Christopher,
So to recap, and verify my understanding...
Perhaps I am missing some valve overview.
I understand it is invoked before the filters, but after completion it would
arrive to the filter/servlet container anyway.
So what your saying is that if I build a valve and read information from IO
file or/db or any other cached data which doesn’t trigger a request.getSession
That will work?
And if so, I will still need to "break" the chain and prevent it from
continuing deeper into tomcat or else it will update the session access time
Did I get it right?
Sharon
-----Original Message-----
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: Thursday, November 10, 2011 8:04 AM
To: Tomcat Users List
Subject: Re: Session time out never takes place with ajax
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Sharon,
On 11/9/11 12:56 AM, Sharon Prober (sprober) wrote:
> This is my first post here so wish me luck J
Welcome.
> My question is as follow:
>
> I have a web based application running on tomcat 6.0.29
>
> On my main page there is a polling ajax call every 5 seconds.
>
> Clearly this revalidates the session and by that renders the
> session timeout feature unusable
Yes.
> I read about two main solutions for this issue
>
> 1. Coding on the server side (filter) a simple snippet that
> identifies an ajax call based on a parameter passed and based on
> that knows if this is a valid post or a polling hit that should not
> affect the session expiration date
This is problematic for a few reasons:
1. You usually want a polling request to return something of use, which
often involves the session. You can't access the session without
updating its last-accessed-time.
2. Under certain configuration, Tomcat will update the
last-accessed-time of the session even if you don't call
request.getSession().
This may be only the case in Tomcat 7 with the following
configuration settings:
See the org.apache.catalina.core. StandardHostValve.ACCESS_SESSION
and org.apache.catalina.STRICT_SERVLET_COMPLIANCE system properties
here:
http://tomcat.apache.org/tomcat-7.0-doc/config/systemprops.html#Sessions
> 2. Create a stub webapp and redirect the calls of the polling
> to that app
I'm not sure this buys you anything: if you pass-through calls to the
"real" webapp, then you'll still be touching the session.
> So my question is, is there another way for this to be achieved?
It would be best to describe what your "ping" actually does. If it
doesn't require session access, you may have some options.
> Note. I think it might be a cool feature (with the vast ajax use
> these days) to have a configuration in the web.xml the excludes
> various paths/urls from the session validation checkups
This would, by definition, be a violation of the specification.
Instead, something like a Valve placed early in the pipeline could
avoid a session update but still perform some trivial action.
- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAk67aUkACgkQ9CaO5/Lv0PBl2ACdHDKUqQ/zkT0dfc63MFELStLK
+a4An3kuFz39fXKymLVFBqYRMQ9xWUbX
=naid
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
