tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: session-timeout not taking effect
Date Wed, 15 Sep 2010 14:25:50 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

André,

On 9/14/2010 6:27 PM, André Warnier wrote:
> Debbie Shapiro wrote:
>> Hi Wesley -
>> I logged in to my web app, ran a report and then left it alone for 45
>> minutes. Came back and tried to run another report. I was expecting to
>> receive a prompt to login again, but instead it runs the second report.
>> I also have a case open with InetSoft on this, but they are pointing me
>> to my Tomcat configuration.
>>
> A question to the developers maybe : does the timeout attribute mean
> that the server /must/ time out the session after that period of
> inactivity, or just that it /may/ time it out ? (such as for example if
> it needs to, because it needs the space)

See the spec (r2.5 in this case) SRV.7.5 "Session Timeouts":

"
In the HTTP protocol, there is no explicit termination signal when a
client is no longer active. This means that the only mechanism that can
be used to indicate when a client is no longer active is a timeout period.

...

Once the session invalidation is initiated, a new request must not
be able to see that session.
"

So, the spec defines the default inactive timeout, indicates that the
server should (but does not exactly say MUST/SHALL, though it's pretty
clear that enforcement is not optional) expire timed-out sessions and
that, once timed-out, they are no longer allowed to be used.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkyQ124ACgkQ9CaO5/Lv0PBsUwCfTwV0sMfcYjThZu/sY29B3m9q
sYkAnRE8wjR97tqESEcxTSLZWsloo0V/
=T6Qg
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message