André,

On 9/14/2010 6:27 PM, André Warnier wrote:
> Debbie Shapiro wrote:
>> Hi Wesley -
>> I logged in to my web app, ran a report and then left it alone for 45
>> minutes. Came back and tried to run another report. I was expecting to
>> receive a prompt to log in again, but instead it runs the second report.
>> I also have a case open with InetSoft on this, but they are pointing me
>> to my Tomcat configuration.
>>
> A question to the developers maybe: does the timeout attribute mean
> that the server /must/ time out the session after that period of
> inactivity, or just that it /may/ time it out? (such as for example if
> it needs to, because it needs the space)

See the spec (r2.5 in this case) SRV.7.5 "Session Timeouts":

"
In the HTTP protocol, there is no explicit termination signal when a
client is no longer active. This means that the only mechanism that can
be used to indicate when a client is no longer active is a timeout period.

...

Once the session invalidation is initiated, a new request must not be
able to see that session.
"

So, the spec defines the default inactive timeout, indicates that the
server should (but does not exactly say MUST/SHALL, though it's pretty
clear that enforcement is not optional) expire timed-out sessions and
that, once timed-out, they are no longer allowed to be used.

-chris
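A diagnostic for the symptom discussed in this thread, added here as an example and not part of the original message or of Tomcat's code: a Servlet 2.5 filter that logs, on every request, how long the session had been idle against its configured timeout, so you can see whether the session was really untouched for 45 minutes. The class name `SessionIdleLogFilter` is hypothetical, and the filter is assumed to be mapped to `/*` in the application's `web.xml`.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Hypothetical diagnostic filter: logs session idle time vs. timeout. */
public class SessionIdleLogFilter implements Filter {
    private ServletContext ctx;

    public void init(FilterConfig cfg) {
        ctx = cfg.getServletContext();
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            HttpServletRequest http = (HttpServletRequest) req;
            // getSession(false): never create a session just to inspect it.
            HttpSession s = http.getSession(false);
            if (s == null) {
                // Either no session cookie was sent, or the id it named is
                // no longer valid (for example, it timed out).
                ctx.log("uri=" + http.getRequestURI()
                        + " session=none sentId=" + (http.getRequestedSessionId() != null)
                        + " sentIdValid=" + http.isRequestedSessionIdValid());
            } else {
                long idleSec = (System.currentTimeMillis() - s.getLastAccessedTime()) / 1000;
                int maxSec = s.getMaxInactiveInterval(); // negative: never times out
                // The session id is deliberately not logged.
                ctx.log("uri=" + http.getRequestURI()
                        + " idleSec=" + idleSec
                        + " maxInactiveSec=" + maxSec
                        + " isNew=" + s.isNew());
            }
        }
        chain.doFilter(req, res);
    }

    public void destroy() {
    }
}
```

If `idleSec` stays small between the two reports, something else is sending requests on the session; if `maxInactiveSec` is negative or larger than expected, the timeout in effect is not the one configured.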