tomcat-users mailing list archives

From James Shaw <>
Subject Re: Session timeout issues
Date Fri, 16 Sep 2005 10:24:11 GMT
On 15/09/05, Leon Rosenberg <> wrote:
> Hi,
> I don't know if this fits, but could it be that your problem is
> related to the Tomcat session synchronization bug?

That does look like a potential issue.  However, I think I may have
tracked this down to cookies and switching between HTTP and HTTPS.

There are two scenarios:
1) User starts at an HTTP page and is given a cookie.  This cookie can
be used in secure and non-secure requests.

2) User starts at an HTTPS page and is given a cookie.  This cookie is
only valid for secure requests (because it has Set-Cookie: .... ;Secure
in the response header).  When a user is redirected to an HTTP
page they are given a *new* cookie and a new HttpSession is created on
the server.

Can you tell me the exact semantics of the secure attribute on the
<connector> element?  The documentation just says "Set this attribute
to true if you wish to have calls to request.isSecure() to return true
for requests received".

James Shaw

> On 9/15/05, James Shaw <> wrote:
> > On 14/09/05, James Shaw <> wrote:
> > > I have two issues relating to sessions:
> > >
> > > 1) Sessions seem to be expired too soon.  This happens very
> > > infrequently for me (perhaps 1 in 1000 requests).  I'm adding some
> > > HttpSessionListeners and HttpSessionAttributeListeners to attempt to
> > > locate this problem, but have little to go on at the moment.
> > >
> > I have some more info on this problem.  During the login process, the
> > original JSESSIONID that tomcat gives to the browser is being lost and
> > a new HttpSession with a new id is being created.  So either the
> > browser is not sending the cookie containing the session id, or Tomcat
> > is somehow losing the id.
> >
> > Does anyone have an idea what this problem could be?  Perhaps you
> > could point me to some information about how Tomcat receives cookies
> > and maps these to their respective HttpSession objects.
> >

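Added example, not part of the original message or of Tomcat: a Python model of the two scenarios above, with the standard library's http.cookiejar acting as the browser. ToyContainer, FakeResponse, browse and the host name are hypothetical, and the container is assumed to mark JSESSIONID as Secure only when it is issued over HTTPS, as the message describes.

```python
import itertools
import urllib.request
from email.message import Message
from http.cookiejar import CookieJar

HOST = "shop.example.test"  # constructed host name


class FakeResponse:
    """Stand-in for an HTTP response; CookieJar only needs info()."""
    def __init__(self, set_cookie=None):
        self._headers = Message()
        if set_cookie:
            self._headers["Set-Cookie"] = set_cookie

    def info(self):
        return self._headers


class ToyContainer:
    """Hypothetical container model: maps JSESSIONID to a session."""
    def __init__(self):
        self.sessions = {}
        self._ids = itertools.count(1)

    def handle(self, request):
        raw = request.get_header("Cookie", "")
        pairs = dict(p.split("=", 1) for p in raw.split("; ") if "=" in p)
        sid = pairs.get("JSESSIONID")
        if sid in self.sessions:          # known id: reuse the session
            return sid, FakeResponse()
        sid = "S%04d" % next(self._ids)   # no usable id: new session
        self.sessions[sid] = {}
        # Assumption: Secure is set only when the cookie is issued over HTTPS.
        secure = "; Secure" if request.type == "https" else ""
        return sid, FakeResponse("JSESSIONID=%s; Path=/%s" % (sid, secure))


def browse(schemes):
    """Request one page per scheme with one cookie jar; return the
    session id the server used for each request."""
    jar, server, seen = CookieJar(), ToyContainer(), []
    for scheme in schemes:
        req = urllib.request.Request("%s://%s/app/page" % (scheme, HOST))
        jar.add_cookie_header(req)        # Secure cookies are withheld on http
        sid, resp = server.handle(req)
        jar.extract_cookies(resp, req)
        seen.append(sid)
    return seen
```

Calling browse(["http", "https", "http"]) keeps one session id throughout, while browse(["https", "https", "http"]) shows a second id created on the HTTP request.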