tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Josh Simmons <>
Subject RE: Session cookie max age
Date Thu, 14 Jul 2011 00:13:20 GMT
Our web.xml file minus listeners and servlet config.  I also removed some taglib definitions.

<?xml version="1.0" encoding="ISO-8859-1"?>

<!DOCTYPE web-app
    PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"

<web-app xmlns=""
		<filter-name>Performance Log Filter</filter-name>
		<filter-name>Performance Log Filter</filter-name>
<!-- the session should last 180 min. -->

  <!-- The Usual Welcome File List -->



The problem with the filter you are speaking of is that it actually adds multiple cookies
to the request.  While most people say that they haven't found this to cause problems - we
actually did find that it caused users problems.  Firefox accepts the last cookie sent, but
I've found reports saying that IE accepts the first cookie.  I'm not really sure what was
going on, but the patterns were extremely inconsistent and hard to replicate.  All I know
is that  we had people turn off cookies completely on our website and things started working
again.  That was the reason we upgraded to tomcat7 in the first place.

-----Original Message-----
From: Christopher Schultz [] 
Sent: Wednesday, July 13, 2011 5:43 PM
To: Tomcat Users List
Subject: Re: Session cookie max age

Hash: SHA1


On 7/13/2011 5:15 PM, Josh Simmons wrote:
> I was afraid I wasn't being specific enough - sorry.
> <session-config> <session-timeout>180</session-timeout>
> <cookie-config> <max-age> 10800 </max-age> </cookie-config> 
> </session-config>

Can you post your entire web.xml? You can remove all the servlet, listener, and security constraint

> We do not want to use the default cookie max age of -1 for our session 
> cookie. We would like for our session to persist across browser 
> restart (I know this might be frowned upon but it’s a stepping stone 
> towards the correct solution) - so in order to do so we set the max 
> age of our session cookie to 3hours , the same as our  timeout.


> While the jsessionid might not be changing for every request, the 
> timeout is changing with every request.

Okay, now I get it. You expect Tomcat to set the cookie's max age to be NOW + 180 minutes.
That's what I'd expect, too.

> As I stated previously, we can fix this by just configuring our max 
> age to be 24 hours, because ideally no one is going to perfectly keep 
> their session alive on the server for that length of time.
> Hopefully this makes more sense now of what I'm after.

It does. Assuming that you don't have a misconfiguration and that this is a Tomcat bug, you
ought to be able to get around the problem using a Filter that looks something like this:

public class SessionCookieMaxAgeFilter
  implements Filter
  public void doFilter(ServletRequest request,
                       ServletResponse response,
                       FilterChain chain)
    if(request instanceof HttpServletRequest)
      Cookie cookie = getCookie((HttpServletRequest)request));

      if(null != cookie)
        // force the cookie back on the client


  private Cookie getCookie(HttpServletRequest request)
    Cookie[] cookies = request.getCookies();

    if(null != cookies)
      for(int i=0; i<cookies.length; ++i)
          return cookie;

    return null;

Post your configuration and I'll take a look at the code (which may take some time :)

- -chris
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla -


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message