tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Paul Singleton <>
Subject Re: Detecting Session Timeout in Tomcat
Date Wed, 19 Oct 2005 11:53:54 GMT
Brian Blount wrote:

> I need to be able to distinguish between a session
> timeout vs the first time someone accesses my web
> application.  Within a single web application, I've
> been able to use the following logic:
> (request.isRequestedSessionIdValid() == false &&
>  (request.isRequestedSessionIdFromCookie() ||
>   request.isRequestedSessionIdFromURL()))

This assumes that any request containing an invalid
session id refers to a timed-out session (although it
could be something else...)

(this trick is new to me, and looks like being more
use to me than it is to you - thanks! :-)

> However, I am running multiple web applications with
> single-sign-on enabled between them, so when I first
> navigate from one web application to the next, the
> above expression evaluates to true even though my
> session has not timed out.

presumably because the unrecognised session id actually
refers to a (possibly valid) session in another web app?

> Is there a better way of detecting session timeouts in
> tomcat?

each web app could maintain a Set of issued session ids
to enable it to distinguish expired ones from alien ones
(at least until the app was restarted)

or your bunch of apps could share their collections of
issued session ids via a database

I guess this isn't Tomcat-specific: the (next?) API could
do a little more to help you in these circumstances?

Paul Singleton

No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.0.344 / Virus Database: 267.12.4/142 - Release Date: 18/Oct/2005

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message