tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Sharon Prober (sprober)" <spro...@cisco.com>
Subject RE: Session time out never takes place with ajax
Date Thu, 10 Nov 2011 08:11:52 GMT
Christopher,

So to recap, and verify my understanding...
Perhaps I am missing some valve overview.

I understand it is invoked before the filters, but after completion it would arrive to the
filter/servlet container anyway.
So what your saying is that if I build a valve and read information from IO file or/db or
any other cached data which doesn’t trigger a request.getSession
That will work?
And if so, I will still need to "break" the chain and prevent it from continuing deeper into
tomcat or else it will update the session access time

Did I get it right?

	Sharon

-----Original Message-----
From: Christopher Schultz [mailto:chris@christopherschultz.net] 
Sent: Thursday, November 10, 2011 8:04 AM
To: Tomcat Users List 
Subject: Re: Session time out never takes place with ajax

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Sharon,

On 11/9/11 12:56 AM, Sharon Prober (sprober) wrote:
> This is my first post here so wish me luck J

Welcome.

> My question is as follow:
> 
> I have a web based application running on tomcat 6.0.29
> 
> On my main page there is a polling ajax call every 5 seconds.
> 
> Clearly this revalidates the session and by that renders the
> session timeout feature unusable

Yes.

> I read about two main solutions for this issue
> 
> 1.       Coding on the server side (filter) a simple snippet that 
> identifies an ajax call based on a parameter passed and based on
> that knows if this is a valid post or a polling hit that should not
> affect the session expiration date

This is problematic for a few reasons:

1. You usually want a polling request to return something of use, which
   often involves the session. You can't access the session without
   updating its last-accessed-time.

2. Under certain configuration, Tomcat will update the
   last-accessed-time of the session even if you don't call
   request.getSession().

   This may be only the case in Tomcat 7 with the following
   configuration settings:

   See the org.apache.catalina.core. StandardHostValve.ACCESS_SESSION
   and org.apache.catalina.STRICT_SERVLET_COMPLIANCE system properties
   here:
http://tomcat.apache.org/tomcat-7.0-doc/config/systemprops.html#Sessions

> 2.       Create a stub webapp and redirect the calls of the polling
> to that app

I'm not sure this buys you anything: if you pass-through calls to the
"real" webapp, then you'll still be touching the session.

> So my question is, is there another way for this to be achieved?

It would be best to describe what your "ping" actually does. If it
doesn't require session access, you may have some options.

> Note. I think it might be a cool feature (with the vast ajax use
> these days) to have a configuration in the web.xml the excludes
> various paths/urls from the session validation checkups

This would, by definition, be a violation of the specification.
Instead, something like a Valve placed early in the pipeline could
avoid a session update but still perform some trivial action.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk67aUkACgkQ9CaO5/Lv0PBl2ACdHDKUqQ/zkT0dfc63MFELStLK
+a4An3kuFz39fXKymLVFBqYRMQ9xWUbX
=naid
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

Mime
View raw message