tomcat-users mailing list archives

From Christopher Schultz <>
Subject Re: session-timeout not taking effect
Date Wed, 15 Sep 2010 14:25:50 GMT

On 9/14/2010 6:27 PM, André Warnier wrote:
> Debbie Shapiro wrote:
>> Hi Wesley -
>> I logged in to my web app, ran a report and then left it alone for 45
>> minutes. Came back and tried to run another report. I was expecting to
>> receive a prompt to login again, but instead it runs the second report.
>> I also have a case open with InetSoft on this, but they are pointing me
>> to my Tomcat configuration.
> A question to the developers maybe : does the timeout attribute mean
> that the server /must/ time out the session after that period of
> inactivity, or just that it /may/ time it out ? (such as for example if
> it needs to, because it needs the space)

See the spec (r2.5 in this case) SRV.7.5 "Session Timeouts":

In the HTTP protocol, there is no explicit termination signal when a
client is no longer active. This means that the only mechanism that can
be used to indicate when a client is no longer active is a timeout period.


Once the session invalidation is initiated, a new request must not
be able to see that session.

So, the spec defines the default inactive timeout, indicates that the
server should (but does not exactly say MUST/SHALL, though it's pretty
clear that enforcement is not optional) expire timed-out sessions and
that, once timed-out, they are no longer allowed to be used.

-chris
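
One way to observe how the container applies the inactivity timeout discussed in this message, as an added example that is not part of the original post or of Tomcat: a servlet filter, written against the Servlet 2.5 API, that logs for each request how long the session had been idle and which timeout is in effect. The class name `SessionIdleAuditFilter` and the log format are assumptions.

```java
import java.io.IOException;
import java.util.logging.Logger;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Hypothetical diagnostic filter (illustration only, not Tomcat code).
// Declare it in web.xml and map it to /* so every request passes through it.
public class SessionIdleAuditFilter implements Filter {
    private static final Logger LOG =
            Logger.getLogger(SessionIdleAuditFilter.class.getName());

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            HttpServletRequest http = (HttpServletRequest) req;
            // getSession(false): inspect an existing session, never create one here.
            HttpSession s = http.getSession(false);
            if (s == null) {
                LOG.info(http.getRequestURI() + " no valid session; requested id valid="
                        + http.isRequestedSessionIdValid());
            } else {
                try {
                    // Gap between now and the last access the container recorded.
                    long idleSec = (System.currentTimeMillis() - s.getLastAccessedTime()) / 1000;
                    // Effective timeout in seconds (web.xml session-timeout is in minutes);
                    // a negative value means the session never times out.
                    int maxSec = s.getMaxInactiveInterval();
                    // Short tag derived from the id, so the raw session id is not logged.
                    String tag = Integer.toHexString(s.getId().hashCode());
                    LOG.info(http.getRequestURI() + " session=" + tag + " new=" + s.isNew()
                            + " idleSec=" + idleSec + " maxInactiveSec=" + maxSec);
                } catch (IllegalStateException e) {
                    LOG.info(http.getRequestURI() + " session invalidated during request");
                }
            }
        }
        chain.doFilter(req, res);
    }
}
```

In the resulting log, requests that keep arriving while the user is away show which URIs are resetting the inactivity clock, and a `maxInactiveSec` that differs from the `session-timeout` value in web.xml times 60 shows that something else set the interval.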

