I would like Tomcat to automatically redirect to a special session expiry
notification page when a user session times out. I am currently using the
meta tag to force redirection as follows:
<meta http-equiv="refresh"
content="${pageContext.session.maxInactiveInterval};url=sessionTimeout.jsp">
However, I also have an unload Javascipt directive in some of my pages to
prompt users when they navigate away from these pages. The JavaScirpt code
looks like this:
window.onbeforeunload = confirmUnload();
function confirmUnload() {
return "Navigate away?";
}
I am not sure I understand exactly why, but it seems to me that, although
the sessionTimeout.jsp page is not protected, if the user responds to
"Navigate away" prompt after Tomcat removes the session from the session
list, then, Tomcat presents the login form instead of the session expiry
notification page. Once user submits the login form, Tomcat reports an HTTP
Status 400 - Invalid direct reference to form login page. I am not sure
exactly what happens behind the scens and would like to get some advice to
better troubleshoot or fix this kind of issue.
I would also like to know why ${pageContext.session.maxInactiveInterval}
evaluates to 900 even if I set the session-timeout variable to 1 minute in
the application web.xml configuration file (and even in Tomcat conf/web.xml
file). I find it odd that looking at the manager application main page, the
sessions listed on that page show Expire sessions with idle >= 1 minutes,
but yet, the TTL in the application session page starts at 15 minutes and
session only expires after 15 minutes.
I am using Tomcat 6.0.18.
Martin
