Javascipt directive in some of my pages to prompt users when they navigate away from these pages. The JavaScirpt code looks like this: window.onbeforeunload = confirmUnload(); function confirmUnload() { return "Navigate away?"; } I am not sure I understand exactly why, but it seems to me that, although the sessionTimeout.jsp page is not protected, if the user responds to "Navigate away" prompt after Tomcat removes the session from the session list, then, Tomcat presents the login form instead of the session expiry notification page. Once user submits the login form, Tomcat reports an HTTP Status 400 - Invalid direct reference to form login page. I am not sure exactly what happens behind the scens and would like to get some advice to better troubleshoot or fix this kind of issue. I would also like to know why ${pageContext.session.maxInactiveInterval} evaluates to 900 even if I set the session-timeout variable to 1 minute in the application web.xml configuration file (and even in Tomcat conf/web.xml file). I find it odd that looking at the manager application main page, the sessions listed on that page show Expire sessions with idle >= 1 minutes, but yet, the TTL in the application session page starts at 15 minutes and session only expires after 15 minutes. I am using Tomcat 6.0.18. Martin