tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Milt Epstein <>
Subject Re: Session timeout setting (URGENT)
Date Fri, 20 Dec 2002 20:33:59 GMT
On Fri, 20 Dec 2002, Kenny G. Dubuisson, Jr. wrote:

> Simple minded as I am, I still believe with everything I have that
> there MUST be a setting in Tomcat that controls how often new
> session ID's are generated.  If I have a simple page that does
> nothing but a "session.getId()" and it returns a new session ID
> every 60 mins, there must be something in Tomcat that sets this
> interval.  Obviously this setting is missing from my config files so
> that Tomcat uses it's default.  Has no one ever wanted to change
> this setting before?  I hate to sound beligerent but I've authored
> and released what I feel to be a very nice application/web site but
> the only feedback I'm getting is litterally users screaming at me
> because I haven't fixed this yet.  I'm going to have to start
> looking at redesigning the login/verification process on every page
> (not a big site but still 20K of code) to work around this issue
> when I feel it has to be a simple setting.

First of all, I couldn't tell from your description in your first
message in this thread the other day whether you're using your own
session cookie mechanism, or whether you're using the standard session
API mechanism.  Could you clarify that?  If you are using your own,
what you're seeing could be some artifact of that.

Otherwise, instead of assuming there is some simple setting to change,
I'd suggest taking a closer look at your own code, and how you're
using the built-in facilities, even posting the code here if you're
not sure, to see if the problem lies there.  Several people have
already pointed out the standard mechanisms for handling session
timeouts, and I'm not sure there's anything else to say about that --
it looks like a dead end.

BTW, do you really have a page that just does session.getId() and
you're seeing this problem with that?

I'd also suggest you really verify that it is the regular session
timeout that is going on.  You might be able to do that bu checking
the logs, or at worst, write your own SessionActivationListener (or
whatever it's called) to catch the session being deactivated and
record that.

Actually, if the session is being deactivated/renewed an hour after
it's created, regardless of activity, then it most likely is not the
standard session timeout that's causing it, because that's an *idle*
timeout, not a duration timeout.

In sum, I really think you need to do some more investigation into
what's going on, by checking logs and/or trying some things to see
what happens, etc., as opposed to looking for a quick fix.  Sorry, but
that's generally the way things work.

Milt Epstein
Research Programmer
Integration and Software Engineering (ISE)
Campus Information Technologies and Educational Services (CITES)
University of Illinois at Urbana-Champaign (UIUC)

To unsubscribe, e-mail:   <>
For additional commands, e-mail: <>

View raw message