tomcat-users mailing list archives

From Christopher Schultz
Subject Re: Session expiration - browser -Web application
Date Fri, 04 Nov 2011 17:07:00 GMT


On 11/4/11 12:04 PM, Léa Massiot wrote:
> @Tim : Thank you for your answer.
>> [Tim wrote:] "Uncertain" is a bit vague.
> Yes. Ok. This is my understanding which is "uncertain" then. What
> happens is what you wrote: "a new session for the user with _none_
> of the objects from the old session in it".

The new session created is completely empty. It has nothing to do with
the user going back in the history, etc.

If you have a lot of data in the request parameters that can keep the
state of the workflow sane, then that's a different story. I always
try to have enough information in the page (form) so that resuming a
workflow after a session timeout is a possibility. This is something
you will have to code into your own webapp: it's not something Tomcat
can provide for you.

>> [Tim wrote:] If every page in the web app is supposed to require 
>> authentication you need to declare that in web.xml.
> Can you tell me how?

Read-up on the servlet spec, specifically the "authentication and
authorization" sections. Look for <security-constraint> and
<auth-constraint> sections in web.xml.

>> [Tim wrote:] I'm assuming (perhaps incorrectly) you've already
>> got some declaration in there for form authentication?
> What are you thinking about? Can you be more precise?

If users are logging-into your webapp, presumably they are providing a
username and password (or other credentials): where do you have that

-chris

