tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Martin O'Shea" <>
Subject RE: Session management issue with Tomcat
Date Thu, 22 Sep 2011 18:49:11 GMT
To answer your questions:

Is there a reason this data is in a custom cookie, rather than the
session, via setAttribute()?

The cookie is dedicated and meant to be persistent. The idea is that a user
is recognised by the system upon returning to the website after having been
away for some time. Hence, the userid is stored in the cookie, so that when
the user returns to the homepage, the homepage can read the cookie, and
present that user's recent list on the page.

What is the expiry time of the custom cookie?

The cookie is set for a year.

How exactly are you invalidating this other cookie, when you
invalidate the session?

I assume you mean Tomcat's session and not the browser's sessions. The
Tomcat sessions are not being invalidated at the moment. 

The underlying principle here is that if multiple users use the same PC, and
maybe even the same session in a browser, a single cookie is used to store a
userid. Various system pages have a login facility and if invoked, the
cookie is rewritten with the current user's id. But this is where the Back
button issue occurs so it may be that session invalidation  solve my

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message