tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Stevo Slavić <ssla...@gmail.com>
Subject Re: Session timeouts: ignore "periodic polling" URL?
Date Sun, 20 Mar 2011 14:50:05 GMT
If ajax requests need session state, then IMO Tomcat can not help you
with that - it can not and should not differentiate requests issued by
ajax and requests issued by user. In that case one solution would be
to logout user with a logout request after timeout. Where ajax
requests live, javascript is enabled, so on page load you can just
https://developer.mozilla.org/en/DOM/window.setTimeout to logout
request, where client side timeout duration could/should be same as
server side session timeout.

Regards,
Stevo.

On Sun, Mar 20, 2011 at 3:40 PM, André Warnier <aw@ice-sa.com> wrote:
> sebb wrote:
>>
>> On 20 March 2011 11:19, André Warnier <aw@ice-sa.com> wrote:
>>>
>>> sol myr wrote:
>>>>
>>>> Hi,
>>>>
>>>> We have a Servelts/JSP application Tomcat6.
>>>> Our javascripts issues automatic, periodic polling requests (Ajax and
>>>> Comet), in order to keep the view  up-to-date.
>>>> Unfortunately this prevents sessions from timing out...
>>>>
>>>> Is there a way to tell Tomcat that some URL shouldn't affect session
>>>> timeouts?
>>>> Namely if for the last 30 minutes, the browser requested nothing but
>>>> "http://server/autoRefresh.do" , then Tomcat should assume the user went
>>>> away from the computer, and kill the session.
>>>>
>>> You may have to explain the logic of this a bit better, because on the
>>> face
>>> of it, it makes no sense.
>>> Presumably, if you create a session, it is because the application needs
>>> a
>>> session (aka, needs some information to be preserved between individual
>>> requests of the same user/browser).
>>> Then why would you want it to time out ?
>>
>> This is the sort of behaviour one wants for online banking - the
>> session should be logged out if the user does not do anything for a
>> while, even though the page may be doing background requests.
>>
>
> Allright then, I'll buy that, if somewhat reluctantly.
>
> The creation or retrieval of a session, as far as I understand it, is
> totally under application control.
> In other words, if your servlet (or JSP), when it is called, executes a
> HttpServletRequest.getSession() call, then it will retrieve the existing
> session (or create one if none exists yet); and if it does not call
> getSession(), it will not.
>
> In other words, if you want some requests URLs "not to count" (or "be
> excluded") as far as the session mechanism is concerned, then you just have
> to map these requests (URLs) to a servlet/JSP page which does not do a
> getSession().
>
> Of course, if in order to refresh the information in the browser page, the
> application needs to access information stored in the session, then you have
> a problem.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message