Mailing-List: contact tomcat-user-help@jakarta.apache.org; run by ezmlm
Precedence: bulk
Reply-To: "Tomcat Users List" <tomcat-user@jakarta.apache.org>
Content-Class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Subject: RE: How do i handle session-timeout in an acceptable manner?
Date: Thu, 2 Oct 2003 08:14:55 -0400
Message-ID: <7503E16AAE4DB3498884AB2DC4B779D501A51113@fernhill.sfsltd.com>
Thread-Topic: How do i handle session-timeout in an acceptable manner?
Thread-Index: AcOIwEp2QgSdVU82QQmWGbzoqhqZngAHaN5g
From: "Jeremy Nix" <Jeremy.Nix@sfsltd.com>
To: "Tomcat Users List" <tomcat-user@jakarta.apache.org>

> The problem with your solution is, that the application does not know=20
> where to continue after the login page. This will result in an error.
If you want your login page to redirect you back to the page that the
user timed out on, then why don't you just add a hint to the login url
so that after the user has logged in, then your application will know
where to redirect them.

>=20
> I have implemented this workaround:
>=20
>     protected void doGet(
>         HttpServletRequest httpServletRequest,
>         HttpServletResponse httpServletResponse)
>         throws ServletException, IOException {
>=20
>         String reqURI =3D httpServletRequest.getRequestURI();
>         if ((reqURI.indexOf("/actions/") !=3D -1)) {
>             // Calling of 'actions' via get is not allowed
>             String referer =3D =
httpServletRequest.getHeader("referer");
>             if ((referer !=3D null) &&=20
> (referer.endsWith("/loginpage.jsp))) {
>                 // if this happens, we probably had a Time-Out
>                 RequestDispatcher dispatcher =3D=20
> getServletContext().getRequestDispatcher("/timeout_info.jsp");
>           =20
>                 dispatcher.forward(httpServletRequest,=20
> httpServletResponse);
>             } else {
>                 throw new ServletException("Action forbidden.");
>             }
>         } else {
>              // Call shared, standard request processing code.
>             processRequest(httpServletRequest, httpServletResponse);
>         }
>     }
>=20
> What it does: if there is a get call to an URL that should be=20
> called as=20
> post, and the referer is the login page, then forward the request to=20
> some kind of informational message.
>=20
> Of course there can't be any guarantee this works with coming=20
> versions=20
> of Tomcat. So i would like to have an general solution.
>=20
> Hayo Schmidt
>=20
> ---------------------------------------------
>=20
> Shapira, Yoav wrote:
>=20
> >Howdy,
> >Here's an idea: add an HTML META refresh tag to each page whose=20
> >redirect URL is the login page and whose timeout is the=20
> session timeout=20
> >less a few seconds.  That way the user will get redirected=20
> to the login=20
> >page before the session timeout -- they won't be able to press the=20
> >submit button.
> >
> >Yoav Shapira
> >Millennium ChemInformatics
> >
> >
> > =20
> >
> >>-----Original Message-----
> >>From: Hayo Schmidt [mailto:Strato@hayo.de]
> >>Sent: Wednesday, October 01, 2003 11:16 AM
> >>To: Tomcat Users List
> >>Subject: How do i handle session-timeout in an acceptable manner?
> >>
> >>I have a built a web application on Tomcat 4.1.18. The=20
> application is=20
> >>running with a HTTPS connection. session-timeout is configured and
> >>   =20
> >>
> >works
> > =20
> >
> >>so far. But i am absolutely not satisfied with what happens when a=20
> >>timeout occurs. The web application is configured for form based=20
> >>authentication. When the connection has timed out, the user is=20
> >>presented the login page when he does his next action. And,=20
> all data=20
> >>saved with the session are lost. Fine -  i could live with that.
> >>
> >>But what happens in a real case:
> >>- The user waits too long - timeout.
> >>- The user pushes an INPUT type=3D"submit" and creates a POST=20
> operation.
> >>- Tomcat redirects to the login page.
> >>- The user logs in.
> >>- Tomcat redirects to the original aim of the post=20
> operation, but he=20
> >>does it as a GET operation. Alternative 1:
> >>- My application does not allow get operations at this place =3D=3D>
> >>Application Error.
> >>Alternative 2:
> >>- The application allows the vulnerable get operation, but=20
> the button
> >>that was pushed is not passed anymore =3D=3D> Application Error.
> >>
> >>Now what can i do? I must interfere the session timeout to do an=20
> >>operation. Or i should be able to detemine that the current=20
> request is=20
> >>the first after a timeout. The way my application currently=20
> crashes is=20
> >>not acceptable.
> >>
> >>Hayo Schmidt
> >>
> >>
> >>------------------------------------------------------------
> ---------
> >>To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> >>For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
> >>   =20
> >>
> >
> >
> >
> >
> >This e-mail, including any attachments, is a confidential business=20
> >communication, and may contain information that is confidential,=20
> >proprietary and/or privileged.  This e-mail is intended only for the=20
> >individual(s) to whom it is addressed, and may not be saved, copied,=20
> >printed, disclosed or used by anyone else.  If you are not the(an)=20
> >intended recipient, please immediately delete this e-mail from your=20
> >computer system and notify the sender.  Thank you.
> >
> >
> >---------------------------------------------------------------------
> >To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> >For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
> >
> >
> >
> > =20
> >
>=20
>=20

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org