tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Sharon Prober (sprober)" <>
Subject RE: Session time out never takes place with ajax
Date Thu, 10 Nov 2011 08:11:52 GMT

So to recap, and verify my understanding...
Perhaps I am missing some valve overview.

I understand it is invoked before the filters, but after completion it would arrive to the
filter/servlet container anyway.
So what your saying is that if I build a valve and read information from IO file or/db or
any other cached data which doesn’t trigger a request.getSession
That will work?
And if so, I will still need to "break" the chain and prevent it from continuing deeper into
tomcat or else it will update the session access time

Did I get it right?


-----Original Message-----
From: Christopher Schultz [] 
Sent: Thursday, November 10, 2011 8:04 AM
To: Tomcat Users List 
Subject: Re: Session time out never takes place with ajax

Hash: SHA1


On 11/9/11 12:56 AM, Sharon Prober (sprober) wrote:
> This is my first post here so wish me luck J


> My question is as follow:
> I have a web based application running on tomcat 6.0.29
> On my main page there is a polling ajax call every 5 seconds.
> Clearly this revalidates the session and by that renders the
> session timeout feature unusable


> I read about two main solutions for this issue
> 1.       Coding on the server side (filter) a simple snippet that 
> identifies an ajax call based on a parameter passed and based on
> that knows if this is a valid post or a polling hit that should not
> affect the session expiration date

This is problematic for a few reasons:

1. You usually want a polling request to return something of use, which
   often involves the session. You can't access the session without
   updating its last-accessed-time.

2. Under certain configuration, Tomcat will update the
   last-accessed-time of the session even if you don't call

   This may be only the case in Tomcat 7 with the following
   configuration settings:

   See the org.apache.catalina.core. StandardHostValve.ACCESS_SESSION
   and org.apache.catalina.STRICT_SERVLET_COMPLIANCE system properties

> 2.       Create a stub webapp and redirect the calls of the polling
> to that app

I'm not sure this buys you anything: if you pass-through calls to the
"real" webapp, then you'll still be touching the session.

> So my question is, is there another way for this to be achieved?

It would be best to describe what your "ping" actually does. If it
doesn't require session access, you may have some options.

> Note. I think it might be a cool feature (with the vast ajax use
> these days) to have a configuration in the web.xml the excludes
> various paths/urls from the session validation checkups

This would, by definition, be a violation of the specification.
Instead, something like a Valve placed early in the pipeline could
avoid a session update but still perform some trivial action.

- -chris
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools -
Comment: Using GnuPG with Mozilla -


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message