tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <>
Subject Re: Tomcat Realm Auto-Relogin after Session-Timeout Problem
Date Thu, 17 Sep 2009 16:35:35 GMT
Hash: SHA1


On 9/17/2009 4:56 AM, Mark Thomas wrote:
> atroiano wrote:
>> Is it possible?
> The way you describe? No.


> If you want this then you have a couple of options:
> a) Do what Chris said and pass state back and forth in the request/response

More specifically, architect your session such that a few pieces of
information can re-create the session state, rather than having to
encode /all/ session state in the URL (otherwise, you'd never need the
session, now, would you?).

Here is a concrete example: we deliver questionnaires on-line to
respondents. If their session times out in the middle of taking a
questionnaire, we want them to be able to resume right where they were.
We put the "id" of the questionnaire they are taking right into the URLs
of any links, and into any forms they can submit (answering a question
submits a form, so usually we're talking about POST parameters here).

If the session times out, the next request (after successful
authentication, that is) will have nothing available but the
questionnaire id. The code that manages the questionnaire will look for
the session objects, and, not finding them, will take the id from the
request, reconstruct everything in the session necessary to continue the
questionnaire in-progress (because the state of the /questionnaire/, not
the session itself, is stored in our database), and then resume the

So, although we have a bunch of information stored in the session in
order to deliver the questionnaire quickly, the disappearance of the
data in the session is tolerable: we simply recover by re-building the
session information given that one special request parameter.

Of course, you have to architect your application to work this way.
There is no special configuration option for Tomcat (nor any other app
server for that matter) that can simple recover your session for you
after it expires.

> b) Buy more memory and have longer session expiration times
> c) Look into using the persistent session manager

There's another option if you want drop-in session recovery. It's a
giant hack, won't work except under the best of circumstances, and
probably counts as bad design (it IS a giant hack), but you could:

1. Make sure everything in your session is Serializable
   (always a good thing)
2. Make sure every URL you use is run through response.encodeURL()
   (including form actions!)
3. Write a filter that does the following:

   a. Wraps the response in a special subclass of
      HttpServletResponseWrapper (see below)
   b. Checks for the presence of a session, then checks the session
      for a magic attribute (say, "SESSION_CONFIGURED" or whatever)
   c. If the magic attribute does not exist, recovers the session
      (see below)
   d. Calls the next filter in the chain

4. Write an HttpServletResponseWrapper that overrides encodeURL
   and encodeRedirectURL to do the following:

   a. Serialize all session attributes to a GzipOutputStream,
      then encrypt them using some decent encryption algorithm
      (such as 3DES, Blowfish, etc.), then add this data to the
      URL in a unique parameter like SESSION or whatever.

Session recovery is simple: just decrypt the SESSION request parameter,
deserialize the data, and shove it into the session. Instant session

Here are some potential problems:

* See #1 and #2 above
* If you have a lot of session data, you may exceed the URL length limit
* Performance will suffer due to all that encryption being done for
  every URL you generate

But, if you have small session data, this might work.

Hope that helps,
- -chris
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla -


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message