tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Hayo Schmidt <Str...@hayo.de>
Subject How do i handle session-timeout in an acceptable manner?
Date Wed, 01 Oct 2003 15:16:09 GMT
I have a built a web application on Tomcat 4.1.18. The application is 
running with a HTTPS connection. session-timeout is configured and works 
so far. But i am absolutely not satisfied with what happens when a 
timeout occurs.
The web application is configured for form based authentication. When 
the connection has timed out, the user is presented the login page when 
he does his next action. And, all data saved with the session are lost. 
Fine -  i could live with that.

But what happens in a real case:
- The user waits too long - timeout.
- The user pushes an INPUT type="submit" and creates a POST operation.
- Tomcat redirects to the login page.
- The user logs in.
- Tomcat redirects to the original aim of the post operation, but he 
does it as a GET operation.
Alternative 1:
- My application does not allow get operations at this place ==> 
Application Error.
Alternative 2:
- The application allows the vulnerable get operation, but the button 
that was pushed is not passed anymore ==> Application Error.

Now what can i do? I must interfere the session timeout to do an 
operation. Or i should be able to detemine that the current request is 
the first after a timeout. The way my application currently crashes is 
not acceptable.

Hayo Schmidt


---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org


Mime
View raw message