Mailing-List: contact dev-help@tomcat.apache.org; run by ezmlm
Precedence: bulk
Reply-To: "Tomcat Developers List" <dev@tomcat.apache.org>
Received-SPF: neutral (nike.apache.org: local policy)
Subject: Question about endAccess method in
 org.apache.catalina.session.StandardServlet
From: Ben Souther <bsouther@fwdco.com>
Reply-To: bsouther@fwdco.com
To: dev@tomcat.apache.org
Content-Type: text/plain
Organization: F. W. Davison & Co, Inc
Date: Wed, 08 Jun 2011 13:33:21 -0400
Message-Id: <1307554401.7252.46.camel@ben-laptop>
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit

I'm wondering if anyone can tell me why the endAccess method (which
resets the lastAccessedTime) in
org.apache.catalina.session.StandardServlet is called by the
org.apache.catalina.connector.request.recycle() method.


    /**  
     * End the access.
     */
    @Override
    public void endAccess() {

        isNew = false;

        /**
         * The servlet spec mandates to ignore request handling time
         * in lastAccessedTime.
         */
        if (LAST_ACCESS_AT_START) {
            this.lastAccessedTime = this.thisAccessedTime;      // <<=====<<< Here
            this.thisAccessedTime = System.currentTimeMillis();
        } else {
            this.thisAccessedTime = System.currentTimeMillis();
            this.lastAccessedTime = this.thisAccessedTime;      // <<=====<<< Here
        }

        if (ACTIVITY_CHECK) {
            accessCount.decrementAndGet();
        }

    }    


I'm asking because this, along with another change in TC7 breaks a
feature in my application (that has been working well in 5.5 and 6.x) by
causing every request, even to static resources like html pages, and
images, to reset the session counter.


The feature, for the curious, is an AJAX timer that can sync up with the
server to let the user know how much time is left in their session. With
listeners, I was able to store references to all active sessions in a
context scoped object.  The AJAX timer is able to read the maxInactive
and lastAccessedTime properties of the user's session, without tripping
the counter, to show them how much time is left in their session.  It
improves the security of our app by redirecting the user to the login
screen if they left the browser running until the app's session expired.
It's nice that it's able to double check to insure that it didn't switch
screens on the user until the server's session has definitely expired.


I'm able to get this working by commenting out the lines in this method
and by altering the
org.apache.catalina.connector.request.getSessionInternal method so that
it gets session handles without calling the access() method of the
session.


The spec states that every call to getSession() and getSession(boolean)
should reset the session timer but it isn't clear as to whether
requests that don't call these methods should or shouldn't update the
timer.

I'd be more than happy to put together a small patch that gets Tomcat to
handle this the way it did in version 6 if anyone is interested.

Thanks for your time.
-Ben


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org