-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Konstantin,

On 7/14/2011 10:53 AM, Christopher Schultz wrote:
> On 7/14/2011 10:40 AM, Konstantin Kolinko wrote:
>> 
>> I cannot say without reading the letter of the spec.
> 
> I'll take a look.

Servlet 3.0 section 14.4.10 is the only place I can see that
cookie-config is mentioned at all. Unfortunately, it's shown in an image
and therefore not findable using text search. :( It doesn't show that
cookie-config has any sub-elements, either (just that they exist, it
just doesn't show them).

So, we have to turn to the XML Schema documentation for the element.

The parent schema, http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd,
says nothing because the definitions come from
http://java.sun.com/xml/ns/javaee/web-common_3_0.xsd, where
cookie-config is defined along with it's sub elements, including <max-age>:

      <xsd:element name="max-age"
                   type="javaee:xsdIntegerType"
                   minOccurs="0">
        <xsd:annotation>
          <xsd:documentation>

            The lifetime (in seconds) that will be assigned to any
            session tracking cookies created by this web application.
            Default is -1

          </xsd:documentation>
        </xsd:annotation>
      </xsd:element>

That's pretty much all we have to go on.

Since it's a cookie property, the server has no control over it after
the initial Set-Cookie response header. That is, the client controls the
actual expiration of the cookie as it sees fit.

java/org/apache/catalina/connector/Request.doGetSession (and, later,
java/org/apache/catalina/connector/Request.changeSessionId) are
responsible for actually creating the session cookies and then adding
them to the response.

I don't see any logic in there for checking the max-age and re-sending
the cookie to update the client.

The question, though, is what is the intent of the setting? There are
two ways to interpret <cookie-config><max-age>:

1. The value is used to set an absolute maximum age of the cookie,
   relative to the creation of the session. The cookie expires after
   that, and the session is effectively lost after that. The semantics
   here are of a server session with a client-enforced expiration
   some fixed time in the future, regardless of how recently the
   user visited the server.

2. The value is used to set a sliding maximum age of the cookie,
   essentially mirroring the server-side behavior with a client-enforced
   session expiration (by proxy via the cookie).

#1 seems like it could be useful if you wanted a hard-maximum on the
length of the session, like "in 10 hours, you're done no matter what".

#2 seems like it solves a historically spec-ignored situation: allowing
cookie-based sessions to survive a browser restart. When using URL
rewriting, the session only expires if the server says it does, and this
allows cookie-based session tracking to enjoy the same benefits.

If #2 is the intended behavior, then this is a bug in Tomcat.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk4gU5MACgkQ9CaO5/Lv0PAoAACfW3jw8bcuaUze4b2+EtEUP6eV
PU0An0tSpjNAz2zKnTwY56vFHj16AE2x
=ZpJv
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Reply via email to